The Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 have a flaw in their Jakarta Multipart parser. This flaw causes incorrect handling of exceptions and generation of error messages when attempting to upload files. As a result, attackers can remotely execute arbitrary commands by exploiting a crafted HTTP header such as Content-Type, Content-Disposition, or Content-Length.
python exploit.py -r <rhost-url> -c <desired-command>