POC details: aea144ebe26f1808ecf7b17bba35d61d834b7ab9

Source
Related vulnerability
Title: Apache Struts security vulnerability (CVE-2023-50164)
Description: Apache Struts is an open-source project of the Apache Software Foundation, an MVC framework for building enterprise Java web applications, offered in two main product lines, Struts 1 and Struts 2. Apache Struts contains a security vulnerability caused by a path traversal flaw in the file upload parameter. An attacker can exploit it to upload a malicious file and execute code remotely. Affected products and versions: Apache Struts 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1.
Description
Vulnerable docker container for Apache Struts 2 RCE CVE-2023-50164
Introduction
# CVE-2023-50164: Apache Struts 2 vulnerable Docker container

Apache has released an advisory for CVE-2023-50164, a critical vulnerability (CVSS 9.8) in Apache Struts 2.

CVE-2023-50164 affects applications that expose the Struts 2 file upload feature. A flaw in how the framework handles the upload parameters lets an attacker control the name under which an uploaded file is stored, so a crafted name traverses out of the intended upload directory. Writing a malicious file to a location the application server will execute turns this into remote code execution (RCE).

This repository contains a Dockerfile that builds a vulnerable application so you can study and experiment with the vulnerability. **The weaponized exploit code is not supplied.**
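As an added illustration that is not part of this lab repository or of Struts itself: the real remedy for CVE-2023-50164 is the framework upgrade (Struts 2.5.33 or 6.3.0.2, per the Apache advisory), but an upload action can also refuse any client-supplied file name that does not resolve to exactly one entry directly under its upload directory, which neutralises a traversing name even when the framework lets it through. In Struts 2 the name arrives in the action's `uploadFileName` property when the form field is called `upload`, as in this lab's form; the `SafeUpload` class, its `safeTarget` and `store` methods and the sample names in `main` below are hypothetical code written for this page in that style.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

// Hypothetical helper (not the lab's Upload.java): validates a client-supplied
// upload file name before anything is written to disk.
public class SafeUpload {

    /** Thrown when a client-supplied file name would resolve outside the upload directory. */
    public static class UnsafeFileNameException extends Exception {
        public UnsafeFileNameException(String message) {
            super(message);
        }
    }

    /**
     * Returns the only path under uploadDir that fileName may map to, or throws.
     * The decision is made on the normalized absolute path, so "..", "../x",
     * "..\\x", absolute names and nested segments are all caught by one rule:
     * the target's parent must be uploadDir itself.
     */
    public static Path safeTarget(Path uploadDir, String fileName) throws UnsafeFileNameException {
        if (fileName == null || fileName.isEmpty()) {
            throw new UnsafeFileNameException("empty file name");
        }
        // A legitimate upload carries a bare name. Reject both separators and NUL
        // regardless of host OS, so a Windows-style "..\" that is harmless on Linux
        // cannot be stored and resurface on another platform.
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0 || fileName.indexOf('\0') >= 0) {
            throw new UnsafeFileNameException("path separator in file name: " + fileName);
        }
        Path dir = uploadDir.toAbsolutePath().normalize();
        Path target = dir.resolve(fileName).normalize();
        // "." normalizes to dir itself and ".." to its parent; neither has dir as parent.
        if (!target.startsWith(dir) || !dir.equals(target.getParent())) {
            throw new UnsafeFileNameException("file name escapes upload directory: " + fileName);
        }
        return target;
    }

    /** Stores content under uploadDir using the validated target; the raw name is never used as a path. */
    public static Path store(Path uploadDir, String fileName, InputStream content)
            throws UnsafeFileNameException, IOException {
        Path target = safeTarget(uploadDir, fileName);
        Files.createDirectories(target.getParent());
        Files.copy(content, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    // Constructed demonstration input: one honest name and four traversal attempts.
    public static void main(String[] args) throws IOException {
        Path uploadDir = Files.createTempDirectory("uploads");
        String[] names = { "report.txt", "../../webapps/ROOT/evil.jsp", "..\\..\\evil.jsp", "..", "." };
        for (String name : names) {
            try {
                InputStream body = new ByteArrayInputStream("hello".getBytes(StandardCharsets.UTF_8));
                System.out.println("stored   " + name + " -> " + store(uploadDir, name, body));
            } catch (UnsafeFileNameException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.txt` is written; the other four names are rejected before any file is created. The check is deliberately independent of any extension allowlist: an extension filter decides what kind of file may be stored, while this check decides where it may be stored, and a traversal bug is about the latter.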

## Usage

The commands below run the lab (copy and paste them into your shell):

```bash
git clone https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker.git
cd CVE-2023-50164-ApacheStruts2-Docker
docker build --ulimit nofile=122880:122880 -m 3G -t cve-2023-50164 .
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2023-50164 cve-2023-50164
curl http://localhost:8080/upload.action
```

Verify with curl that the application is reachable; the response should be the upload form:

```html
curl http://localhost:8080/upload.action

<html>
<head>
    <title>File upload</title>
</head>
<body>
    <h1>💣 CVE-2023-50164</h1>
    <p>Welcome to CVE-2023-50164 lab. You can practice with the file upload feature below. Find a way to bypass the filter 😉</p>

    <form id="upload" name="upload" action="/upload.action" method="post" enctype="multipart/form-data">
        <table class="wwFormTable">
            <tr>
                <td class="tdLabel"></td>
                <td class="tdInput"><input type="file" name="upload" id="upload_upload" /></td>
            </tr>
            <tr>
                <td colspan="2">
                    <div class="formButton"><input type="submit" value="Submit" id="upload_0" />
                    </div>
                </td>
            </tr>
        </table>
    </form>
</body>
</html>
```

Happy pwning! 😉

## Video

![Apache Struts 2 - RCE](video.gif)

## Source

This project is heavily inspired by [Jakabakos's work](https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE/tree/main).

Articles that explain the flaw:

- https://xz.aliyun.com/t/13172
- https://www.trendmicro.com/en_no/research/23/l/decoding-cve-2023-50164--unveiling-the-apache-struts-file-upload.html


File snapshot

```
[4.0K] /data/pocs/aea144ebe26f1808ecf7b17bba35d61d834b7ab9
├── [1.3K] context.xml
├── [ 560] Dockerfile
├── [2.3K] README.md
├── [4.0K] struts-app
│   ├── [8.9K] mvnw
│   ├── [5.7K] mvnw.cmd
│   ├── [3.7K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] org
│           │       └── [4.0K] trackflaw
│           │           └── [4.0K] example
│           │               └── [2.2K] Upload.java
│           ├── [4.0K] resources
│           │   └── [ 870] struts.xml
│           └── [4.0K] webapp
│               ├── [ 219] index.html
│               └── [4.0K] WEB-INF
│                   ├── [ 587] error.jsp
│                   ├── [ 658] success.jsp
│                   ├── [ 728] upload.jsp
│                   └── [1.1K] web.xml
├── [ 219] tomcat-users.xml
└── [ 12M] video.gif

10 directories, 15 files
```