Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-53677 PoC — Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Source
https://github.com/seoyoung-kang/CVE-2024-53677
Associated Vulnerability
Title:Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVE-2024-53677)
Description:File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067
Description
CVE-2024-53677 관련 컨설턴트용 툴 개발
File Snapshot

 [4.0K]  /data/pocs/0c14efa49600c63eac30e5696fcf754e87710a4a
├── [ 27K]  cve_2024_53677_Tool.py
├── [4.0K]  docker
│   ├── [ 25K]  catalina.sh
│   ├── [1.3K]  context.xml
│   ├── [ 689]  Dockerfile
│   ├── [4.0K]  struts-app
│   │   ├── [8.9K]  mvnw
│   │   ├── [5.7K]  mvnw.cmd
│   │   ├── [3.7K]  pom.xml
│   │   ├── [4.0K]  src
│   │   │   └── [4.0K]  main
│   │   │       ├── [4.0K]  java
│   │   │       │   └── [4.0K]  com
│   │   │       │       └── [4.0K]  example
│   │   │       │           ├── [2.0K]  UploadAction.java
│   │   │       │           └── [2.4K]  UploadsAction.java
│   │   │       ├── [4.0K]  resources
│   │   │       │   └── [ 675]  struts.xml
│   │   │       └── [4.0K]  webapp
│   │   │           ├── [ 167]  file.jsp
│   │   │           ├── [ 307]  files.jsp
│   │   │           ├── [ 362]  index.jsp
│   │   │           └── [4.0K]  WEB-INF
│   │   │               └── [1.4K]  web.xml
│   │   └── [4.0K]  target
│   │       └── [4.0K]  classes
│   │           ├── [4.0K]  com
│   │           │   └── [4.0K]  example
│   │           │       ├── [1.3K]  UploadAction.class
│   │           │       └── [1.7K]  UploadsAction.class
│   │           └── [ 675]  struts.xml
│   └── [ 219]  tomcat-users.xml
└── [2.0K]  PoC.py

15 directories, 19 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →