CVE-2024-53677 PoC — Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Source

https://github.com/yangyanglo/CVE-2024-53677

Associated Vulnerability

Title:Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVE-2024-53677)
Description:File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Readme

POC来自

https://y4tacker.github.io/2024/12/16/year/2024/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%80%BB%E8%BE%91%E7%BB%95%E8%BF%87-CVE-2024-53677-S2-067/

RCE条件

1.对危险类型后缀名无限制

2.上传文件时从上传参数中获取文件名

因此缓释修复也很简单，限制后缀名、使用自定义随机文件名称等

python3 s2-067.py -h 

<img width="737" alt="image" src="https://github.com/user-attachments/assets/a0513b72-a068-4524-ac47-ae97ffd52234" />

python3 s2-067.py -u http://localhost:28080/uploadFile -filename ../poc.jsp -file 2.jsp -type s

<img width="783" alt="image" src="https://github.com/user-attachments/assets/aa6fe12a-2dfe-461a-8aca-0bb00c45a79c" />

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →