Apache has recently released an advisory regarding CVE-2023-50164, a critical vulnerability with a severity rating of 9.8 that affects Apache Struts 2.
CVE-2023-50164 is intricately tied to an organization's Apache Struts architecture and the way it uses its file upload feature, enabling unauthorized path traversal that could be abused to upload a malicious file and perform remote code execution (RCE).
This repository contains a Dockerfile to understand and manipulate the vulnerability. The weaponized exploit code is not supplied.
Below, commands to run the lab (you can copy/paste in your shell) :
git clone https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker.git
cd CVE-2023-50164-ApacheStruts2-Docker
docker build --ulimit nofile=122880:122880 -m 3G -t cve-2023-50164 .
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2023-50164 cve-2023-50164
curl http://localhost:8080/upload.action
Verify with CUrl to check app availability.
curl http://localhost:8080/upload.action
<html>
<head>
<title>File upload</title>
</head>
<body>
<h1>💣 CVE-2023-50164</h1>
<p>Welcome to CVE-2023-50164 lab. You can practice with the file upload feature below. Find a way yo bypass the filter 😉</p>
<form id="upload" name="upload" action="/upload.action" method="post" enctype="multipart/form-data">
<table class="wwFormTable">
<tr>
<td class="tdLabel"></td>
<td class="tdInput"><input type="file" name="upload" id="upload_upload" /></td>
</tr>
<tr>
<td colspan="2">
<div class="formButton"><input type="submit" value="Submit" id="upload_0" />
</div>
</td>
</tr>
</table>
</form>
</body>
</html>
Happy pwning ! 😉
This project is heavily inspired from Jakabakos work.
Below, list of articles to understand the flaw :