# N/A
## 概述
在特定配置下,攻击者可以利用Apache Tomcat中的远程代码执行漏洞进行攻击。该漏洞要求攻击者能够控制服务器上的文件内容及其名称,并知道文件存储位置的相对路径。
## 影响版本
- 10.0.0-M1 到 10.0.0-M4
- 9.0.0.M1 到 9.0.34
- 8.5.0 到 8.5.54
- 7.0.0 到 7.0.103
## 细节
- 攻击者需要能够控制服务器上的文件内容和文件名称。
- 服务器配置使用PersistenceManager和FileStore。
- PersistenceManager配置为`sessionAttributeValueClassNameFilter="null"`(默认值,除非使用SecurityManager)或允许反序列化的过滤器松弛。
- 攻击者需要知道文件存储位置的相对路径。
## 影响
如果上述条件全部满足,攻击者可以通过精心构造的请求触发远程代码执行,从而执行任意代码。
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | tomcat使用了自带session同步功能时,不安全的配置(没有使用EncryptInterceptor)导致存在的反序列化漏洞,通过精心构造的数据包, 可以对使用了tomcat自带session同步功能的服务器进行攻击。PS:这个不是CVE-2020-9484,9484是session持久化的洞,这个是session集群同步的洞! | https://github.com/threedr3am/tomcat-cluster-session-sync-exp | POC详情 |
| 2 | None | https://github.com/masahiro331/CVE-2020-9484 | POC详情 |
| 3 | 利用ceye批量检测CVE-2020-9484 | https://github.com/seanachao/CVE-2020-9484 | POC详情 |
| 4 | 用Kali 2.0复现Apache Tomcat Session反序列化代码执行漏洞 | https://github.com/IdealDreamLast/CVE-2020-9484 | POC详情 |
| 5 | for Ubuntu 18.04, improve functions. | https://github.com/qerogram/CVE-2020-9484 | POC详情 |
| 6 | CVE-2020-9484 Mass Scanner, Scan a list of urls for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE | https://github.com/osamahamad/CVE-2020-9484-Mass-Scan | POC详情 |
| 7 | None | https://github.com/anjai94/CVE-2020-9484-exploit | POC详情 |
| 8 | None | https://github.com/PenTestical/CVE-2020-9484 | POC详情 |
| 9 | A smol bash script I threw together pretty quickly to scan for vulnerable versions of the Apache Tomcat RCE. I'll give it some love when I have the time. | https://github.com/DanQMoo/CVE-2020-9484-Scanner | POC详情 |
| 10 | None | https://github.com/AssassinUKG/CVE-2020-9484 | POC详情 |
| 11 | POC for CVE-2020-9484 | https://github.com/VICXOR/CVE-2020-9484 | POC详情 |
| 12 | None | https://github.com/DXY0411/CVE-2020-9484 | POC详情 |
| 13 | Apache Tomcat RCE (CVE-2020-9484) | https://github.com/RepublicR0K/CVE-2020-9484 | POC详情 |
| 14 | POC - Apache Tomcat Deserialization Vulnerability (CVE-2020-9484) | https://github.com/ColdFusionX/CVE-2020-9484 | POC详情 |
| 15 | Exploit for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE | https://github.com/d3fudd/CVE-2020-9484_Exploit | POC详情 |
| 16 | small test to prevent sql injections attack. 🔒 CVE-2020-9484 | https://github.com/pxcs/webLogin-DEV | POC详情 |
| 17 | Remake of CVE-2020-9484 by Pentestical | https://github.com/0dayCTF/CVE-2020-9484 | POC详情 |
| 18 | Bash POC for CVE-2020-9484 that i used in tryhackme challenge | https://github.com/Disturbante/CVE-2020-9484 | POC详情 |
| 19 | Remake of CVE-2020-9484 by Pentestical | https://github.com/deathquote/CVE-2020-9484 | POC详情 |
| 20 | PoC exploit for CVE-2020-9484, and a vulnerable web application for its demonstration | https://github.com/savsch/PoC_CVE-2020-9484 | POC详情 |
| 21 | When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-9484.yaml | POC详情 |
暂无评论