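Related vulnerability
Title:
Apache Tomcat environment issue vulnerability
(CVE-2025-24813)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA), used to provide support for Servlet and JavaServer Pages (JSP). Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 contain an environment issue vulnerability. An attacker can exploit this vulnerability to execute code remotely or disclose sensitive information.
Description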
Automated scanner + exploit for CVE-2025-24813
Introduction
# CVE-2025-24813 Exploit Toolkit
This is an advanced and automated exploitation tool for **CVE-2025-24813**, targeting Apache Tomcat servers vulnerable to insecure session deserialization.
## 🔍 Features
- Multi-target scanning from file or single URL (`--targets` / `--url`)
- Automatic gadget chain testing (CommonsCollections1-7, BeanShell, Spring, etc.)
- OS detection and post-exploitation payloads (Linux/Windows)
- Session ID discovery from common endpoints
- Verbose logging to both console and file
- TLS (HTTPS) support with optional SSL verification disabling
## ⚙️ Usage
```bash
# Single target
python3 exploit_cve_2025_24813.py \
--url http://target:8080 \
--ysoserial ysoserial.jar \
--no-ssl-verify
# Multiple targets from file
python3 exploit_cve_2025_24813.py \
--targets targets.txt \
--ysoserial ysoserial.jar \
--no-ssl-verify
```
## 📥 Requirements
- Python 3.6+
- Java Runtime (for ysoserial)
- ysoserial Java binary
## ⚠️ Legal Disclaimer
This tool is provided for educational and authorized security testing purposes only. Any unauthorized use against systems you do not own or have explicit permission to test is strictly prohibited and may be illegal.
## 📚 Credits
This project was inspired by a public PoC published under the Apache License 2.0.
- Original PoC author: absholi7ly
- Enhanced and rewritten by mehrdad mirabi
File snapshot
[4.0K] /data/pocs/afb6a28c2ca8d9e8fcbd0c8eb058b9904e09772a
├── [6.5K] cve_2025_24813_poc.py
├── [1.1K] LICENSE
└── [1.4K] README.md
0 directories, 3 files