POC详情: e9379e17b4344a89a33c3a8081303d49b3acb419

来源
https://github.com/x00byte/PutScanner
关联漏洞
标题: Apache Tomcat 环境问题漏洞 (CVE-2025-24813)
描述:Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。用于实现对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat 11.0.0-M1至11.0.2版本、10.1.0-M1至10.1.34版本和9.0.0.M1至9.0.98版本存在环境问题漏洞。攻击者利用该漏洞可以远程执行代码或泄露敏感信息。
描述
A tool that identifies writable web directories in Apache Tomcat via HTTP PUT method [CVE-2025-24813]
介绍
# 🔍 PUT Directory Scanner

A penetration testing tool that identifies writable web directories via HTTP PUT method, specifically designed to detect **CVE-2025-24813** (Arbitrary File Upload in Apache Tomcat).
## 📌 Features

- **Smart Protocol Handling**: Auto-detects HTTPS/HTTP with fallback
- **Comprehensive Checks**: Tests all common Tomcat directories
- **Two-Stage Verification**: PUT + GET validation to eliminate false positives
- **Pentester-Friendly Output**: Color-coded results with manual verification commands
- **CVE-Focused**: Optimized for detecting assets with pre-requisites for CVE-2025-24813 

## 🚀 Installation

```bash
git clone https://github.com/x00byte/PutScanner.git
cd PutScanner
```

## 🛠️ Usage

### Basic Scan
```bash
./putscanner.py target.com:8080
```
![PUT Scanner Banner](assets/banner.jpg) <!-- Your main promotional image here -->
### Advanced Options
| Flag            | Description                          |
|-----------------|--------------------------------------|
| `-v`            | Verbose mode                         |
| `--ignore-ssl`  | Bypass SSL certificate verification |
| `-f targets.txt`| Scan multiple targets from file      |

## 🖥️ Demonstration

## 🧪 Test Environment Setup

1. Start the included test server:
```bash
python3 test_server.py
```

2. Run the scanner against it:
```bash
./putscanner.py http://localhost:8080 -v
```

## Live Test Results

Below is a demonstration of putscanner in use and the different scenarios it can test for.


![Test Server Scan Results](assets/test-scan.png) <!-- Your test server screenshot here -->

```

## 📜 Legal Disclaimer

**WARNING**: This tool is intended for **authorized penetration testing only**.
Unauthorized use against systems without explicit permission is illegal.


## 📄 License

MIT License - See [LICENSE](LICENSE) for full text.
文件快照

 [4.0K]  /data/pocs/e9379e17b4344a89a33c3a8081303d49b3acb419
├── [4.0K]  assets
│   ├── [ 34K]  banner.jpg
│   ├── [253K]  test-scan.jpg
│   └── [260K]  test-scan.png
├── [1.0K]  LICENSE
├── [7.3K]  putscanner.py
├── [1.8K]  README.md
└── [1.2K]  test_server.py

1 directory, 7 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。