openkylin-exploit-db/cve/apache-tomcat/2020/CVE-2020-1938
李海花 b88d23a1bf Fix incorrect image path 2023-03-15 01:27:46 +00:00

img add CVE-2020-1938 2023-03-15 01:27:46 +00:00
CVE-2020-1938.py add CVE-2020-1938 2023-03-15 01:27:46 +00:00
README.md Fix incorrect image path 2023-03-15 01:27:46 +00:00

README.md

Vulnerability Analysis and Exploits

Vulnerability principle:

When Tomcat processes a request, it tries to read the request attribute javax.servlet.include.servlet_path. The DefaultServlet treats this value as the path of the static resource file being requested, and JspServlet treats it as the path of the JSP file being requested. Because an AJP client can set this attribute, a request sent over the AJP connector can read any file in the webapp directory through the Request Attribute.

The vulnerability escalates to RCE when the following conditions are met:

The web application needs to allow files to be uploaded and stored inside the web application; otherwise, the attacker would have to control the content of the web application in some other way. This condition, together with the ability to have an arbitrary file processed as a JSP (through the vulnerability), makes RCE possible.

Steps:

  1. Through the Ghostcat vulnerability, an attacker can read any file in the webapp directory of a Tomcat deployment by using the AJP connector, which usually listens on port 8009.
  2. At the same time, if the application offers a file upload function, the attacker can also upload a file containing JSP code to the server (the uploaded file can be of any type: an image, a plain-text file, etc.) and then use Ghostcat to include that file, achieving code execution.
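The two conditions above map directly onto two defender-side checks: is an AJP connector exposed beyond loopback without a shared secret, and does the Tomcat release predate the fix? The script below is an added example for this README, not code from the openkylin-exploit-db repository. It audits a server.xml with only the Python standard library. The two server.xml fragments and the placeholder secret are constructed for the example; the fixed versions (7.0.100, 8.5.51, 9.0.31) are the releases in which Apache disabled the AJP connector by default and made a secret mandatory.

```python
"""Audit a Tomcat server.xml for CVE-2020-1938 (Ghostcat) exposure.

Checks two things that matter for this vulnerability:
  * every AJP/1.3 connector: is it bound to loopback only, and does it
    require a shared secret?
  * the Tomcat version: does it predate the fix for its branch?
"""
import xml.etree.ElementTree as ET

# First release in each branch that disables AJP by default and requires a secret.
FIXED_VERSIONS = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Constructed sample: the pre-fix default, AJP on all interfaces with no secret.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP kept for a reverse proxy, but loopback-only and secret-protected.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-USE-A-LONG-RANDOM-SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def parse_version(version: str) -> tuple:
    """'8.5.32' -> (8, 5, 32); only the first three numeric components are used."""
    return tuple(int(part) for part in version.split(".")[:3])


def version_is_vulnerable(version: str) -> bool:
    """True if this Tomcat release predates the CVE-2020-1938 fix for its branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branches not listed (e.g. 10.x) are not assessed by this check.
        return False
    return parsed < fixed


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per exposed AJP connector attribute; [] means nothing to fix."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Connectors with no protocol attribute default to HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # Before the fix, an AJP connector without 'address' listened on all interfaces.
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret")
        if address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"AJP connector on port {port} listens on {address}; "
                "bind it to 127.0.0.1 or remove the connector")
        # Conservative: flag any AJP connector that lacks a configured secret.
        if not secret_required or not secret:
            findings.append(
                f"AJP connector on port {port} does not require a shared secret; "
                "set secretRequired=\"true\" and a strong secret")
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"[{label}] version 8.5.32 vulnerable: {version_is_vulnerable('8.5.32')}")
        for finding in audit_ajp_connectors(xml) or ["no AJP findings"]:
            print(f"[{label}] {finding}")
```

The audit reports the pre-fix default as two findings (all-interfaces bind and no secret) and the hardened fragment as clean. Removing the AJP connector entirely is the simplest fix when no reverse proxy speaks AJP to Tomcat; the loopback bind plus secret is the configuration to keep when one does.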

Exploits Demo

Tools: Kali-linux 64 bit Virtual Machine, Tomcat-8.5.32, JRE8 environment.

  1. Search for a tomcat-8.5.32 image with Docker[5].

    command: docker search tomcat-8.5.32

    command to install Docker: apt install docker.io

[![search image](img/search image.png)](https://github.com/Siyang9065/img/blob/main/search image.png?raw=true)

  2. Pull the Tomcat image and load it into the local virtual machine.

    command: docker pull duonghuuphuc/tomcat-8.5.32

[![pull image](img/pull image.png)](https://github.com/Siyang9065/img/blob/main/pull image.png?raw=true)

  3. Create a container from this image, publishing ports 8080 and 8009.

    command: docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32

    -d: run the container in the background and print the container ID.

    -p: bind the container's internal port to the specified host port.

    --name: specify the name of the container.

[![run ports](img/run tomcat.png)](https://github.com/Siyang9065/img/blob/main/run tomcat.png?raw=true)

  4. Use the tool Nmap[6] to check whether ports 8080 and 8009 on the local IP address are open.

    command: nmap <IP address>

[![check ports](img/check ports.png)](https://github.com/Siyang9065/img/blob/main/check ports.png?raw=true)

  5. Check in a web browser that the Tomcat environment is working properly.

(image: run tomcat)

  6. Run the Python vulnerability script against host port 8009 to read files in the webapp directory.

    command: python CVE-2020-1938.py <IP address> -p 8009 -f WEB-INF/web.xml

    -p: specify the port

    -f: specify the path of the file to be read

[![exploit script](img/exploit script.png)](https://github.com/Siyang9065/img/blob/main/exploit script.png?raw=true)

[![read web file](img/read files.png)](https://github.com/Siyang9065/img/blob/main/read files.png?raw=true)

[![read index file](img/read index file.png)](https://github.com/Siyang9065/img/blob/main/read index file.png?raw=true)