Serious Tomcat vulnerability disclosed, affecting almost all versions, with a fix!

Author: Amateur grass

Source: https://www.xttblog.com/?p=4809

Yesterday the group chat blew up. Everyone is working remotely, yet we had to hurriedly upgrade the production Tomcat, because a serious flaw had been discovered in Tomcat that affects almost all versions.

First, how the vulnerability works

Specifically, Apache Tomcat contains a file inclusion vulnerability. An attacker can exploit it to include arbitrary files or read any file under the Tomcat webapp directory, such as webapp configuration files or other source code.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="Because enabled">
Because Tomcat enables the AJP service (port 8009) by default, and that service has a file inclusion flaw, an attacker can construct a malicious request packet that triggers the file inclusion and then read files from the web directory of the affected Tomcat server.

Because enabled by default Tomcat AJP service (port 8009) there is a file containing the flaw, an attacker could construct a malicious file containing the request packet operation, and then read by the Web directory files on the affected Tomcat server.

Second, the vulnerability identifiers

Two identifiers are associated with this vulnerability.

  • CVE-2020-1938

  • CNVD-2020-1048

Third, affected versions

  • Apache Tomcat 6

  • Apache Tomcat 7 < 7.0.100

  • Apache Tomcat 8 < 8.5.51

  • Apache Tomcat 9 < 9.0.31

Fourth, vulnerability details

First start the Apache Tomcat service; visiting localhost:8080 should bring up the page shown below.

From the screenshot we can determine the version number of the Tomcat instance.

Then run a port scan against the host with a vulnerability scanning tool. Finding ports 8009 and 8080 both open confirms the vulnerability.

Then you can use the proof-of-concept scripts that others have published on GitHub for the demonstration. There are two download addresses below; either one will do.

Poc1 Download: https://github.com/0nise/CVE-2020-1938

Poc2 download: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

After downloading, open a cmd prompt in that folder and run the poc with the target URL as a parameter. Note that the poc requires a Python 2 environment. Then execute the following command.

Once it runs successfully, you can see that the file web.xml has been read. Every other file under WEB-INF can be accessed the same way, including your source files: jsp, html, .class, and so on.

Fifth, remediation

1. Disable Tomcat's AJP protocol port: in the conf/server.xml configuration file, comment out <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />.

2. Use the secretRequired and secret attributes in the AJP connector configuration to require authentication.

3. Upgrade Tomcat to a fixed version.
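To check which of these fixes have actually been applied, the following audit script (an added example, not part of the original post or of Tomcat) parses a conf/server.xml and flags AJP connectors that are still reachable without a secret. The sample server.xml and the function name audit_ajp_connectors are constructed for this example; commented-out connectors are naturally skipped because the XML parser does not see them.

```python
# Added example (not from the original post): audit a Tomcat conf/server.xml
# for AJP connectors left in the exposed state that CVE-2020-1938 relies on.
import xml.etree.ElementTree as ET

# Constructed sample: one connector per remediation state described above.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- fix 1 not applied, fix 2 not applied: default AJP connector -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- fix 2 applied: loopback only, shared secret required -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443" />
    <!-- fix 1 applied: connector commented out, invisible to the parser -->
    <!-- <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per active AJP connector: {"port": ..., "problems": [...]}.

    An empty problems list means the connector is bound to loopback and
    requires a shared secret, i.e. fix 2 from the post is in place.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults to HTTP/1.1 when protocol is omitted; AJP connectors
        # use "AJP/1.3" or an org.apache.coyote.ajp.* class name.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        problems = []
        if conn.get("address") not in LOOPBACK_ADDRESSES:
            problems.append("listens on all interfaces (no loopback address)")
        if conn.get("secretRequired", "").lower() == "false":
            problems.append("secretRequired explicitly disabled")
        if not conn.get("secret"):
            problems.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "; ".join(finding["problems"]) or "OK"
        print(f"AJP connector on port {finding['port']}: {status}")
```

Run it against a real conf/server.xml by reading the file into the function; any finding with a non-empty problems list still needs fix 1 or fix 2.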

Sixth, closing remarks

Does your company use Tomcat? Which version are you running? Were you affected? Feel free to discuss in the comments!


Origin blog.csdn.net/xmt1139057136/article/details/104454218