Vulnerability description
The vulnerability stems from a flaw in Tomcat's AJP protocol handling. By crafting specific request parameters, an attacker can read arbitrary files under the server's webapp directory. If the target server also exposes a file-upload function, the attacker can go further and achieve remote code execution. The vendor has since released new versions that fix the vulnerability.
Affected versions
- Apache Tomcat 6
- Apache Tomcat 7 < 7.0.100
- Apache Tomcat 8 < 8.5.51
- Apache Tomcat 9 < 9.0.31
Unaffected versions
- Apache Tomcat = 7.0.100
- Apache Tomcat = 8.5.51
- Apache Tomcat = 9.0.31
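A defender-side check, added here and not part of the original post or the AJPy tool: it classifies a Tomcat version against the affected/unaffected table above and audits the AJP Connector entries of a server.xml for exposure. It assumes (as was the case before the fixed releases) that an AJP connector with no address attribute listens on all interfaces, treats a loopback binding or a configured secret attribute as the mitigations, and uses a constructed server.xml fragment as input.

```python
"""Version and configuration checks for the Tomcat AJP file-read issue."""
import xml.etree.ElementTree as ET

# First fixed release per major line, from the table above.
# Tomcat 6 has no fixed release and is treated as always affected.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

def parse_version(text):
    """'8.5.50' -> (8, 5, 50); a suffix such as '-M1' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(version):
    """True when the version falls inside an affected range of the table."""
    v = parse_version(version)
    if v[0] == 6:
        return True
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # 10.x and later were released after the fix
    return v < fixed

def audit_ajp_connectors(server_xml):
    """Return one finding per AJP <Connector> that is still exposed.

    Exposed means: bound to a non-loopback address (assumption: a missing
    address attribute means all interfaces on an unfixed Tomcat), or
    accepting connections without a configured shared secret.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if not c.get("protocol", "").startswith("AJP"):
            continue
        port = c.get("port", "?")
        addr = c.get("address", "0.0.0.0")
        if addr not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"AJP port {port} bound to {addr}: "
                            "bind to loopback or disable the connector")
        if not c.get("secret"):
            findings.append(f"AJP port {port} has no shared secret")
    return findings

# Constructed server.xml fragment: default-style AJP connector, no hardening.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    print(is_affected("8.5.50"), audit_ajp_connectors(SAMPLE_SERVER_XML))
```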
Exploit
$ git clone git@github.com:yangb92/AJPy.git
Practical notes:
- If the target's default AJP port has been changed, scan all open ports and test each one in turn. Parameter for changing the default port: --port=8812
- If the target answers with a 302 redirect to authentication, supply a default argument headers={"cookie":"xxx"} in the perform_request function of tomcat.py, adding an already-authenticated cookie.