2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes the session manipulation vulnerability in the Apache Tomcat sample directory and analyzes it from a professional perspective. I hope you gain something from reading it.
0x00 Background
Some time ago I found this vulnerability during a scan and studied it. I found it quite interesting, so I am sharing it with you. If there is anything wrong, please correct me.
A default Apache Tomcat installation contains the "/examples" directory, which holds numerous examples, including a session example (/examples/servlets/servlet/SessionExample) that allows users to manipulate the session. Because the session is global to the web application, a user can gain administrator privileges by manipulating it.
0x01 Vulnerability Analysis Demo
First, let's take a look at some of the source code of SessionExample.
//form code
out.println("<P>");
out.print("<form action=\"SessionExample\" method=POST>");
out.println(rb.getString("sessions.dataname"));
out.println("<input type=text size=20 name=dataname>");
out.println("<br>");
out.println(rb.getString("sessions.datavalue"));
out.println("<input type=text size=20 name=datavalue>");
out.println("<br>");
out.println("<input type=submit>");
out.println("</form>");
//core code
HttpSession session = request.getSession(true);
out.println(rb.getString("sessions.id") + " " + session.getId());
out.println("<br>");
out.println(rb.getString("sessions.created") + " ");
out.println(new Date(session.getCreationTime()) + "<br>");
out.println(rb.getString("sessions.lastaccessed") + " ");
out.println(new Date(session.getLastAccessedTime()));
String dataName = request.getParameter("dataname");   // Get the value of the dataname parameter
String dataValue = request.getParameter("datavalue"); // Get the value of the datavalue parameter
if (dataName != null && dataValue != null) {
    // Write the caller-chosen name/value pair into the session without any restriction
    session.setAttribute(dataName, dataValue);
}
The user submits the dataname and datavalue parameters through the form. The servlet reads both values with request.getParameter() and writes them into the session with session.setAttribute(). Because the session is global, a user who controls the session attributes in this way can obtain site administrator privileges.
For example, we first write three pages, login.jsp, login2.jsp and index.jsp, and use them to simulate a typical website authentication flow.
login.jsp
User Name:
Password:
login2.jsp
index.jsp
We open the website's admin back end, index.jsp, directly:
http://127.0.0.1:8080/examples/index.jsp
We are redirected to login.jsp, and we cannot log in without knowing the password. Next, we demonstrate how to enter the website's back end by manipulating the session.
Open SessionExample
http://127.0.0.1:8080/examples/servlets/servlet/SessionExample
Enter login in Name of Session Attribute:
Enter admin in Value of Session Attribute:
login=admin has now been written into the session.
Open index.jsp again; it now shows a successful login.
0x02 Repair suggestions
Delete the /examples directory.
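One way to check a server for what the repair suggestion targets, as an added example that is not part of the original article: the function reports the stock examples application and any renamed copy that still maps the SessionExample path. It assumes applications are unpacked under webapps/ and the servlet mapping is declared in WEB-INF/web.xml; the function names, script name and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Tomcat base directory
# for the stock examples webapp and for renamed copies of SessionExample.

# find_session_example BASE
# Prints one line per finding; returns 0 if anything was found, 1 if clean.
find_session_example() {
    base=$1
    found=1
    # 1. The stock application under its default name, unpacked or as a WAR.
    for p in "$base/webapps/examples" "$base/webapps/examples.war"; do
        if [ -e "$p" ]; then
            echo "examples webapp present: $p"
            found=0
        fi
    done
    # 2. A renamed copy: any deployed web.xml that still maps the servlet path
    #    shown in the article (assumes the mapping is declared in web.xml).
    for xml in "$base"/webapps/*/WEB-INF/web.xml; do
        [ -f "$xml" ] || continue
        if grep -q '/servlets/servlet/SessionExample' "$xml"; then
            echo "SessionExample mapped in: $xml"
            found=0
        fi
    done
    return "$found"
}

# make_sample_base DIR
# Builds a constructed (fake) layout: one renamed copy plus a clean ROOT app.
make_sample_base() {
    mkdir -p "$1/webapps/demo/WEB-INF" "$1/webapps/ROOT/WEB-INF"
    printf '%s\n' '<url-pattern>/servlets/servlet/SessionExample</url-pattern>' \
        > "$1/webapps/demo/WEB-INF/web.xml"
    printf '%s\n' '<web-app/>' > "$1/webapps/ROOT/WEB-INF/web.xml"
}

# Usage: sh audit.sh /path/to/tomcat   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    find_session_example "$1"
fi
```

A non-zero exit status means nothing was found, so the script can gate a deployment check.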
0x03 Diversion
Don't you think this is a good backdoor?