
How to reproduce the session manipulation vulnerability in the Tomcat examples directory

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to reproduce the session manipulation vulnerability in the Tomcat examples directory. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful to you.

Background to the reproduction:

Recently more and more of my projects involve the Apache Tomcat middleware, so I am thinking of doing a clean-up: summarizing and reproducing several important high-risk vulnerabilities of Apache Tomcat, to consolidate and update my knowledge base.

Digression: today we reproduce the session manipulation vulnerability in the Tomcat examples directory. In practice I have also encountered examples directories left open that allow manipulating Tomcat's global session. But this vulnerability is of little practical value. Perhaps it is a problem with our circle, but I have heard a senior colleague say that only the author who published the vulnerability has ever exploited it successfully, and so far nobody else has. The reason will become clear later, when we have to write three back-end login pages ourselves.

Vulnerability description:

The examples directory exists in a default Apache Tomcat installation. It contains sample service scripts and interfaces for Servlets, JSP and WebSocket. Under the Servlets examples there is a session sample, and this sample allows the user to manipulate the session. Because the session is shared, you can use this sample to set session values, take on an administrator session and carry out malicious operations under the administrator's account.

Vulnerability analysis:

Let's look directly at the core code:

The core session-handling code above means that the user submits two parameter values, name and value, through the form. The servlet reads them with request.getParameter(), then stores them in the session with session.setAttribute(). In other words, the session contents can be controlled from the front-end page, which can be used to obtain administrator privileges.
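The session writes happen inside Tomcat's own SessionExample servlet, so the practical control is noticing who calls it. As an added example (not code from the article or from Tomcat), the following Python scans constructed Tomcat access-log lines for requests to that servlet and recovers the attribute name and value from the query string; it assumes the form fields are named dataname and datavalue (the article calls them name and value) and that the log uses the common pattern.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path of the servlet the article discusses (Tomcat's examples webapp).
SESSION_EXAMPLE_PATH = "/examples/servlets/servlet/SessionExample"

# Constructed access-log lines in Tomcat's "common" AccessLogValve pattern (sample data, not a real log).
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2019:10:01:02 +0800] "GET /examples/servlets/servlet/SessionExample?dataname=admin&datavalue=1 HTTP/1.1" 200 1823
10.0.0.5 - - [31/May/2019:10:01:07 +0800] "GET /examples/index.jsp HTTP/1.1" 200 312
10.0.0.9 - - [31/May/2019:10:02:11 +0800] "POST /examples/servlets/servlet/SessionExample HTTP/1.1" 200 1823
10.0.0.9 - - [31/May/2019:10:02:30 +0800] "GET /examples/servlets/servlet/SessionExample;jsessionid=0A1B2C3D?dataname=role&datavalue=admin HTTP/1.1" 200 1823
10.0.0.7 - - [31/May/2019:10:03:45 +0800] "GET /docs/index.html HTTP/1.1" 200 5200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one common-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_session_writes(log_text):
    """Return one finding per request that reaches SessionExample."""
    # Attribute name/value can only be recovered from a GET query string; a POST's form body
    # is not in the access log, so such requests are reported with values_in_body=True.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # Strip path parameters such as ;jsessionid=... so URL-rewritten sessions still match.
        path = parts.path.split(";", 1)[0]
        if path != SESSION_EXAMPLE_PATH:
            continue
        qs = parse_qs(parts.query)
        name = qs.get("dataname", [None])[0]
        value = qs.get("datavalue", [None])[0]
        findings.append({
            "ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
            "attribute": name, "value": value,
            "values_in_body": rec["method"] == "POST" and name is None,
        })
    return findings
```

Run find_session_writes() over the text of Tomcat's localhost_access_log files; any hit outside a deliberate test is worth a look, since nothing legitimate depends on this servlet.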

Vulnerability reproduction:

Reproduction environment:

Tomcat 7.0.88

JDK 1.8.0_181

Burp 2.0

Here, whatever Tomcat version you have set up yourself is fine; there is no need to look for exactly this version.

Once the environment is ready, we begin the reproduction.

http://127.0.0.1:8080/examples/servlets/servlet/SessionExample

Open the session example under servlets in the examples directory and use its execute button.

Under "The following data is in your session", we submit the name and value to obtain the session value we need. Below it there is also a GET-based form.

My understanding is that it passes the values by GET, so we do not need to pay attention to that one.

Here we need three pages to help us reproduce this vulnerability, because by default there is no simulated login page under the examples directory. These three pages simulate a back-end login site whose access is controlled by session values.

login.jsp:

index.jsp:

login_test.jsp:

Once the three pages are ready, place them in the examples directory. We can then start reproducing the vulnerability.

First we visit the index.jsp page. At this point it does not find the admin session value, so the code logic performs a 302 redirect to the login_test.jsp page.

Next we set the admin session value through the session example in the examples directory.

Then we visit index.jsp again. This time the admin session value is present, and the code logic outputs a successful login.

Next we visit login.jsp and submit an account value through the POST form. We can see that it redirects to index.jsp. The reproduction of the login bypass by manipulating the session is complete.

Vulnerability fixes:

Disable access to, or directly delete, the resources under the examples directory, and configure directory access restrictions to prevent directory traversal.
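One way to check an installation against this advice, as an added example that is not part of the article: the script reports whether the examples webapp is deployed under a CATALINA_BASE and whether its META-INF/context.xml contains an active RemoteAddrValve (Tomcat's standard client-IP allow-list valve), and embeds a loopback-only context.xml for when deleting the directory is not an option. The demo layout and its "before" context.xml, with the valve left inside a comment, are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Loopback-only context.xml for the examples webapp (constructed here, not Tomcat's shipped file).
# Install it as webapps/examples/META-INF/context.xml if the directory cannot simply be removed.
HARDENED_CONTEXT_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""

def audit_examples(catalina_base):
    """Report whether the examples webapp is deployed and whether an active RemoteAddrValve restricts it."""
    examples = Path(catalina_base) / "webapps" / "examples"
    if not examples.is_dir():
        return {"deployed": False, "restricted": None}
    ctx = examples / "META-INF" / "context.xml"
    active = ""
    if ctx.is_file():
        # Remove XML comments first: a commented-out Valve restricts nothing.
        active = re.sub(r"<!--.*?-->", "", ctx.read_text(encoding="utf-8"), flags=re.S)
    return {"deployed": True, "restricted": VALVE in active}

def demo():
    """Audit a constructed CATALINA_BASE before and after hardening; returns both 'restricted' flags."""
    with tempfile.TemporaryDirectory() as tmp:
        meta = Path(tmp) / "webapps" / "examples" / "META-INF"
        meta.mkdir(parents=True)
        ctx = meta / "context.xml"
        # Constructed "before" state: the valve is present only inside a comment.
        ctx.write_text('<Context>\n  <!-- <Valve className="%s" allow="127\\.0\\.0\\.1" /> -->\n</Context>\n'
                       % VALVE, encoding="utf-8")
        before = audit_examples(tmp)
        ctx.write_text(HARDENED_CONTEXT_XML, encoding="utf-8")
        after = audit_examples(tmp)
    return before["restricted"], after["restricted"]

if __name__ == "__main__":
    print(demo())
```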

That is all on how to reproduce the Tomcat examples directory session manipulation vulnerability. I hope the above is of some help and lets you learn more. If you think the article is good, share it so more people can see it.
