CVE-2020-9484 PoC — Apache Tomcat 代码问题漏洞

Title:Apache Tomcat 代码问题漏洞 (CVE-2020-9484)
Description:When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

利用ceye批量检测CVE-2020-9484

**工具仅用于安全研究以及内部自查，禁止使用工具发起非法攻击，造成的后果使用者负责**

**工具仅用于安全研究以及内部自查，禁止使用工具发起非法攻击，造成的后果使用者负责**

**工具仅用于安全研究以及内部自查，禁止使用工具发起非法攻击，造成的后果使用者负责**

脚本基于<https://github.com/threedr3am/tomcat-cluster-session-sync-exp>，采用多进程调用`tomcat-cluster-session-sync-exp-1.0-SNAPSHOT-jar-with-dependencies.jar`，通过ceye.io来证明漏洞是否真实存在。

**注意：脚本还未经过测试，可能不可用！**

1. 资产文件格式说明：`IP<空格>PORT`，可参考ips.txt；
2. 修改脚本中的ceye.io地址为自己账号对应的地址；
3. 多进程数量修改`pool = ProcessPoolExecutor(10)`，默认10个进程数;

 [4.0K]  /data/pocs/7a1c8b8822e4d5fad7f8738acafebf2de963b55c
├── [  33]  ips.txt
├── [ 841]  poc.py
├── [ 875]  README.md
└── [653K]  tomcat-cluster-session-sync-exp-1.0-SNAPSHOT-jar-with-dependencies.jar

0 directories, 4 files