
CVE-2024-50379 PoC — Apache Tomcat: RCE due to TOCTOU issue in JSP compilation

Associated Vulnerability
Title: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation (CVE-2024-50379)
Description: A Time-of-check Time-of-use (TOCTOU) race condition during JSP compilation in Apache Tomcat permits RCE on case-insensitive file systems when the default servlet is enabled for write (a non-default configuration). This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, and from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fix the issue.
Description
Tomcat CVE-2024-50379/CVE-2024-56337 race-condition file upload exploit
Readme
Manual exploitation is a hassle, so I threw together an exploit.

Usage:

shell.jsp is the webshell to upload; ggsl.jsp is the file name/path it is saved under on the target server.

`./CVE-2024-50379 -u http://192.168.2.245:8080 -f shell.jsp -p ggsl.jsp`



![image-20241223151845286](assets/image-20241223151845286.png)

![image-20241223151902375](assets/image-20241223151902375.png)

# Disclaimer

This tool is intended solely for **legally authorized** enterprise security work. If you need to test the tool, set up your own target environment.

When using this tool for testing, you must ensure that the activity complies with local laws and regulations and that you have obtained sufficient authorization. **Do not scan unauthorized targets.**

If you engage in any illegal activity while using this tool, you bear the consequences yourself; we accept no legal or joint liability.

Before installing and using this tool, please **read carefully and fully understand every clause**. Clauses that limit or exclude liability, or that otherwise concern your material interests, may be highlighted in bold or underlined for your attention. Unless you have fully read, completely understood and accepted all terms of this agreement, do not install or use this tool. Using the tool, or indicating acceptance of this agreement in any other express or implied manner, constitutes your having read and agreed to be bound by it.
File Snapshot

```
/data/pocs/82b135b5e8d9f6b5fb4d944eaa4a54433ff88f6a
├── assets/
│   ├── image-20241223151845286.png   (144K)
│   └── image-20241223151902375.png   (246K)
├── fasthttp/      in-tree copy of the fasthttp HTTP client/server library, with its
│                  tests, examples/, fasthttpadaptor/, fasthttpproxy/, fasthttputil/,
│                  prefork/, reuseport/, stackless/, go.mod, LICENSE and SECURITY.md
├── go.mod         (387)
├── go.sum         (2.4K)
├── main.go        (5.8K)   the tool's only source file outside fasthttp/
└── README.md      (1.3K)

18 directories, 156 files
```