CVE-2020-1938 PoC — Apache Tomcat Security Vulnerability

Source
Associated Vulnerability
Title: Apache Tomcat Security Vulnerability (CVE-2020-1938)
Description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
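A defender-side check for the exposure the description outlines, added here as an example (it is not code from this page or from the scanner project): it audits a Tomcat `server.xml` for enabled AJP connectors that have no loopback `address` or no shared secret. The function name and the sample configuration are constructed for illustration; `address`, `secret`, `requiredSecret` and `secretRequired` are Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml):
    """Return one finding per enabled AJP <Connector>, with its list of issues."""
    findings = []
    # ElementTree drops XML comments, so a commented-out Connector is not reported.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors are out of scope for this check
        issues = []
        address = conn.get("address")
        if address is None:
            issues.append("no address: binds all IPs on releases before "
                          "9.0.31 / 8.5.51 / 7.0.100")
        elif address not in LOOPBACK:
            issues.append("address %s is not loopback: limit access to "
                          "trusted proxies" % address)
        # 'requiredSecret' is the older name of the 'secret' attribute.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired is explicitly disabled")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings

# Constructed sample: an unhardened AJP connector, a commented-out one,
# and a hardened one (the secret value is a placeholder).
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secret="placeholder-secret" secretRequired="true" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE):
        print(f["port"], "; ".join(f["issues"]) or "OK")
```

Because `server.xml` does not record the Tomcat version, a connector without `address` is always reported; on 9.0.31, 8.5.51, 7.0.100 or later the hardened defaults apply instead.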
Description
CNVD-2020-10487 / CVE-2020-1938, scanner tool
Readme
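### Python 2 multi-threaded scanner for the Tomcat AJP file-read vulnerability
A perk for people farming SRC points
The PoC comes from [https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/), `I am not the author of the PoC!!!!`
## Usage
### 1. Put the domains/IPs to scan in ip.txt
Entries in ip.txt do not need a protocol prefix, for example: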
```
127.0.0.1
www.baidu.com
www.google.com
```
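### 2. python threading-find-port-8009.py
This generates 8009.txt; it scans the domains/IPs in ip.txt and finds those with port 8009 open.
### 3. python threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py
Filters the URLs in 8009.txt that match the vulnerability and writes them to vul.txt.
`The domains that end up in vul.txt are the vulnerable ones`
In my own testing, the Butian public-welfare SRC has upwards of a hundred sites, and the education SRC roughly three hundred sites, with this vulnerability.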
![](1.png)
### 4. Testing
Test with CNVD-2020-10487-Tomcat-Ajp-lfi.py:
`python CNVD-2020-10487-Tomcat-Ajp-lfi.py target.com`
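## This project is for learning only; illegal use is strictly prohibited
ps1: The last line of both scripts sets the thread count (default 20); change it as needed.
It is at line 67 of threading-find-port-8009.py

and line 341 of threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py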

```
thread_num=20
```


ps2: The src域名收集 folder contains some education SRC and Butian SRC domains I collected, which can be tested directly.
File Snapshot

```
[4.0K]  /data/pocs/fa4dd156c5cd744fdad837a336d834af0e744167
├── [ 37K]  1.png
├── [ 11K]  CNVD-2020-10487-Tomcat-Ajp-lfi.py
├── [ 178]  ip.txt
├── [1.3K]  README.md
├── [4.0K]  src域名收集
│   ├── [409K]  butian-src-url.txt
│   └── [254K]  jiaoyu-src-url.txt
├── [ 11K]  threading-CNVD-2020-10487-Tomcat-Ajp-lfi.py
└── [1.9K]  threading-find-port-8009.py

1 directory, 8 files
```