Apache Tomcat Template improvements (#3446)

* Improved Tomcat matchers / extractors / paths

* removed duplicate detections / matchers

* removed duplicate template

* Added missing tomcat tags
patch-1
Sandeep Singh 2021-12-29 19:10:59 +05:30 committed by GitHub
parent d6da741663
commit de9c4d605c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 42 additions and 88 deletions

View File

@ -4,7 +4,7 @@ info:
name: Apache Tomcat RCE
author: pikpikcu
severity: high
tags: cve,cve2017,apache,rce
tags: cve,cve2017,apache,rce,tomcat
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
description: |
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
@ -49,7 +49,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
part: body
- type: status
status:
- 200

View File

@ -4,14 +4,14 @@ info:
name: Apache Tomcat JK Status Manager Access
author: harshbothra_
severity: high
description: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
reference: https://github.com/immunIT/CVE-2018-11759
tags: cve,cve2018,apache
tags: cve,cve2018,apache,tomcat
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2018-11759
cwe-id: CWE-22
description: "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical."
requests:
- method: GET
@ -24,6 +24,7 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "JK Status Manager"

View File

@ -13,7 +13,7 @@ info:
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website.
tags: cve,cve2019,apache,xss
tags: cve,cve2019,apache,xss,tomcat
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -34,9 +34,9 @@ requests:
- "<script>alert('xss')</script>"
- type: word
part: header
words:
- "text/html"
part: header
- type: status
status:

View File

@ -11,14 +11,13 @@ info:
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.
tags: cve,cve2020,apache
reference:
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
reference: http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.00
cve-id: CVE-2020-9484
cwe-id: CWE-502
tags: cve,cve2020,apache,tomcat
requests:
- method: GET
@ -26,15 +25,17 @@ requests:
Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
path:
- "{{BaseURL}}/index.jsp"
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "Exception"
- "ObjectInputStream"
- "PersistentManagerBase"
condition: and
part: body

View File

@ -4,7 +4,7 @@ info:
name: tomcat manager disclosure
author: Ahmed Sherif,geeknik
severity: info
tags: panel
tags: panel,tomcat
requests:
- method: GET
@ -16,7 +16,8 @@ requests:
matchers:
- type: word
words:
- Apache Tomcat
- "Apache Tomcat"
- type: status
status:
- 401

View File

@ -5,7 +5,7 @@ info:
author: organiccrap
severity: info
reference: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
tags: panel
tags: panel,tomcat
requests:
- method: GET
@ -22,7 +22,7 @@ requests:
condition: and
- type: status
negative: true
status:
- 403
- 401
negative: true

View File

@ -6,7 +6,7 @@ info:
severity: low
description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
tags: apache,misconfig
tags: apache,misconfig,tomcat
requests:
- method: GET

View File

@ -4,7 +4,7 @@ info:
name: Detect Tomcat Exposed Scripts
author: Co0nan
severity: info
tags: apache
tags: apache,tomcat
requests:
- method: GET
@ -15,6 +15,7 @@ requests:
- "{{BaseURL}}/..;/examples/servlets/index.html"
- "{{BaseURL}}/..;/examples/jsp/index.html"
- "{{BaseURL}}/..;/examples/websocket/index.xhtml"
matchers:
- type: word
words:
@ -22,3 +23,4 @@ requests:
- "JSP Samples"
- "Servlets Examples"
- "WebSocket Examples"
condition: or

View File

@ -1,18 +0,0 @@
id: default-tomcat-page
info:
name: Tomcat Default Page
author: dhiyaneshDk
severity: info
tags: tech,tomcat
reference: https://www.shodan.io/search?query=http.title%3A%22Apache+Tomcat%22
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers:
- type: word
words:
- "<title>Apache Tomcat"
part: body

View File

@ -1,31 +1,36 @@
id: tomcat-detect
info:
name: Tomcat Version Detect
author: philippedelteil
name: Tomcat Detection
author: philippedelteil,dhiyaneshDk
description: If an Tomcat instance is deployed on the target URL, when we send a request for a non existent resource we receive a Tomcat error page with version.
severity: info
tags: tech,tomcat,apache
metadata:
shodan-query: title:"Apache Tomcat"
requests:
- method: GET
path:
- "{{BaseURL}}/something_not_existing_"
matchers-condition: and
- "{{BaseURL}}"
- "{{BaseURL}}/{{randstr}}"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(tolower(all_headers), "tomcat")'
- type: word
words:
- "Apache Tomcat"
- type: status
status:
- 404
- type: dsl
dsl:
- 'contains(tolower(body), "apache tomcat")'
- 'contains(tolower(body), "/manager/html")'
- 'contains(tolower(body), "/manager/status")'
condition: or
extractors:
- type: regex
part: body
name: version
group: 2
group: 1
regex:
- '(<h3>)(.*?)(</h3>)'
- '(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)'

View File

@ -841,38 +841,6 @@ requests:
words:
- content="Struts2 Showcase for Apache Struts Project"
- type: word
name: apache-tomcat
words:
- <h3>Apache Tomcat/
- type: word
name: apache-tomcat
words:
- <title>Apache Tomcat/
- type: word
condition: and
name: apache-tomcat
words:
- /manager/html
- /manager/status
- type: word
name: apache-tomcat
words:
- href="tomcat.css
- type: word
name: apache-tomcat
words:
- this is the default tomcat home page
- type: word
name: apache-tomcat
words:
- <h3>apache tomcat
- type: word
name: apache-unomi
words:

View File

@ -2951,12 +2951,6 @@ requests:
- "Microsoft-HTTPAPI"
part: header
- type: word
name: tomcat
words:
- "Tomcat"
part: header
- type: word
name: darkhttpd
words: