Apache Tomcat Template improvements (#3446)
* Improved Tomcat matchers / extractors / paths
* removed duplicate detections / matchers
* removed duplicate template
* Added missing tomcat tags

patch-1
parent
d6da741663
commit
de9c4d605c
@ -4,7 +4,7 @@ info:
|
|||
name: Apache Tomcat RCE
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
tags: cve,cve2017,apache,rce
|
||||
tags: cve,cve2017,apache,rce,tomcat
|
||||
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
|
||||
description: |
|
||||
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
|
||||
|
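Review bot: the other CVE templates touched in this PR carry a `classification:` block (cvss-metrics, cvss-score, cve-id, cwe-id) under `info:`, but the context shown here for the CVE-2017-12615 template has only name, author, severity, tags, reference and description; since the file is being edited anyway, consider adding the classification block in the same pass. The `tomcat` tag appended at the end of `tags: cve,cve2017,apache,rce,tomcat` matches the ordering used in the other templates.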
@ -49,7 +49,7 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
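Review bot: the `root:.*:0:0` regex on `part: body` and the `- 200` status matcher are only meaningful together, and `matchers-condition: and` is not among the context lines of this hunk; confirm it is set above, otherwise any 200 response satisfies the status matcher on its own and the template over-reports.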
@ -4,14 +4,14 @@ info:
|
|||
name: Apache Tomcat JK Status Manager Access
|
||||
author: harshbothra_
|
||||
severity: high
|
||||
description: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
|
||||
reference: https://github.com/immunIT/CVE-2018-11759
|
||||
tags: cve,cve2018,apache
|
||||
tags: cve,cve2018,apache,tomcat
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2018-11759
|
||||
cwe-id: CWE-22
|
||||
description: "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
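Review bot: the description is moved below `classification:` and wrapped in double quotes, while in the CVE-2017-12615 template of this same PR it stays near the top of `info:`; pick one placement for all templates. The quoting itself is harmless, as the text contains no double quotes. The CVSS vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` does compute to 7.5, so `cvss-score: 7.50` is consistent, and `CWE-22` fits a path-normalisation issue.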
@ -24,6 +24,7 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "JK Status Manager"
|
||||
|
|
|
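Review bot: the `"JK Status Manager"` word matcher and the `- 200` status matcher only give a useful signal combined; `matchers-condition: and` is not visible in this hunk's context, so confirm it sits above `- type: status`, since a 200 alone from the probed path would otherwise count as a hit.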
@ -13,7 +13,7 @@ info:
|
|||
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
|
||||
therefore, vulnerable to XSS. SSI is disabled by default.
|
||||
The printenv command is intended for debugging and is unlikely to be present in a production website.
|
||||
tags: cve,cve2019,apache,xss
|
||||
tags: cve,cve2019,apache,xss,tomcat
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
|
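Review bot: tag change only; for the record, the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` computes to 6.1, matching `cvss-score: 6.10`. The description's note that SSI is disabled by default and `printenv` is unlikely in production is worth keeping, as it explains why hits from this template need manual confirmation.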
@ -34,9 +34,9 @@ requests:
|
|||
- "<script>alert('xss')</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
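Review bot: moving `part: header` above `words:` is purely cosmetic. The weak spot is the matcher itself: a `text/html` content-type is true for almost every HTML response, so it adds nothing unless it is tied to the reflected `<script>alert('xss')</script>` word matcher through `matchers-condition: and` (outside this hunk); consider dropping it, or tightening it to something that distinguishes the SSI printenv output.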
@ -11,14 +11,13 @@ info:
|
|||
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
|
||||
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
|
||||
Note that all of conditions a) to d) must be true for the attack to succeed.
|
||||
tags: cve,cve2020,apache
|
||||
reference:
|
||||
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
|
||||
reference: http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.00
|
||||
cve-id: CVE-2020-9484
|
||||
cwe-id: CWE-502
|
||||
tags: cve,cve2020,apache,tomcat
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
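Review bot: `reference:` is changed from a list to a scalar; the list form is the more common shape in these templates and lets a second link be added later without reshaping the key, so prefer keeping the list. Moving `tags:` below `cwe-id:` is fine, but it is then placed differently from the CVE-2018-11759 template in this same PR, where `tags:` sits before `classification:`; keep one order.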
@ -26,15 +25,17 @@ requests:
|
|||
Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
|
||||
path:
|
||||
- "{{BaseURL}}/index.jsp"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Exception"
|
||||
- "ObjectInputStream"
|
||||
- "PersistentManagerBase"
|
||||
condition: and
|
||||
part: body
|
||||
|
|
|
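Review bot: the `condition: and` over the three words `Exception`, `ObjectInputStream` and `PersistentManagerBase`, together with `matchers-condition: and` and the `- 500` status, is the right shape to keep generic 500 error pages from matching. Note that the cookie value hardcodes `/usr/local/tomcat/groovy`, which is the layout from the referenced vulhub PoC; on other installations the FileStore location differs, so a non-match does not mean the instance is patched. A short comment in the template saying so would help readers of scan results. The `part: body` move is cosmetic.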
@ -4,7 +4,7 @@ info:
|
|||
name: tomcat manager disclosure
|
||||
author: Ahmed Sherif,geeknik
|
||||
severity: info
|
||||
tags: panel
|
||||
tags: panel,tomcat
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -16,7 +16,8 @@ requests:
|
|||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- Apache Tomcat
|
||||
- "Apache Tomcat"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 401
|
||||
|
|
|
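Review bot: quoting `"Apache Tomcat"` is a good style fix. The `- 401` status matcher should be tied to the word matcher with `matchers-condition: and` (not shown in this context): a 401 alone says only that the path is authentication-protected, and the word check on the 401 body is what confirms it is the Tomcat manager.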
@ -5,7 +5,7 @@ info:
|
|||
author: organiccrap
|
||||
severity: info
|
||||
reference: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
|
||||
tags: panel
|
||||
tags: panel,tomcat
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -22,7 +22,7 @@ requests:
|
|||
condition: and
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 403
|
||||
- 401
|
||||
negative: true
|
||||
|
|
|
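Review bot: moving `negative: true` above `status:` does not change behaviour. Worth stating what the negative matcher means here: it passes for every status other than 403 and 401, including 404 and 500, so under `condition: and` it only contributes "not explicitly denied"; the word matcher above carries the actual detection, and a custom error page that echoes the words would still match.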
@ -6,7 +6,7 @@ info:
|
|||
severity: low
|
||||
description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
|
||||
reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
|
||||
tags: apache,misconfig
|
||||
tags: apache,misconfig,tomcat
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
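Review bot: the description sentence is ungrammatical: "The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers ..." has no main verb. Suggest "The following example scripts come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system." Tag addition is fine.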
@ -4,7 +4,7 @@ info:
|
|||
name: Detect Tomcat Exposed Scripts
|
||||
author: Co0nan
|
||||
severity: info
|
||||
tags: apache
|
||||
tags: apache,tomcat
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -15,6 +15,7 @@ requests:
|
|||
- "{{BaseURL}}/..;/examples/servlets/index.html"
|
||||
- "{{BaseURL}}/..;/examples/jsp/index.html"
|
||||
- "{{BaseURL}}/..;/examples/websocket/index.xhtml"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
|
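Review bot: the new `{{BaseURL}}/..;/examples/websocket/index.xhtml` path pairs with the `WebSocket Examples` word added in the next hunk, good. Each of the three `..;/` paths produces a separate request per host; `stop-at-first-match: true`, already used in `tomcat-detect` in this PR, would save the remaining requests once any one path matches.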
@ -22,3 +23,4 @@ requests:
|
|||
- "JSP Samples"
|
||||
- "Servlets Examples"
|
||||
- "WebSocket Examples"
|
||||
condition: or
|
||||
|
|
|
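Review bot: with `condition: or`, any one of `JSP Samples`, `Servlets Examples` or `WebSocket Examples` is enough, and these titles are distinctive. Since the requests use the `..;/` segment, consider pairing the word matcher with a `- 200` status matcher under `matchers-condition: and`, so that an error page that reflects parts of the request cannot match on its own.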
@ -1,18 +0,0 @@
|
|||
id: default-tomcat-page
|
||||
|
||||
info:
|
||||
name: Tomcat Default Page
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: tech,tomcat
|
||||
reference: https://www.shodan.io/search?query=http.title%3A%22Apache+Tomcat%22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Apache Tomcat"
|
||||
part: body
|
|
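Review bot: deleting `default-tomcat-page` is fine as a de-duplication, and the two things worth preserving from it are preserved: the Shodan search reference reappears as `shodan-query: title:"Apache Tomcat"` under `metadata:` in `tomcat-detect`, and `dhiyaneshDk` is added to that template's authors. The one behavioural difference is that this template matched the literal `<title>Apache Tomcat` in the body, whereas the replacement uses a case-insensitive `contains` on the whole body, which is broader.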
@ -1,31 +1,36 @@
|
|||
id: tomcat-detect
|
||||
|
||||
info:
|
||||
name: Tomcat Version Detect
|
||||
author: philippedelteil
|
||||
name: Tomcat Detection
|
||||
author: philippedelteil,dhiyaneshDk
|
||||
description: If an Tomcat instance is deployed on the target URL, when we send a request for a non existent resource we receive a Tomcat error page with version.
|
||||
severity: info
|
||||
tags: tech,tomcat,apache
|
||||
metadata:
|
||||
shodan-query: title:"Apache Tomcat"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/something_not_existing_"
|
||||
matchers-condition: and
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/{{randstr}}"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(tolower(all_headers), "tomcat")'
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Apache Tomcat"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 404
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(tolower(body), "apache tomcat")'
|
||||
- 'contains(tolower(body), "/manager/html")'
|
||||
- 'contains(tolower(body), "/manager/status")'
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: version
|
||||
group: 2
|
||||
group: 1
|
||||
regex:
|
||||
- '(<h3>)(.*?)(</h3>)'
|
||||
- '(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)'
|
|
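Review bot: the extractor regex `(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)` allows only a single digit for the major version, so on a Tomcat 10.x banner such as `Apache Tomcat/10.0.0` the greedy `.*` swallows the `1` and the capture group returns `0.0.0`; use `([0-9]+\.[0-9]+\.[0-9]+)`, and prefer `[^0-9]*` over `.*` so the first version string after the banner is taken rather than the last one on the line. Two smaller points: `description:` still reads "If an Tomcat instance" (should be "If a Tomcat instance") and only describes the non-existent-resource case, while the template now also requests `{{BaseURL}}`; and with `matchers-condition: or`, the `contains(tolower(body), "/manager/html")` check fires on any page that merely links to the manager path, which is acceptable for a tech-detect template but should be kept in mind when reading results. The `group: 1` change correctly follows the regex now having a single capture group.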
@ -841,38 +841,6 @@ requests:
|
|||
words:
|
||||
- content="Struts2 Showcase for Apache Struts Project"
|
||||
|
||||
- type: word
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- <h3>Apache Tomcat/
|
||||
|
||||
- type: word
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- <title>Apache Tomcat/
|
||||
|
||||
- type: word
|
||||
condition: and
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- /manager/html
|
||||
- /manager/status
|
||||
|
||||
- type: word
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- href="tomcat.css
|
||||
|
||||
- type: word
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- this is the default tomcat home page
|
||||
|
||||
- type: word
|
||||
name: apache-tomcat
|
||||
words:
|
||||
- <h3>apache tomcat
|
||||
|
||||
- type: word
|
||||
name: apache-unomi
|
||||
words:
|
||||
|
|
|
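Review bot: removing these `apache-tomcat` word matchers from tech-detect deduplicates against `tomcat-detect`, but two of the dropped fingerprints, `href="tomcat.css` and `this is the default tomcat home page`, are not carried over literally into the new `tomcat-detect` dsl list (which checks `apache tomcat`, `/manager/html` and `/manager/status`); either add them there or accept the small loss of coverage. The others removed here (`<h3>Apache Tomcat/`, `<title>Apache Tomcat/`, `<h3>apache tomcat` and the manager paths) are covered by the case-insensitive body checks.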
@ -2951,12 +2951,6 @@ requests:
|
|||
- "Microsoft-HTTPAPI"
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
name: tomcat
|
||||
words:
|
||||
- "Tomcat"
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
name: darkhttpd
|
||||
words:
|
||||
|
|
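Review bot: the removed `Tomcat` header matcher is subsumed by `tomcat-detect`'s `contains(tolower(all_headers), "tomcat")` dsl matcher, which is also case-insensitive, so no coverage is lost by dropping it. Fine to remove.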