-
-
[原创][POC编写]Apache Tomcat样例目录session操纵漏洞
-
发表于: 2021-1-11 16:28
-
Apache Tomcat默认安装包含examples目录,里面存着众多的样例,其中session样例(目标/examples/servlets/servlet/SessionExample)允许用户对session进行操纵,因为session是全局通用的,所以用户可以通过操纵session获取管理员权限。
注意:此漏洞常用于安服项目漏洞提交,实战很少应用
地址:/examples/servlets/servlet/SessionExample
标题:Apache Tomcat信息:Value of Session Attribute:信息:Name of Session Attribute:地址:/examples/servlets/servlet/SessionExample
标题:Apache Tomcat信息:Value of Session Attribute:信息:Name of Session Attribute:goby安装目录\golib\exploits\user\English_name.jsongoby安装目录\golib\exploits\user\English_name.json{ "type": "item",
"variable": "$body",
"operation": "contains",
"value": "Value of Session Attribute:",
"bz": ""
}{ "type": "item",
"variable": "$body",
"operation": "contains",
"value": "Value of Session Attribute:",
"bz": ""
}|
1
2
3
4
|
地址:/examples/servlets/servlet/SessionExample
标题:Apache Tomcat信息:Value of Session Attribute:信息:Name of Session Attribute: |
1 |
goby安装目录\golib\exploits\user\English_name.json |
|
1
2
3
4
5
6
7
|
{ "type": "item",
"variable": "$body",
"operation": "contains",
"value": "Value of Session Attribute:",
"bz": ""
} |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2021-1-13 00:03
被梦幻的彼岸编辑
,原因:
|
|
|---|---|
