update

Author: gsbp

content/post/[Tomcat]CVE-2025-24813复现.md …nt/post/[Tomcat]CVE-2025-24813复现及原理分析.mdcontent/post/[Tomcat]CVE-2025-24813复现.md renamed to content/post/[Tomcat]CVE-2025-24813复现及原理分析.md content/post/[Tomcat]CVE-2025-24813复现.md renamed to content/post/[Tomcat]CVE-2025-24813复现及原理分析.md

@@ -1,15 +1,15 @@
 +++
 date = '2025-03-12T18:00:00+08:00'
 draft = false
-title = '[Tomcat]CVE-2025-24813复现'
+title = [Tomcat]CVE-2025-24813复现及原理分析'
 author='GSBP'
 categories=["Java安全","CVE"]
 
 +++
 
 ## 前言
 
-出了个通告说Tomcat有个新的cve，于是来尝试复现
+出了个通告说Tomcat有个新的cve，于是来尝试复现分析一下
 
 ## 通报
 

public/categories/cve/index.html

@@ -0,0 +1,177 @@
+
+<!DOCTYPE html>
+<html lang="en-us">
+<head><script src="/livereload.js?mindelay=10&amp;v=2&amp;port=1313&amp;path=livereload" data-no-instant defer></script>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+    <title>CVE | GSBP&#39;s Blog</title>
+    <meta name="description"
+        content="A CTFER &amp;&amp; JavaSecurity Researcher">
+    <link rel="canonical" href="http://localhost:1313/categories/cve/" />
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.4/css/bulma.min.css">
+    
+    <link rel="stylesheet" href="http://localhost:1313/scss/style.min.badf012c7f163854e3d9c3287a1df0863ae1974f62e123bbf1f2948b58ed39cf.css">
+
+    <meta property="og:url" content="http://localhost:1313/categories/cve/">
+  <meta property="og:site_name" content="GSBP&#39;s Blog">
+  <meta property="og:title" content="CVE">
+  <meta property="og:description" content="A CTFER &amp;&amp; JavaSecurity Researcher">
+  <meta property="og:locale" content="en_us">
+  <meta property="og:type" content="website">
+
+    
+  <meta name="twitter:card" content="summary">
+  <meta name="twitter:title" content="CVE">
+  <meta name="twitter:description" content="A CTFER &amp;&amp; JavaSecurity Researcher">
+
+    
+
+</head>
+<body><nav class="navbar is-light" role="navigation">
+    <div class="container">
+        <div class="navbar-brand">
+            <a href="/" title="home" class="navbar-item">
+                <span class="logo">
+                    <h1>GSBP&#39;s Blog</h1>
+                </span>
+            </a>
+
+            
+            <a id="theme-toggle" class="theme-toggle" href="#">
+                <img src="http://localhost:1313/svg/sun.svg" alt="sun icon" class="theme-icon" />
+            </a>
+
+            <a role="button" class="navbar-burger" aria-label="menu" aria-expanded="false">
+                <span aria-hidden="true"></span>
+                <span aria-hidden="true"></span>
+                <span aria-hidden="true"></span>
+            </a>
+        </div>
+
+        <div class="navbar-menu">
+            <div class="navbar-start">
+                
+                <a href="/about" class="navbar-item">About</a>
+                
+                <a href="/post" class="navbar-item">Blog</a>
+                
+                <a href="/categories" class="navbar-item">Categories</a>
+                
+                <a href="/friend" class="navbar-item">Friends</a>
+                
+            </div>
+
+        </div>
+        <div class="search">
+            <div id="fastSearch">
+                <input id="searchInput" tabindex="0" placeholder="Search..">
+                <ul id="searchResults">
+
+                </ul>
+            </div>
+            <a id="search-btn" style="display: inline-block;" href="# ">
+                <div class="icon-search"><svg class="search-svg" xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line></svg></div>
+            </a>
+        </div>
+
+        <script src="/js/fuse.min.js"></script> 
+        <script src="/js/fastsearch.js"></script>
+
+    </div>
+</nav>
+
+<script>
+    
+    document.addEventListener('DOMContentLoaded', function() {
+        var burger = document.querySelector('.navbar-burger');
+        burger.addEventListener('click', function() {
+            burger.classList.toggle('is-active');
+            document.querySelector('.navbar-menu').classList.toggle('is-active');
+        });
+    });
+
+    
+    function setTheme(theme) {
+        let body = document.body;
+        let themeIcon = document.querySelector(".theme-icon");
+        if (theme === "dark") {
+            body.classList.add("dark-mode");
+            themeIcon.src = "http:\/\/localhost:1313\/svg/moon.svg";
+            themeIcon.alt = "moon icon";
+        } else {
+            body.classList.remove("dark-mode");
+            themeIcon.src = "http:\/\/localhost:1313\/svg/sun.svg";
+            themeIcon.alt = "sun icon";
+        }
+        
+        localStorage.setItem("theme", theme);
+    }
+
+    
+    let theme = localStorage.getItem("theme") || "light";
+    const isDarkMode = window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches;
+    if (isDarkMode) {
+        
+        setTheme('dark');
+
+    } else {
+        
+        setTheme('light');
+    }
+    setTheme(theme);
+
+    
+    document.getElementById("theme-toggle").addEventListener("click", function() {
+        if (theme === "light") {
+            theme = "dark";
+        } else {
+            theme = "light";
+        }
+        setTheme(theme);
+    });
+
+
+
+</script>
+
+</header><main>
+<div class="container">
+    <div class="section">
+        <h2 class="archive-title">Category: CVE</h2>
+</div>
+</div>
+<div class="each-category column is-centered">
+
+
+    
+
+        <article class="archive-item">
+            <a href="http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0/" class="archive-item-link hover-underline-animation">[Tomcat]CVE-2025-24813复现</a>
+            <span class="archive-item-date">
+                March 12, 2025
+            </span>
+
+        </article>
+
+    
+
+</div>
+
+        </main><footer class="footer">
+    <div class="content has-text-centered">
+    <span>&copy; 2025 <a href="http://localhost:1313/">GSBP&#39;s Blog</a></span>
+    
+    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"></script>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/fancyapps/[email protected]/dist/jquery.fancybox.min.css" />
+    <script src="https://cdn.jsdelivr.net/gh/fancyapps/[email protected]/dist/jquery.fancybox.min.js"></script>
+    
+    <span>
+        Powered by
+        <a href="https://gohugo.io/" target="_blank">Hugo</a> &
+        <a href="https://github.com/hotjuicew/hugo-JuiceBar" target="_blank">JuiceBar</a>
+    </span>
+    </div>
+  </footer>
+</body>
+</html>
+

public/categories/cve/index.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>CVE on GSBP&#39;s Blog</title>
+    <link>http://localhost:1313/categories/cve/</link>
+    <description>Recent content in CVE on GSBP&#39;s Blog</description>
+    <generator>Hugo</generator>
+    <language>en-us</language>
+    <lastBuildDate>Wed, 12 Mar 2025 18:00:00 +0800</lastBuildDate>
+    <atom:link href="http://localhost:1313/categories/cve/index.xml" rel="self" type="application/rss+xml" />
+    <item>
+      <title>[Tomcat]CVE-2025-24813复现</title>
+      <link>http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0/</link>
+      <pubDate>Wed, 12 Mar 2025 18:00:00 +0800</pubDate>
+      <guid>http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0/</guid>
+      <description>&lt;h2 id=&#34;前言&#34;&gt;前言&lt;/h2&gt;&#xA;&lt;p&gt;出了个通告说Tomcat有个新的cve，于是来尝试复现&lt;/p&gt;&#xA;&lt;h2 id=&#34;通报&#34;&gt;通报&lt;/h2&gt;&#xA;&lt;p&gt;关于漏洞的通报细节如下&lt;/p&gt;&#xA;&lt;p&gt;&#xA;&lt;div class=&#34;post-img-view&#34;&gt;&#xA;&lt;a data-fancybox=&#34;gallery&#34; href=&#34;https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250312143659450.png&#34;&gt;&#xA;&lt;img src=&#34;https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250312143659450.png&#34; alt=&#34;image-20250312143659450&#34;  /&gt;&#xA;&lt;/a&gt;&#xA;&lt;/div&gt;&#xA;&#xA;&lt;/p&gt;&#xA;&lt;p&gt;一看又是DefaultServlet的put方法上出的洞，这里漏洞利用有两种形式，一个是信息泄漏和篡改，还有一个是反序列化RCE，而且要求的前置项有点多，这里简单列出来&lt;/p&gt;&#xA;&lt;h3 id=&#34;信息泄漏篡改&#34;&gt;信息泄漏/篡改&lt;/h3&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;&#xA;&lt;p&gt;ReadOnly为false&lt;/p&gt;&#xA;&lt;/li&gt;&#xA;&lt;li&gt;&#xA;&lt;p&gt;支持partial PUT方法&lt;/p&gt;&#xA;&lt;/li&gt;&#xA;&lt;li&gt;&#xA;&lt;p&gt;攻击者知道敏感文件的名称&lt;/p&gt;&#xA;&lt;/li&gt;&#xA;&lt;li&gt;&#xA;&lt;p&gt;安全敏感文件的上传目标 URL 是公开上传目标 URL 的子目录（？这个看不懂，也不知道啥意思）&lt;/p&gt;&#xA;&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h3 id=&#34;反序列化rce&#34;&gt;反序列化RCE&lt;/h3&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;ReadOnly为false&lt;/li&gt;&#xA;&lt;li&gt;支持partial PUT方法&lt;/li&gt;&#xA;&lt;li&gt;服务开启以文件为存储形式的持久化链接，并且采用默认位置&lt;/li&gt;&#xA;&lt;li&gt;有能够引起反序列化漏洞的依赖&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;环境搭建&#34;&gt;环境搭建&lt;/h2&gt;&#xA;&lt;p&gt;我参考的这篇文章搭建的环境&lt;/p&gt;&#xA;&lt;p&gt;&lt;a href=&#34;https://juejin.cn/post/7331544684290228250&#34;&gt;https://juejin.cn/post/7331544684290228250&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;接下来修改readonly&lt;/p&gt;&#xA;&lt;p&gt;&lt;code&gt;tomcat目录/conf/web.xml&lt;/code&gt;&lt;/p&gt;&#xA;&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;    &amp;lt;servlet&amp;gt;&#xD;&#xA;        &amp;lt;servlet-name&amp;gt;default&amp;lt;/servlet-name&amp;gt;&#xD;&#xA;        &amp;lt;servlet-class&amp;gt;org.apache.catalina.servlets.DefaultServlet&amp;lt;/servlet-class&amp;gt;&#xD;&#xA;        &amp;lt;init-param&amp;gt;&#xD;&#xA;            &amp;lt;param-name&amp;gt;debug&amp;lt;/param-name&amp;gt;&#xD;&#xA;            &amp;lt;param-value&amp;gt;0&amp;lt;/param-value&amp;gt;&#xD;&#xA;        &amp;lt;/init-param&amp;gt;&#xD;&#xA;        &amp;lt;init-param&amp;gt;&#xD;&#xA;            &amp;lt;param-name&amp;gt;listings&amp;lt;/param-name&amp;gt;&#xD;&#xA;            &amp;lt;param-value&amp;gt;false&amp;lt;/param-value&amp;gt;&#xD;&#xA;        &amp;lt;/init-param&amp;gt;&#xD;&#xA;      &amp;lt;init-param&amp;gt;&#xD;&#xA;        &amp;lt;param-name&amp;gt;readonly&amp;lt;/param-name&amp;gt;&#xD;&#xA;        &amp;lt;param-value&amp;gt;false&amp;lt;/param-value&amp;gt;&#xD;&#xA;      &amp;lt;/init-param&amp;gt;&#xD;&#xA;        &amp;lt;load-on-startup&amp;gt;1&amp;lt;/load-on-startup&amp;gt;&#xD;&#xA;    &amp;lt;/servlet&amp;gt;&#xA;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;开启持久化链接文件模式&lt;/p&gt;&#xA;&lt;p&gt;&lt;code&gt;tomcat目录/conf/context.xml&lt;/code&gt;&lt;/p&gt;&#xA;&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;&amp;lt;?xml version=&amp;#34;1.0&amp;#34; encoding=&amp;#34;UTF-8&amp;#34;?&amp;gt;&#xD;&#xA;&amp;lt;!--&#xD;&#xA;  Licensed to the Apache Software Foundation (ASF) under one or more&#xD;&#xA;  contributor license agreements.  See the NOTICE file distributed with&#xD;&#xA;  this work for additional information regarding copyright ownership.&#xD;&#xA;  The ASF licenses this file to You under the Apache License, Version 2.0&#xD;&#xA;  (the &amp;#34;License&amp;#34;); you may not use this file except in compliance with&#xD;&#xA;  the License.  You may obtain a copy of the License at&#xD;&#xA;&#xD;&#xA;      http://www.apache.org/licenses/LICENSE-2.0&#xD;&#xA;&#xD;&#xA;  Unless required by applicable law or agreed to in writing, software&#xD;&#xA;  distributed under the License is distributed on an &amp;#34;AS IS&amp;#34; BASIS,&#xD;&#xA;  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.&#xD;&#xA;  See the License for the specific language governing permissions and&#xD;&#xA;  limitations under the License.&#xD;&#xA;--&amp;gt;&#xD;&#xA;&amp;lt;!-- The contents of this file will be loaded for each web application --&amp;gt;&#xD;&#xA;&amp;lt;Context&amp;gt;&#xD;&#xA;&#xD;&#xA;    &amp;lt;!-- Default set of monitored resources. If one of these changes, the    --&amp;gt;&#xD;&#xA;    &amp;lt;!-- web application will be reloaded.                                   --&amp;gt;&#xD;&#xA;    &amp;lt;WatchedResource&amp;gt;WEB-INF/web.xml&amp;lt;/WatchedResource&amp;gt;&#xD;&#xA;    &amp;lt;WatchedResource&amp;gt;WEB-INF/tomcat-web.xml&amp;lt;/WatchedResource&amp;gt;&#xD;&#xA;    &amp;lt;WatchedResource&amp;gt;${catalina.base}/conf/web.xml&amp;lt;/WatchedResource&amp;gt;&#xD;&#xA;&#xD;&#xA;    &amp;lt;!-- Uncomment this to disable session persistence across Tomcat restarts --&amp;gt;&#xD;&#xA;    &amp;lt;!--&#xD;&#xA;    &amp;lt;Manager pathname=&amp;#34;&amp;#34; /&amp;gt;&#xD;&#xA;    --&amp;gt;&#xD;&#xA;  &amp;lt;Manager className=&amp;#34;org.apache.catalina.session.PersistentManager&amp;#34;&#xD;&#xA;           debug=&amp;#34;0&amp;#34;&#xD;&#xA;           saveOnRestart=&amp;#34;false&amp;#34;&#xD;&#xA;           maxActiveSession=&amp;#34;-1&amp;#34;&#xD;&#xA;           minIdleSwap=&amp;#34;-1&amp;#34;&#xD;&#xA;           maxIdleSwap=&amp;#34;-1&amp;#34;&#xD;&#xA;           maxIdleBackup=&amp;#34;-1&amp;#34;&amp;gt;&#xD;&#xA;    &amp;lt;Store className=&amp;#34;org.apache.catalina.session.FileStore&amp;#34; directory=&amp;#34;&amp;#34;/&amp;gt;&#xD;&#xA;  &amp;lt;/Manager&amp;gt;&#xD;&#xA;&amp;lt;/Context&amp;gt;&#xA;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;往pom.xml下塞入CC依赖&lt;/p&gt;</description>
+    </item>
+  </channel>
+</rss>

public/categories/cve/page/1/index.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en-us">
+  <head>
+    <title>http://localhost:1313/categories/cve/</title>
+    <link rel="canonical" href="http://localhost:1313/categories/cve/">
+    <meta name="robots" content="noindex">
+    <meta charset="utf-8">
+    <meta http-equiv="refresh" content="0; url=http://localhost:1313/categories/cve/">
+  </head>
+</html>

public/categories/index.html

@@ -147,6 +147,22 @@ <h1>Categories</h1>
 <section class="card-container" >
 
 
+        <div class="card">
+            
+                    <a href="http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/">
+                    </a>
+                <div class="card-content has-text-centered">
+                    <div>
+                        <a class="title is-5 is-size-6-mobile" href="http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/">Java安全</a>
+                        
+                        <strong>
+                        <sup style="font-size:16px;">3</sup>
+                        </strong>
+                    </div>
+                </div>
+           
+        </div>
+        
         <div class="card">
 
                     <a href="http://localhost:1313/categories/wp/">
@@ -165,14 +181,14 @@ <h1>Categories</h1>
 
         <div class="card">
 
-                    <a href="http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/">
+                    <a href="http://localhost:1313/categories/cve/">
                     </a>
                 <div class="card-content has-text-centered">
                     <div>
-                        <a class="title is-5 is-size-6-mobile" href="http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/">Java安全</a>
+                        <a class="title is-5 is-size-6-mobile" href="http://localhost:1313/categories/cve/">CVE</a>
 
                         <strong>
-                        <sup style="font-size:16px;">2</sup>
+                        <sup style="font-size:16px;">1</sup>
                         </strong>
                     </div>
                 </div>

public/categories/index.xml

@@ -6,21 +6,28 @@
     <description>Recent content in Categories on GSBP&#39;s Blog</description>
     <generator>Hugo</generator>
     <language>en-us</language>
-    <lastBuildDate>Tue, 11 Feb 2025 23:00:00 +0800</lastBuildDate>
+    <lastBuildDate>Wed, 12 Mar 2025 18:00:00 +0800</lastBuildDate>
     <atom:link href="http://localhost:1313/categories/index.xml" rel="self" type="application/rss+xml" />
     <item>
-      <title>WP</title>
-      <link>http://localhost:1313/categories/wp/</link>
-      <pubDate>Tue, 11 Feb 2025 23:00:00 +0800</pubDate>
-      <guid>http://localhost:1313/categories/wp/</guid>
+      <title>CVE</title>
+      <link>http://localhost:1313/categories/cve/</link>
+      <pubDate>Wed, 12 Mar 2025 18:00:00 +0800</pubDate>
+      <guid>http://localhost:1313/categories/cve/</guid>
       <description></description>
     </item>
     <item>
       <title>Java安全</title>
       <link>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</link>
-      <pubDate>Thu, 23 Jan 2025 23:33:31 +0800</pubDate>
+      <pubDate>Wed, 12 Mar 2025 18:00:00 +0800</pubDate>
       <guid>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</guid>
       <description></description>
     </item>
+    <item>
+      <title>WP</title>
+      <link>http://localhost:1313/categories/wp/</link>
+      <pubDate>Tue, 11 Feb 2025 23:00:00 +0800</pubDate>
+      <guid>http://localhost:1313/categories/wp/</guid>
+      <description></description>
+    </item>
   </channel>
 </rss>

public/categories/java安全/index.html

@@ -145,6 +145,16 @@ <h2 class="archive-title">Category: Java安全</h2>
 
 
 
+        <article class="archive-item">
+            <a href="http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0/" class="archive-item-link hover-underline-animation">[Tomcat]CVE-2025-24813复现</a>
+            <span class="archive-item-date">
+                March 12, 2025
+            </span>
+
+        </article>
+
+    
+
         <article class="archive-item">
             <a href="http://localhost:1313/post/springaop/" class="archive-item-link hover-underline-animation">SpringAOP链学习</a>
             <span class="archive-item-date">