Exploiting Tomcat Port 8005 in Combination with SSRF
Posted 2 years ago | Read permission: no login required | Author: 0c0c0f | 3517 views | From: Knowledge Fragments

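Tomcat's port 8005 is used to shut Tomcat down. The server.xml configuration is as follows: <Server port="8005" shutdown="SHUTDOWN">

I wanted to shut it down remotely via telnet, but found that the socket listens only on localhost.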

    /**
     * The port number on which we wait for shutdown commands.
     */
    private int port = 8005;

    /**
     * The address on which we wait for shutdown commands.
     */
    private String address = "localhost";

    // Set up a server socket to wait on
    try {
        awaitSocket = new ServerSocket(port, 1,
                InetAddress.getByName(address));
    } catch (IOException e) {
        log.error("StandardServer.await: create[" + address
                           + ":" + port
                           + "]: ", e);
        return;
    }

I wanted to DoS it by sending a large packet, but the read is limited to a length of 1024 characters.

    // Read a set of characters from the socket
    int expected = 1024; // Cut off to avoid DoS attack
    while (expected < shutdown.length()) {
        if (random == null)
            random = new Random();
        expected += (random.nextInt() % 1024);
    }
    while (expected > 0) {
        int ch = -1;
        try {
            ch = stream.read();
        } catch (IOException e) {
            log.warn("StandardServer.await: read: ", e);
            ch = -1;
        }
        // Control character or EOF (-1) terminates loop
        if (ch < 32 || ch == 127) {
            break;
        }
        command.append((char) ch);
        expected--;
    }

For now, the only option is to use a Java SSRF vulnerability to shut it down (provided the protocol header can be changed).


http://blog.csdn.net/shootyou/article/details/6005685
http://www.jianshu.com/p/1d77a9ceedce?utm_campaign=haruki&utm_content=note&utm_medium=reader_share&utm_source=qq
https://joychou.org/web/javassrf.html

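7 replies

Does it only support the one shutdown command?

The classified protection (等级保护) requirements call for changing the value of the shutdown parameter.

@jmadmin Just the one.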

    /**
     * The shutdown command string we are looking for.
     */
    private String shutdown = "SHUTDOWN";

    // Match against our command string
    boolean match = command.toString().equals(shutdown);
    if (match) {
        log.info(sm.getString("standardServer.shutdownViaPort"));
        break;
    } else
        log.warn("StandardServer.await: Invalid command '"
                + command.toString() + "' received");

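With server.xml configured like this, a remote SHUTDOWN is possible: <Server port="8005" address="192.168.31.102" shutdown="SHUTDOWN">

<Server port="-1" address  Disable this feature, which isn't much use.

So all it can do is shut the server down.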
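
An added example, not part of the thread and not Tomcat's own code: a small Python check that reads the <Server> element of a server.xml and reports the three settings discussed in the replies above (the bind address, the shutdown command string, and port="-1"). The sample XML strings and the function names are constructed for illustration; the defaults used for missing attributes are the ones shown in the source quoted in the post.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs, modelled on the <Server> elements quoted in the thread.
DEFAULT_XML = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
REMOTE_XML = '<Server port="8005" address="192.168.31.102" shutdown="SHUTDOWN"/>'
DISABLED_XML = '<Server port="-1" shutdown="SHUTDOWN"/>'


def is_loopback(address):
    """True if the bind address is localhost or a loopback IP literal."""
    address = address.strip()
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # some other hostname: treat as non-loopback, review by hand


def audit_shutdown_listener(server_xml):
    """Return a list of findings for the <Server> shutdown listener."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    port = root.get("port", "8005").strip()      # default from the quoted source
    address = root.get("address", "localhost")   # default from the quoted source
    command = root.get("shutdown", "SHUTDOWN")
    if port == "-1":
        return []  # listener disabled, nothing to reach
    findings = []
    if not is_loopback(address):
        findings.append(f"shutdown port {port} bound to non-loopback address {address!r}")
    if command == "SHUTDOWN":
        findings.append("shutdown command is the default 'SHUTDOWN'")
    findings.append(f"shutdown listener enabled on port {port}; reachable by "
                    "local processes and by server-side request features")
    return findings


if __name__ == "__main__":
    samples = [("default", DEFAULT_XML), ("remote", REMOTE_XML), ("disabled", DISABLED_XML)]
    for name, xml in samples:
        print(name, audit_shutdown_listener(xml) or "OK")
```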
