## https://sploitus.com/exploit?id=A15C02AB-D113-52F2-B687-FC577053BAAC
# Tomcat Ghostcat (CVE-2020-1938 / CNVD-2020-10487) Vulnerability Detection Tool
## Introduction
This project provides a Python script for detecting local file inclusion vulnerabilities in Apache Tomcat’s AJP protocol, commonly known as Ghostcat (CVE-2020-1938 / CNVD-2020-10487). This script has been completely refactored and fixed based on the original Python 2 version. It is fully compatible with Python 3 environments. It addresses compatibility issues with `StringIO`, `base64` encoding, and the concatenation of binary data with strings, enhancing stability on modern operating systems.
## Vulnerability Mechanism
When Apache Tomcat processes the AJP protocol, port 8009 is enabled by default, and no strict security checks are performed on incoming requests. Attackers can construct malicious AJP requests that inject attributes like `javax.servlet.include.request_uri`, `javax.servlet.include.path_info`, and `javax.servlet.include.servlet_path`. This allows them to:
1. **Local File Inclusion (LFI)**: Exploiting Tomcat’s `DefaultServlet` to read arbitrary files from the Web application directory (e.g., `WEB-INF/web.xml`, configuration files, etc.).
2. **Remote Code Execution (RCE)**: If the target server has file upload vulnerabilities, attackers can upload ordinary files containing malicious JSP code (e.g., txt, png files), then exploit this AJP vulnerability to force the `JspServlet` to compile these files as JSPs, thereby executing remote commands. *Note: This vulnerability only supports local file inclusion (LFI); direct remote file inclusion (RFI) is not supported.*
## Environment Requirements
- Python 3.6+
- Only use the Python standard library; no additional third-party dependencies required.
## Usage
Command-line syntax:
```bash
python CNVD-2020-10487-Tomcat-Ajp-lfi.py [--port] [--file]
```
### Parameter Descriptions:
- `target` (Required): IP address or domain name of the target host.
- `--port` (Optional): AJP port; default is `8009`.
- `--file` (Optional): Relative path to the target file to be read; default is `WEB-INF/web.xml`.
### Example Usage:
1. **Basic Detection** (Reading the default `web.xml`):
```bash
python CNVD-2020-10487-Tomcat-Ajp-lfi.py 127.0.0.1
```
2. **Specifying Port and File** (Reading a custom configuration file):
```bash
python CNVD-2020-10487-Tomcat-Ajp-lfi.py 192.168.1.100 -p 8009 -f WEB-INF/classes/application.properties
```
## Fixes and Defenses
If your system is affected by this vulnerability, it is recommended to take the following protective measures immediately:
1. **Upgrade Tomcat**: Update to the officially released secure version (9.0.31, 8.5.51, 7.0.100 or higher).
2. **Disable AJP Service**: If your business environment does not require AJP-based reverse proxy cluster communication, it is recommended to comment or remove the corresponding configuration in `conf/server.xml`.
3. **Enhance AJP Authentication**: If the AJP service must be enabled, add the `requiredSecret` attribute to the AJP Connector (for versions 8.5.51/9.0.31 and later, set it to `secret`) to enforce authentication.
## Disclaimer
This script is intended only for **network security research, education, and internal compliance audits**. Do not use this script to conduct unauthorized reconnaissance or attacks on targets. Users must comply with local laws and regulations when using this script. Any consequences arising from improper or illegal use are the responsibility of the user.