Tomcat UTF-8 Directory Traversal Vulnerability
Description
This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually occurs within Java and not Tomcat; the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.
Author(s)
- aushack <patrick@osisecurity.com.au>
- guerrino <ruggine> di massa
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
...actions...
msf auxiliary(tomcat_utf8_traversal) > set ACTION < action-name >
msf auxiliary(tomcat_utf8_traversal) > show options
...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security