Broken Access Control

Default Credentials

#Gitlab
root :: 5iveL!fe
admin :: 5iveL!fe

CVE-2007-1860: mod_jk double-decoding

Even if the server does not run a vulnerable version of mod_jk, or does not use mod_jk at all, still try to access webapp/../manager/html and webapp/%252e%252e/manager/html: the same mismatch between what a front-end proxy decodes and what the back-end decodes shows up in other setups.

This vulnerability allows an attacker to reach pages that are otherwise inaccessible by sending crafted requests.

The issue comes from the fact that both the web server (Apache with mod_jk) and the application server (Tomcat) percent-decode the path provided by the client, so the path is decoded twice.

Our goal is to provide a value that, after being decoded twice, ends up as `..`. The issue is similar to a directory traversal: it can be used to reach files and paths that are not available otherwise.

If you send %252e to a vulnerable mod_jk, it performs a first decoding and forwards %2e to Tomcat; Tomcat then performs a second decoding and gets `.`. With %252e%252e you therefore deliver `..` to Tomcat. If you send `..` directly to Apache, it normalises the path itself and will not forward the request to Tomcat unless the resolved path falls under a prefix configured to be forwarded (a JkMount in `mod_jk`).

Depending on how deep the forwarded path is, you may need to apply the double-encoding trick more than once.

Exploitation

  • Identify which paths are forwarded to Tomcat and which are handled by Apache itself (when Apache is acting as a proxy).

  • Use the double-encoding trick on a forwarded path:

    • %252e%252e/manager/html

    • /%252e%252e/%252e%252e/manager/html

  • so that the path resolves to /manager/html after the second decoding and reaches the Tomcat administration interface.

  • When uploading a WAR file, use the same encoding technique on the upload path:

    • /examples/%252e%252e/%252e%252e/manager/html/upload;jsessionid=7DE9D3BF4366D436B21EBB45A07244DF?org.apache.catalina.filters.CSRF_NONCE=11F510711818D7DA11660F57417A993C

  • Access the uploaded file at: url/examples/%252e%252e/uploadedfile/

IDOR [Insecure Direct Object Reference]

  • An IDOR vulnerability exposes an object directly from user-supplied input (an id in a URL or parameter) without checking that the caller is authorised for that object. This allows a malicious user to access resources belonging to other users.

  • Automate discovery with the Burp extension Autorize.

  • User IDs may be encoded or encrypted rather than appearing as plain integers.

  • Sometimes applications use UUIDs instead of sequential user IDs. These are long, unpredictable strings, so check whether other users' UUIDs are leaked elsewhere in the application, e.g. when visiting their profile or profile picture. You may need to read the page source rather than the rendered page.
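An added example for the IDOR bullets above (not code from this page): the vulnerable lookup next to its hardened form, an Autorize-style replay that shows which ids each handler leaks, and a scan of page source for leaked UUIDs. The document store, user names and profile HTML are constructed sample data.

```python
"""IDOR: vulnerable vs hardened object lookup, plus a UUID leak scan.

Added example for this page, not the page's own code. DOCUMENTS and
SAMPLE_PROFILE_HTML are constructed sample data.
"""
import re

# Constructed sample store: object id -> (owner, contents).
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical record"),
}


class NotFound(Exception):
    pass


def get_document_vulnerable(current_user, doc_id):
    """IDOR: the object is looked up purely from the client-supplied id;
    nothing ties it to the authenticated user, so any valid id is served."""
    try:
        return DOCUMENTS[doc_id][1]
    except KeyError:
        raise NotFound(doc_id)


def get_document_safe(current_user, doc_id):
    """Hardened: the lookup is scoped to the caller. A missing object and
    someone else's object both answer the same way (404), so the id space
    cannot be enumerated by telling 403 apart from 404."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None or entry[0] != current_user:
        raise NotFound(doc_id)
    return entry[1]


def try_fetch(handler, current_user, doc_id):
    """Call a handler and return the document, or None when it refuses."""
    try:
        return handler(current_user, doc_id)
    except NotFound:
        return None


def reachable_ids(handler, current_user, candidate_ids):
    """What an Autorize-style replay as `current_user` learns: the candidate
    ids for which the handler returns data."""
    return [i for i in candidate_ids if try_fetch(handler, current_user, i) is not None]


# RFC 4122 textual form (version nibble 1-5, variant nibble 8-b).
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)

# Constructed sample page source: the profile owner's UUID is in a data
# attribute and an avatar URL; a second user's UUID is in a follow link.
SAMPLE_PROFILE_HTML = """<div class="profile" data-user="7f3b0f4c-5a23-4f2e-9b5e-0c1a2d3e4f5a">
<img src="/avatars/7F3B0F4C-5A23-4F2E-9B5E-0C1A2D3E4F5A.png">
<a href="/users/0d9e8c7b-6a5f-4e3d-8c2b-1a0f9e8d7c6b/follow">Follow</a>
</div>"""


def leaked_uuids(html):
    """Distinct UUIDs present in a page body (source, not the rendered view),
    lower-cased so the same id in different casing counts once. These are
    the candidates to try as object references for other users."""
    return sorted(set(m.lower() for m in UUID_RE.findall(html)))


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable, as alice:", reachable_ids(get_document_vulnerable, "alice", ids))
    print("hardened,   as alice:", reachable_ids(get_document_safe, "alice", ids))
    print("UUIDs in page source:", leaked_uuids(SAMPLE_PROFILE_HTML))
```

The hardened handler deliberately returns the same "not found" result for an object that does not exist and for one owned by another user; answering 403 for the latter would confirm which ids are valid and make the id space enumerable even when the contents stay hidden.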
