Ahmed Qaramany

Ahmed Qaramany

Security Researcher Working with Passion , Secured SONY,AT&T,Telekom and others

How I got my first CVE-2022-34305 in Apache Tomcat All versions

2 minute read

Hello People I am Ahmed Qaramany. This is my first writeup and year of learning web security too. I am looking forward to more achievements in the future and this writeup related to CVE-2022-34305, which I have discovered in all versions of Apache Tomcat products.

Also , I would like to add that this finding was during my bug hunting time. I was working on a target that had a big program at Hackerone. So we can call the company “Target, Inc.” because I don’t have permission to mention that program since the bug has not been disclosed.

video Proof of Concept : Youtube POC Video

Nuclei Templete to identify default credentials : Nuclei Templete

Recon : I believe that we can get some good results from the recon process and I’m a big fan of doing recon, so I started collecting some juicy domains from Shodan, using this query :

ssl:"Target ,inc"

shodan1

But there is a huge number of IPs with different ports, so let’s add some filters to our query using http.title You can see all the titles by clicking more and adding the filter you want.

shodan2

I was just curious about one of the results which is Apache Tomcat was recently released one day ago on this page you can check the date of each IP from here :

shodan3

So it’s very juicy to put your hands on, so our target now is Apache Tomcat.

shodan4

I came across an IP using the Apache Tomcat default page, and remembered that I read some writeups talks about Tomcat, but nothing works for me in this case , Also spent some time checking every example in this examples directory. Looking for bugs like SSRF , SQL injection , Authentication Bypass ,XSS , etc ..

fourtnatlly Found nothing !

I tried to open the examples directory which is not recommmended to let this  Directories and files public after installing this Product so I came accross a function that you can login to it 

https://domain.com/examples/jsp/security/protected/index.jsp

I tried login using default Creds by searching at google Found :

tomcat : tomcat 
role1 : role1
both : both

Thanks Google , It worked and Bug reported and awarded 750$ , I Have posted about it in my Linkedin as a Tip for The Community  you can find me there @C0NQR0R

inputpoc

There is three inputs that you can write and the input will be reflected. On the page source code , two of them are vulnerable to XSS.

"><img src=d onerror=confirm("POC|@C0NQR0R")>

This a Nuclei Templete you can use it to identify the Default Credentials if you are workin on wild scope then you can Try Real Exploit

We have the alert popup. Now you just need to target the admin and send the vulnerable link to him. We can steal his cookies and also you can login again since you are not authenticated but you know the vulnerable input so you can exploit it easy. We can do A lot more stuff with this Reflected Cross Site Scripting. 

So I reported this issue to the Apache Tomcat team and they were so helpful, handled it in a very good way, fast reply and registered this issue as CVE-2022-34305

Updated:

You may also enjoy

أساسيات الاندرويد

1 minute read

### ازاي بيتم تنظيم التطبيقات في الاندرويد؟ خلينا نبدأ بمعلومة أساسية: الأندرويد في الأصل معمول على نواة اللينكس (Linux Kernel)، واللينكس عبارة نظام تشغ...