Apache Tomcat Arbitrary File Upload Vulnerability
Vulnerability Information
Vulnerability name: Apache Tomcat Arbitrary File Upload Vulnerability
Vulnerability ID:
- CVE: CVE-2025-24813
Vulnerability type: File upload
Severity: High
Description: Apache Tomcat is a widely used open-source web server and Servlet container that supports the Java Servlet and JavaServer Pages (JSP) technologies and is commonly used to deploy enterprise web applications. Because of its broad adoption, Tomcat's security is critical to many organizations. This vulnerability (CVE-2025-24813) involves arbitrary file upload via the HTTP PUT method; an attacker can exploit it to upload malicious files to the server, potentially leading to full compromise of the server. The technical root cause lies in Tomcat's improper handling of the HTTP PUT method, which fails to adequately validate and restrict the files users upload. This allows an attacker to upload arbitrary files without authentication, which may in turn lead to remote code execution, disclosure of sensitive information, or disruption of service. Because exploitation can be automated and requires no user interaction, the threat level to affected systems is high.
Vendor: Apache
Product: Apache Tomcat
Source: https://github.com/x00byte/PutScanner
Type: CVE-2025:github search
Repository files
- LICENSE
- README.md
- assets
- putscanner.py
- test_server.py
Source overview
🔍 PUT Directory Scanner
A penetration testing tool that identifies writable web directories via HTTP PUT method, specifically designed to detect CVE-2025-24813 (Arbitrary File Upload in Apache Tomcat).
📌 Features
- Smart Protocol Handling: Auto-detects HTTPS/HTTP with fallback
- Comprehensive Checks: Tests all common Tomcat directories
- Two-Stage Verification: PUT + GET validation to eliminate false positives
- Pentester-Friendly Output: Color-coded results with manual verification commands
- CVE-Focused: Optimized for detecting assets that meet the prerequisites for CVE-2025-24813
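The two-stage PUT + GET check described above leaves a matching trace in the server's own logs. As an added example that is not part of the PutScanner repository, the following Python script applies the same correlation from the defender's side: it parses Tomcat access-log lines in common log format and flags clients whose PUT was accepted (2xx) and then confirmed by a successful GET of the same path. The log lines, client addresses and paths are constructed for illustration.

```python
import re

# Constructed Tomcat access-log lines (common log format); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "PUT /uploads/probe.txt HTTP/1.1" 201 0
10.0.0.5 - - [10/Mar/2025:12:00:02 +0000] "GET /uploads/probe.txt HTTP/1.1" 200 12
10.0.0.5 - - [10/Mar/2025:12:00:03 +0000] "PUT /manager/probe.txt HTTP/1.1" 403 0
10.0.0.7 - - [10/Mar/2025:12:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2025:12:00:05 +0000] "PUT /docs/x.jsp HTTP/1.1" 204 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(log_text):
    """Yield one dict per well-formed access-log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_put_activity(log_text):
    """One finding per PUT, in log order. put_accepted: server answered 2xx;
    confirmed_by_get: the same client later fetched the same path with 200,
    which is the server-side trace of the scanner's PUT + GET two-stage check."""
    findings = []
    pending = {}  # (client, path) -> accepted PUT that a later GET may confirm
    for rec in parse(log_text):
        key = (rec["ip"], rec["path"])
        status = int(rec["status"])
        if rec["method"] == "PUT":
            finding = {"client": rec["ip"], "path": rec["path"],
                       "put_status": status,
                       "put_accepted": 200 <= status < 300,
                       "confirmed_by_get": False}
            findings.append(finding)
            if finding["put_accepted"]:
                pending[key] = finding
        elif rec["method"] == "GET" and status == 200 and key in pending:
            pending.pop(key)["confirmed_by_get"] = True
    return findings

def alerts(findings):
    """Accepted PUTs are the actionable subset: that path is writable by that client."""
    return [f for f in findings if f["put_accepted"]]
```

A rejected PUT (403 in the sample) is still worth keeping as a probing indicator, which is why it stays in the findings list even though it is not an alert.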
🚀 Installation
🛠️ Usage
Basic Scan
Advanced Options
| Flag | Description |
|---|---|
| `-v` | Verbose mode |
| `--ignore-ssl` | Bypass SSL certificate verification |
| `-f targets.txt` | Scan multiple targets from file |
🖥️ Demonstration
🧪 Test Environment Setup
- Start the included test server:
- Run the scanner against it:
Live Test Results
Below is a demonstration of putscanner in use and the different scenarios it can test for.
### 📜 Legal Disclaimer
**WARNING**: This tool is intended for **authorized penetration testing only**.
Unauthorized use against systems without explicit permission is illegal.
### 📄 License
MIT License - See [LICENSE](LICENSE) for full text.