Penetration Testing mailing list archives

Re: Apache Tomcat penetration test


From: email-fulldisclosure () hotmail com
Date: 5 Dec 2006 12:46:26 -0000

Sorry for the late reply. One possible interpretation, which I believe is right...

It looks like web.AjaxService.goGet implements a method at AjaxService.java line 80 which is vulnerable to Code Injection vulnerabilities (subtype: Dynamic Evaluation Vulnerabilities);

http://en.wikipedia.org/wiki/Code_injection
http://www.owasp.org/index.php/Direct_Dynamic_Code_Evaluation_('Eval_Injection')

It is uncommon to see these vulnerabilities in Java apps, but it is possible using java.lang.Class.getMethod and some other ways.

Basically it seems like a broken Web 2.0 app - the browser defines which code the server should execute.

It is definitely interesting to see what URI manipulation of this script would yield; are you able to control: class name? method name? parameters? type of parameters?

It might be very limited (not exploitable) or you may have full control over the server, being able to do things such 
as start local shell commands etc.

I suspect you may experience problems changing "partners.service.PartnersService.getLink" into some more useful class method, since a parameter list of (javax.servlet.http.HttpServletRequest) is hard to find in any easily exploitable code deployed on the server. Basically insecure but hard to exploit in the real world. If you somehow can get away from this typing, you could start doing things like calling java.lang.System.exit() etc etc. Look for static methods in the Java API, and see if you can manage to call them without hitting parameter type errors. It's a long shot!

Good luck!
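The pattern the reply describes (client-supplied class and method names resolved with java.lang.Class.getMethod) next to the fix a defender would apply, as an added example that is not part of the list post and not the real AjaxService or PartnersService code. The servlet request is replaced by a plain Map of parameters so it runs outside a container; the class name ReflectiveDispatch, the stand-in PartnersService.getLink(String) and the operation key "partners.getLink" are all assumptions made for the example.

```java
import java.lang.reflect.Method;
import java.util.Map;

// Added example, not code from the list post or the application it discusses.
// The servlet request is simulated with a Map<String,String> (assumption) so
// the example runs outside a container.
public class ReflectiveDispatch {

    // Stand-in for a handler class an application might expose (assumption).
    public static class PartnersService {
        public static String getLink(String partnerId) {
            return "https://partner.example/" + partnerId; // constructed value
        }
    }

    // INSECURE: the browser decides which class and method run on the server.
    // Class.forName + getMethod will resolve any public method on any loadable
    // class; the only thing limiting the caller is whether the parameter list
    // matches, which is exactly the "long shot" the reply describes.
    static Object dispatchUnsafe(Map<String, String> params) throws Exception {
        Class<?> target = Class.forName(params.get("class"));
        Method m = target.getMethod(params.get("method"), String.class);
        return m.invoke(null, params.get("arg"));
    }

    // HARDENED: the server owns a fixed allowlist of callable entry points,
    // keyed by the public operation name the client may use. Client input is
    // only ever a lookup key; it never reaches Class.forName or getMethod.
    private static final Map<String, Method> ALLOWED;
    static {
        try {
            ALLOWED = Map.of(
                "partners.getLink",
                PartnersService.class.getMethod("getLink", String.class));
        } catch (NoSuchMethodException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    static Object dispatchSafe(Map<String, String> params) throws Exception {
        Method m = ALLOWED.get(params.get("op"));
        if (m == null) {
            // Unknown operation: refused before any reflection happens, which
            // is also the event worth logging for detection.
            throw new IllegalArgumentException("unknown operation");
        }
        return m.invoke(null, params.get("arg"));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> good = Map.of("op", "partners.getLink", "arg", "acme");
        System.out.println(dispatchSafe(good)); // https://partner.example/acme

        // An arbitrary class/method name is not a valid key, so it is rejected
        // without ever being resolved.
        Map<String, String> bad = Map.of("op", "java.lang.System.exit", "arg", "0");
        try {
            dispatchSafe(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the hardened version is that the allowlist is populated at class-load time from names the server's own code chose, so there is no code path in which a request parameter is passed to Class.forName or getMethod; if a deployment needs to tell whether the unsafe pattern is present, grepping for those two calls fed from request parameters is the quickest check.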

