CVE-2020-1938 Exploitation Attempt

Detecting the attempt of AJP Request Injection

Sigma rule (View on GitHub)

```yaml
title: CVE-2020-1938 Exploitation Attempt
id: 9380a9b6-f58a-4c12-84a2-e6fd6d6f8c9c
status: experimental
description: Detecting the attempt of AJP Request Injection
references:
    - https://www.exploit-db.com/exploits/48143
author: Loginsoft Research Unit
date: 2020/07/13
logsource:
    product: Tomcat
    category: webserver
detection:
    keywords:
        - 'The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid'
    condition: keywords
falsepositives:
  - Unknown
level: critical
```
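The following is an added example, not part of the rule or of the Sigma project. It applies the rule's keyword with Sigma's case-insensitive substring semantics to multi-line Tomcat log records, so that a hit on an exception line is reported with the timestamp of the record it belongs to. The log layout, the `RECORD_START` pattern, and the sample lines are constructed assumptions.

```python
import re

# The keyword from the rule's detection section, copied verbatim.
KEYWORDS = [
    'The AJP Connector is configured with secretRequired="true" but the '
    'secret attribute is either null or "". This combination is not valid',
]

# Assumption: a record starts with a timestamp such as "13-Jul-2020 10:15:32.123";
# any other line (for example a stack trace) continues the previous record.
RECORD_START = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = '''\
13-Jul-2020 10:15:31.870 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
13-Jul-2020 10:15:32.123 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
13-Jul-2020 10:15:32.140 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [412] milliseconds
'''

def records(text):
    """Group continuation lines with the timestamped line that starts the record."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line)
    if current:
        yield "\n".join(current)

def matches(record, keywords=KEYWORDS):
    """Sigma keyword semantics: case-insensitive substring, any keyword hits."""
    folded = record.casefold()
    return any(k.casefold() in folded for k in keywords)

def detect(text):
    """Return the timestamp of every record the rule would flag."""
    return [rec[:24] for rec in records(text) if matches(rec)]

if __name__ == "__main__":
    for timestamp in detect(SAMPLE_LOG):
        print("rule hit in record starting at", timestamp)
```

In this sample the keyword sits on a continuation line without a timestamp, which is why records are grouped before matching.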
