Solving CVE-2007-1860: mod_jk double-decoding

This exercise covers the exploitation of CVE-2007-1860. This vulnerability allows an attacker to gain access to inaccessible pages using crafted requests. This is a common trick that a lot of testers miss.

PTLAB

Free

Tier

PTLAB

Medium

PTLAB

1-2 Hrs.

PTLAB

5636

PTLAB

White Badge

Common Mistakes:

Make sure you replace the full netcat command with the score command followed by your UUID: /usr/local/bin/score ....
Tomcat 7 introduces an anti-bruteforce. If none of the default passwords work, try to wait 5 minutes
If you name your jsp something different than index.jsp. Make sure you add the filename to the URL. For example, shell.jsp in webshell.war: ../webshell/shell.jsp

Online access to this exercise is only available with PentesterLab PRO