# CNVD-2020-10487 CVE-2020-1938
# Ghostcat: alert on TCP traffic to destination port 8009 whose payload contains all
# three javax.servlet.include.* request-attribute names (request_uri, path_info,
# servlet_path). "|2e|" is the hex encoding of ".".
#
# Coverage notes:
#  - The port is fixed at 8009 (Tomcat's default AJP connector port); an AJP connector
#    configured on another port is not covered by this rule.
#  - The three content matches carry no distance/within/offset modifiers, so they may
#    appear in any order, and no nocase, so matching is case-sensitive.
#  - There is no flow keyword, so the rule is not limited to established sessions.
#    NOTE(review): consider adding flow:to_server,established to cut noise - confirm
#    against the sensor's stream configuration.
#  - NOTE(review): "tomcat" is not one of the stock classtype names; it has to be
#    defined in the local classification.config or the engine may reject the rule or
#    fall back to a default priority - confirm.
#  - Alerts from internal reverse proxies to 8009 deserve the same triage as external
#    ones: an AJP port reachable by anything other than the intended front end is the
#    underlying exposure.
alert tcp any any -> any 8009 (msg:"CNVD-2020-10487 Ghostcat"; content:"javax|2e|servlet|2e|include|2e|request_uri"; content:"javax|2e|servlet|2e|include|2e|path_info"; content:"javax|2e|servlet|2e|include|2e|servlet_path"; reference:url,www.anquanke.com/post/id/199351; classtype:tomcat; sid:202002211; rev:1;)
module EXPLOIT;
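# Logs segments sent to TCP port 8009 (AJP) that contain all three
# javax.servlet.include.* request-attribute names, the indicator this script
# uses for CVE-2020-1938 (Ghostcat).
#
# Parameters used: c (connection record, source of the endpoints and start
# time), is_orig (true when the packet was sent by the connection originator),
# payload (the packet's TCP payload). flags, seq, ack and len are not used.
#
# Caveats:
#  - tcp_packet is raised for every TCP packet and is one of the most expensive
#    events Zeek offers, so the cheap direction/port test runs before any
#    pattern match.
#  - Matching is per packet: a request whose attribute names are split across
#    segments is not detected here.
#  - The whole payload is written to the log; treat that log as sensitive.
#  - NOTE(review): EXPLOIT::Info and EXPLOIT::LOG are not declared in this
#    script; they are expected to come from the module's export block and
#    Log::create_stream call elsewhere - confirm.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
	{
	# Only originator-to-responder segments are requests to the AJP port. This
	# matches the "-> any 8009" direction of the IDS rule above and avoids
	# running three pattern scans on every response packet.
	if ( ! is_orig || c$id$resp_p != 8009/tcp )
		return;

	if ( /javax\.servlet\.include\.request_uri/ in payload &&
	     /javax\.servlet\.include\.path_info/ in payload &&
	     /javax\.servlet\.include\.servlet_path/ in payload )
		{
		# ts is the connection's start time, not the time of this packet.
		local rec: EXPLOIT::Info = [$ts=c$start_time,
		                            $src_ip=c$id$orig_h,
		                            $src_port=c$id$orig_p,
		                            $dst_ip=c$id$resp_h,
		                            $dst_port=c$id$resp_p,
		                            $vul_payload=payload,
		                            $vul_describe="CVE-2020-1938 Ghostcat",
		                            $vul_refer="https://www.anquanke.com/post/id/199351",
		                            $vul_level="high"];
		Log::write(EXPLOIT::LOG, rec);
		}
	}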