Original link: http://www.dubby.cn/detail.html?id=9034
This article is for technical sharing only; any actions taken using the techniques described here have nothing to do with this article.
This is one of the vulnerabilities that Tomcat disclosed on 2017.9.19:
Following the description in the announcement, we use the Windows version of Tomcat 7.0.79. After installation succeeds, we need to allow PUT operations in Tomcat, that is, modify /conf/web.xml:
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
The newly added part is:
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>
Then start Tomcat and use Postman to send a PUT request:
Then access http://localhost:8080/helloworld.jsp normally in the browser:
Note: localhost:8080/helloworld.jsp/ can also be replaced with localhost:8080/helloworld.jsp%20, because under Windows a trailing %20 (space) and / are not legal in file names and are removed.
Finally, look in Tomcat's webapps\ROOT directory:
This is the file that was just added. So this is the Tomcat PUT vulnerability; the simplest fix is to upgrade.