Vulnerability introduction
This vulnerability is an arbitrary file write through the HTTP PUT method in the Apache Tomcat server, which allows an attacker to upload a webshell and take control of the server.
The vulnerability, CVE-2017-12615, was officially disclosed and fixed by Apache on September 19, 2017. In the conf/web.xml file, the readonly parameter of the default servlet defaults to true. When it is set to false, files can be created and deleted through PUT/DELETE, but uploading files with the jsp suffix is restricted.
Some technical details of exploiting this Tomcat vulnerability:
- Use %20 to bypass: replace the space in the file name with %20 to achieve the bypass.
- Add / after the jsp suffix: because / is illegal in file names, it is automatically removed on both Windows and Linux systems. For example, to upload a file named 111.jsp, use 111.jsp/ as the file name.
- Use a Windows NTFS stream: add ::$DATA after the jsp suffix so that the file is written through the Windows NTFS data stream.
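As an added example (not part of the original article), a small Python check that scans Tomcat access log lines for PUT/DELETE requests whose URL-decoded path names a .jsp file through any of the suffix variants listed above; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in Tomcat's common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2017:10:00:01 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 -
10.0.0.5 - - [19/Sep/2017:10:00:02 +0000] "PUT /shell.jsp%20 HTTP/1.1" 201 -
10.0.0.5 - - [19/Sep/2017:10:00:03 +0000] "PUT /shell.jsp::$DATA HTTP/1.1" 201 -
10.0.0.9 - - [19/Sep/2017:10:00:04 +0000] "PUT /notes.txt HTTP/1.1" 201 -
10.0.0.9 - - [19/Sep/2017:10:00:05 +0000] "GET /index.jsp HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def jsp_variant(decoded_path):
    """Return how a decoded request path names a JSP file, or None if it does not.

    Recognised variants: a plain .jsp name, a trailing '/', a trailing space
    (from %20) and the NTFS alternate data stream suffix '::$DATA'.
    """
    for suffix, label in (('/', 'trailing-slash'), ('::$DATA', 'ntfs-stream')):
        if decoded_path.endswith(suffix):
            base = decoded_path[: -len(suffix)]
            return label if base.lower().endswith('.jsp') else None
    if decoded_path != decoded_path.rstrip():
        return 'trailing-space' if decoded_path.rstrip().lower().endswith('.jsp') else None
    return 'plain' if decoded_path.lower().endswith('.jsp') else None


def find_suspicious_puts(log_text):
    """Return (ip, raw_path, variant) for PUT/DELETE requests aimed at a JSP name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('PUT', 'DELETE'):
            continue
        # Drop any query string, then decode so %20 becomes a literal space.
        decoded = unquote(m['path'].split('?', 1)[0])
        variant = jsp_variant(decoded)
        if variant:
            findings.append((m['ip'], m['path'], variant))
    return findings


if __name__ == '__main__':
    for ip, path, variant in find_suspicious_puts(SAMPLE_LOG):
        print(f'{ip} PUT {path} -> {variant}')
```

Because the check runs on the decoded path, it also catches the %20 variant that a plain string match on ".jsp" at end of path would miss.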