Vulnerability reproduction - Tomcat arbitrary file upload vulnerability (CVE-2017-12615)

Vulnerability principle

When the default servlet in Tomcat's configuration file web.xml is configured with readonly = false, an arbitrary file upload vulnerability results.

The readonly parameter defaults to true, which forbids DELETE and PUT operations, so a PUT or DELETE sent by XMLHttpRequest (or any other client) is answered with an HTTP 403 error. Very often, however, this property is set to false in order to support REST services. Note that the CVE advisory itself covers Tomcat 7.0.0 to 7.0.79 on Windows, but the root cause, a writable DefaultServlet, exists wherever readonly is set to false; the environment below exercises it on Tomcat 8.5.19.


Reproduction environment

The vulhub range, running in Docker on Ubuntu 16.04, makes the vulnerability easy to reproduce.

jdk version 1.7

Tomcat version 8.5.19


Reproduction process

1. Go to the vulhub directory tomcat/CVE-2017-12615.

2. Start the Docker container; the Tomcat default page is reachable as normal:

Look inside the container at the readonly setting in web.xml:

3. Capture the request and try to upload a JSP webshell with PUT; it does not succeed, a .jsp file cannot be uploaded directly:

4. Apply the following bypass and upload again (files of other types can be uploaded directly; a JSP is used because it gives code execution):

5. Look inside the Docker container for the uploaded file:

6. Access the file; it executes successfully:

Defense Experiment

Set the readonly parameter back to true, restart Tomcat and send the same PUT request again; the upload is now rejected with a 403:
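As an added example (not code from the original post, from vulhub or from Tomcat), the following Python script covers the two checks that the reproduction steps and the defense experiment rely on: reading the readonly init-param of the default servlet out of web.xml, and building and classifying the PUT request that verifies the setting. The host name target.lab, the probe path /probe.txt and the embedded web.xml are constructed assumptions; the sample mirrors the layout of Tomcat's conf/web.xml but is not copied from any container.

```python
"""
CVE-2017-12615 precondition check: is the DefaultServlet writable?
Added example, not code from the original post, vulhub or Tomcat.
"""
import http.client
import xml.etree.ElementTree as ET


def sample_web_xml(readonly_value):
    """Constructed web.xml fragment (not copied from any container) that mirrors
    the DefaultServlet declaration in Tomcat's conf/web.xml, with the readonly
    init-param set to readonly_value ('false' is the weak setting)."""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>{readonly_value}</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the namespace ElementTree attaches ('{uri}servlet' -> 'servlet');
    conf/web.xml declares a default namespace on <web-app>."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return True if the servlet named 'default' is read-only, False if it is
    writable, or None if this file declares no default servlet at all (a
    webapp's WEB-INF/web.xml then inherits the setting from conf/web.xml)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name = next(((c.text or '').strip() for c in servlet
                     if _local(c.tag) == 'servlet-name'), None)
        if name != 'default':
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            kv = {_local(c.tag): (c.text or '').strip() for c in param}
            if kv.get('param-name') == 'readonly':
                # DefaultServlet reads this with Boolean.parseBoolean: only the
                # string "true" (case-insensitive) keeps the servlet read-only,
                # so "FALSE", "no" or "0" all make it writable.
                return kv.get('param-value', '').lower() == 'true'
        return True  # declared without a readonly param: Tomcat's default is true
    return None


def build_put_request(host, path, body, port=8080):
    """The raw HTTP/1.1 PUT a proxy such as Burp replays when a file is
    'uploaded': a PUT to the target path with the file contents as the body."""
    payload = body.encode()
    head = (f"PUT {path} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode() + payload


def classify_put_status(status):
    """Interpret the status of a probe PUT against the DefaultServlet: 201
    (created) or 204 (existing file overwritten) means the write succeeded,
    i.e. readonly=false; 403 is the refusal described for readonly=true;
    405 means some other layer forbids the method."""
    if status in (201, 204):
        return 'writable'
    if status in (403, 405):
        return 'read-only'
    return 'inconclusive'


def probe_put(host, port, path, body):
    """Send one harmless PUT (a .txt probe, not a webshell) and classify the
    answer. Network call; not exercised offline."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request('PUT', path, body=body.encode(),
                 headers={'Content-Type': 'application/octet-stream'})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, classify_put_status(resp.status)


if __name__ == '__main__':
    for label, value in (('vulnerable', 'false'), ('hardened', 'true')):
        print(label, 'read-only =', default_servlet_readonly(sample_web_xml(value)))
    print(build_put_request('target.lab', '/probe.txt', 'put-check').decode())
```

Run the script as-is to see the parsed setting for both configurations and the exact bytes of the PUT; call probe_put against the lab container to confirm that the hardened configuration answers 403 where the vulnerable one answered 201.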


Origin www.cnblogs.com/sallyzhang/p/12341711.html