Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze Tomcat's PUT upload vulnerability CVE-2017-12615, which is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Recently, there are more and more ApacheTomcat middleware in the project, so. Thinking about doing a clean-up. Summarize and reproduce several important high-risk vulnerabilities of ApacheTomcat middleware. Used to consolidate and update your knowledge base.

First, let's take a look at the following concepts of Tomcat:

Tomcat is an open source lightweight Web application server that we use in our work. Usually used in small and medium-sized systems or small concurrency situations, it is often used in combination with JSP and PHP scripts to parse scripting languages to deploy and build websites and other systems.

Here we sort out several high-risk vulnerabilities of Tomcat into the following:

1. Upload war package with Tomcat backend weak password

2. Upload vulnerability of Tomcat's PUT (CVE-2017-12615)

3. Tomcat deserialization vulnerability (CVE-2016-8735)

4. Weak password vulnerability of JMX service of Tomcat

5. Session manipulation vulnerability of Tomcat sample directory

6. Tomcat local rights raising vulnerability (CVE-2016-1240)

7. Default empty password vulnerability in Tomcat win version (CVE-2009-3548)

Then, after the weak password uploads the war package getsehll (the Tomcat backend weak password upload war package loophole is repeated), let's take a look at the second getshell of the upload vulnerability of the put method.

Vulnerability details:

It can be seen that the CVE-2017-12615 vulnerability of Tomcat was officially exposed in 17 years. This refers to a remote code execution vulnerability caused by the Put method with http enabled in the ApacheTomcat service component that can be exploited by attackers to arbitrarily upload jsp Trojans. The version affected by this vulnerability is from ApacheTomcat7.0.0-7.0.79

Environment required for vulnerabilities:

Tomcat7.0.79 (enable Put method)

JDK1.8.0

I saw a friend left a message saying that I could not find the reproduction environment package of tomcat. Write down my method here.

Search for "tomcat indexof" directly in the search engine to retrieve tomcat's official file image site and download it. Other similar struts and other resources are also searched in the same way. All in all, is to make good use of googlehack syntax.

After downloading the environment package and building it, we can start to recreate it.

It is emphasized here that the windows environment downloads the source code in the bin directory, while the Linux environment downloads it in the src source directory file. If you need to build and run multiple versions of tomcat at the same time, you need to change the three default ports in tomcat/conf/server.xml.

1. Line 22:

[code]

[/ code]

8005 is the port on which tomcat remotely stops service.

2. Lines 71-73:

[code]

[/ code]

8080 is the HTTP protocol port for Tomcat services, and 8443 is the HTTPS port

3. Line 93:

[code]

[/ code]

8009 is the AJP port for Tomcat services.

If you are running multiple versions of the tomcat service, you need to modify the three ports for each version. Modify 8005 and 8080amp 8443 and 8099 to other unoccupied ports. And different versions of Tomcat require different JDK to run.

After building it, we need to set it up to enable the Put method in the HTTP request. Set the readonly initialization parameter from the default value to false in the conf/web.xml file. The Put method can be opened successfully.

From the comments above, we can see that the upload (PUT) and delete (DELETE) methods in http requests are disabled by default. Here we add this line to him in the configuration file. Open his PUT method.

[CODE]

Readonly

False

[/ CODE]

After the configuration is completed, you can restart the tomcat service to subcontract and upload Trojans using the PUT method. Let's test it first:

Uploaded successfully. And then it goes without saying.

Of course, for convenience. In general, we use EXP directly for quick use. Post the EXP download address of Master Bearcat's CVE-2017-12615 here. Https://github.com/iBearcat/CVE-2017-12615

Repair scheme:

1. Configure the readonly and VirtualDirContext values to be True or comment parameters, disable the use of the PUT method and restart tomcat

Note: if you disable the PUT method, it may cause business failure for applications that rely on the PUT method.

2. Upgrade the latest version according to the official patch

The above content is how to analyze the upload vulnerability CVE-2017-12615 of Tomcat's PUT. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.