2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to reproduce the Tomcat remote code execution vulnerability CVE-2017-12615.
I. Introduction to CVE-2017-12615
If the default servlet is configured, all versions of Tomcat prior to 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems: CVE-2017-12615. The precondition is that the default servlet is configured with the readonly parameter set to false, or that the WebDAV servlet is enabled with the readonly parameter set to false. This configuration allows any unauthenticated user to upload files (as used in WebDAV). As long as a JSP can be uploaded, it can be executed on the server. Under certain conditions, attackers can take advantage of these two vulnerabilities to obtain the source code of JSP files on the user's server, or upload malicious JSP files to the user's server through carefully constructed requests. Through the uploaded JSP files, arbitrary code can be executed on the server, resulting in data disclosure or the attacker obtaining server privileges, which is a high security risk.
Screenshot of modifying parameter values in tomcatxxx/conf/web.xml:
II. Vulnerability reproduction
This time, I use docker + vulhub to build the vulnerable environment. The steps to build vulhub on CentOS 7 are as follows:
1. Install the docker dependency packages: yum install -y yum-utils device-mapper-persistent-data lvm2
2. Install docker: yum install docker
3. Start docker: systemctl start docker
4. Download vulhub: https://github.com/vulhub/vulhub/archive/master.zip
5. Find the CVE-2017-12615 directory and enter it.
6. Launch the vulnerable environment. The vulhub environment is already configured, so there is no need to modify the configuration file manually. Launch command: docker-compose up -d
7. View the startup status of the service.
8. In the test environment, stop the firewall: systemctl stop firewalld.service (or iptables.service)
9. Use a browser to access the local machine's ip:8080. The following interface indicates that the environment has been built successfully.
10. If you are not sure whether the vulnerable environment was built successfully, you can scan it with a scanner.
11. Use burpsuite to capture the request.
12. Modify the request to upload the Trojan (change GET to PUT, change the file name, and upload a Trojan written by an expert). The PUT path should be terminated with "/". If the write succeeds, the server returns 201 or 200. If 404 is returned, the "/" was not written.
13. Verify that the Trojan works. Access the upload path and append the command: ip:8080/shell.jsp?&pwd=023&cmd=whoami. The result is as follows, indicating a successful upload.
The above is how to reproduce the Tomcat remote code execution vulnerability CVE-2017-12615. It covers some knowledge points that you may see or use in daily work.