2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How do you perform intrusion detection for exploitation of the Apache Tomcat remote command execution vulnerability? This article analyses the question in detail and walks through an answer, in the hope of giving readers facing the same problem a simple and workable method.
1. Brief introduction to the vulnerability
When Tomcat runs on Windows and the HTTP PUT method is enabled (for example, by changing the readonly initialization parameter from its default to false), an attacker can upload a JSP file containing arbitrary code to the server with a specially crafted request, and the server will then execute the malicious code in that JSP file. This can lead to data on the server being compromised or to the attacker gaining control of the server.
Affected versions
Apache Tomcat 7.0.0-7.0.81
2. Vulnerability analysis
2.1 Environment introduction
Server: Windows 7, IP: 192.168.116.128
Attacker: Kali Linux, IP: 192.168.116.137
Apache Tomcat 7.0.79
2.2 Construction of the experimental environment
2.2.1 Java environment installation
1. Download the JDK installation package from the official website: http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Follow the prompts to install the JDK
3. Configure the Path variable: My Computer -> Properties -> Advanced system settings -> Environment variables -> Path, and add the jdk and jre paths
4. After the configuration succeeds, the result is as shown in the following figure:
2.2.2 Apache Tomcat installation
1. Download address:
Http://www.liangchan.net/soft/download.asp?softid=9366&downid=8&id=9430
2. Follow the step-by-step prompts to install
3. After successful installation, visit http://127.0.0.1:8080
2.2.3 Configure the Apache Tomcat server
1. Open Tomcat7.0\conf\web.xml in the Tomcat installation directory and add the following configuration. In Tomcat 7.0 the default configuration is read-only, so readonly must be manually set to false before the vulnerability can be exploited.
2.3 Vulnerability exploitation
2.3.1 Exploiting the remote command execution vulnerability
1. Upload the constructed shell using the PUT method
Check that test.jsp now exists on the server
There are three ways to construct the upload request:
PUT /test.jsp%20
PUT /test.jsp/
By constructing a special suffix that bypasses Tomcat's check, the JSP shell is uploaded to the server.
2. Use the uploaded shell to execute commands
The attack was successful.
2.3.2 Main attack characteristics
1. HTTP method: PUT
2. Filename suffixes used: .jsp::$DATA, .jsp%20, .jsp/
3. Writing intrusion detection rules
3.1 CVE-2017-12615 intrusion detection rules
# sid values below are local placeholders; assign ids from your own local range
alert tcp any any -> any any (msg:"CVE-2017-12615"; flow:to_server,established; content:"PUT"; nocase; content:".jsp/"; nocase; reference:cve,2017-12615; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"CVE-2017-12615"; flow:to_server,established; content:"PUT"; nocase; content:".jsp::$DATA"; nocase; reference:cve,2017-12615; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"CVE-2017-12615"; flow:to_server,established; content:"PUT"; nocase; content:".jsp%20"; nocase; reference:cve,2017-12615; sid:1000003; rev:1;)
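As an added example that is not part of the original article, the same three bypass signatures checked in Python over constructed sample requests, so the rule logic can be exercised without a sensor. The sample requests, the variant names and the function names are my own; the detector decodes the path once so that %20 is checked the way Tomcat sees it.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP requests (not captured traffic): the three
# bypass suffixes from the article, one benign PUT and one GET.
SAMPLES = [
    b"PUT /test.jsp/ HTTP/1.1\r\nHost: 192.168.116.128:8080\r\n\r\n<% out.println(1); %>",
    b"put /upload/a.JSP%20 HTTP/1.1\r\nHost: 192.168.116.128:8080\r\n\r\n",
    b"PUT /x.jsp::$DATA HTTP/1.1\r\nHost: 192.168.116.128:8080\r\n\r\n",
    b"PUT /notes.txt HTTP/1.1\r\nHost: 192.168.116.128:8080\r\n\r\n",
    b"GET /test.jsp/ HTTP/1.1\r\nHost: 192.168.116.128:8080\r\n\r\n",
]

# Patterns applied to the URL-decoded path: "%20" becomes a literal space,
# so the "trailing-space" pattern covers the .jsp%20 variant. All three are
# case-insensitive, mirroring the "nocase" modifier in the Snort rules.
VARIANTS = {
    "trailing-slash": re.compile(r"\.jsp/$", re.IGNORECASE),
    "trailing-space": re.compile(r"\.jsp $", re.IGNORECASE),
    "ntfs-ads":       re.compile(r"\.jsp::\$DATA$", re.IGNORECASE),
}

def parse_request_line(raw):
    """Return (METHOD, path) from the first request line, or None if malformed."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0].upper(), parts[1]

def detect_cve_2017_12615(raw):
    """Flag a PUT whose decoded path ends in one of the JSP bypass suffixes.

    Returns a dict describing the hit, or None for requests that do not match.
    """
    parsed = parse_request_line(raw)
    if parsed is None or parsed[0] != "PUT":
        return None
    method, path = parsed
    decoded = unquote(path.split("?", 1)[0])   # drop query string, decode once
    for name, pattern in VARIANTS.items():
        if pattern.search(decoded):
            return {"method": method, "path": path, "variant": name}
    return None

def scan(samples):
    """Run the detector over a batch of raw requests and return only the hits."""
    return [hit for hit in (detect_cve_2017_12615(s) for s in samples) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f"ALERT CVE-2017-12615 {hit['method']} {hit['path']} ({hit['variant']})")
```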
4. Verifying the intrusion detection effect
4.1 CVE-2017-12615 intrusion detection verification
Replay the packet capture cve-2017-12615.tcap
That is the answer to the question of how to perform intrusion detection for exploitation of the Apache Tomcat remote command execution vulnerability. I hope the content above is of some help to you. If you still have many unresolved questions, you can follow the industry information channel to learn more.
© 2024 shulou.com SLNews company. All rights reserved.