CVE-2017-12617: Tomcat JSP Upload RCE
Apache Tomcat 8.5.19 – CVE-2017-12617 Exploitation
1) Nmap Scan Report

2) Port 8080 – Apache Tomcat 8.5.19
Visiting the Apache Tomcat service running on port 8080.

3) Directory Scan
Running a directory scan to discover potential subdirectories.

4) Vulnerability Identification – CVE-2017-12617
We see that Apache Tomcat 8.5.19 is affected by CVE-2017-12617, which is exploitable when the default servlet's readonly parameter is set to false, allowing files to be written to the web root with the HTTP PUT method.

5) Metasploit Framework
A ready-made exploit module for this vulnerability is available within Metasploit.

6) Manual Exploitation – JSP Reverse Shell
I preferred to exploit this vulnerability manually by uploading a .jsp reverse shell file via the PUT method.

7) Shell Access
After sending the request, we set up a listener and visit http://172.20.2.57:8080/shell.jsp — successfully obtaining shell access.

8) Configuration Confirmation
We confirm that the readonly parameter — the root cause of the vulnerability — is set to false with the following command:
grep -Ri -A1 '<param-name>readonly</param-name>' /usr/local/tomcat | grep -i '<param-value>false</param-value>' -B1
9) Verification with a Bash Script
We verify our findings with a small Bash script that scans the entire Tomcat directory and surfaces the relevant parameters.
