The Apache Tomcat JSP upload bypass vulnerability

There is a JSP upload bypass vulnerability that affects Tomcat 7.x, 8.x, and 9.x and TomEE 1.x and 7.x. The vulnerability involves using a PUT method to upload a JSP file by bypassing the filename filter. A Metasploit module is also available for this exploit. Let's use the module by executing the following command:

use exploit/multi/http/tomcat_jsp_upload_bypass

The following screenshot shows the output of the preceding command:

Setting up the RHOSTS value and executing the module using the run command is shown in the following screenshot:

As you can see in the following screenshot, this Metasploit module first uses the HTTP PUT method to upload a JSP file whose name has a / (forward slash) appended after the .jsp extension. If the Apache Tomcat instance responds with an HTTP 201 (Created) code, the file has been written to the server:

The upload succeeds because of a file upload restriction flaw on the Tomcat server (on specific versions only): the server rejects PUT requests whose filename ends in the .jsp extension, but the check does not account for a trailing forward slash. Appending the slash therefore bypasses the restriction and lets a malicious JSP-based web shell be uploaded. In this case, the payload file is sent to the target server using the PUT method, as can be seen in the following screenshot:

As mentioned previously, in the case of a successful upload, the server will give an HTTP 201 code:

Once the payload file has been uploaded, the Metasploit module requests the same filename for our payload execution:

After a successful payload execution, we'll get a generic shell:
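From the defender's side, the sequence just described leaves a distinctive trace in the Tomcat access log: a PUT of a name ending in .jsp/ that is answered with 201, followed by a GET of the same name without the slash. The script below is an added example, not part of the original text or of the Metasploit module; it parses lines in Tomcat's common access-log format (the sample lines are constructed, not real logs) and correlates the two requests, also reporting any PUT at all that returns 201, since a DefaultServlet that accepts writes is the underlying condition. Field names such as "severity" and "uploaded_by" are my own choices.

```python
import re

# Constructed sample lines in Tomcat's common access-log format (not real logs):
# one ordinary page view, a PUT of "/AbCdEf.jsp/" answered 201, the follow-up
# GET of "/AbCdEf.jsp", an unrelated PUT of a text file, and a PUT that was refused.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [03/Mar/2024:10:16:42 +0000] "PUT /AbCdEf.jsp/ HTTP/1.1" 201 0
10.0.0.9 - - [03/Mar/2024:10:16:43 +0000] "GET /AbCdEf.jsp HTTP/1.1" 200 87
10.0.0.7 - - [03/Mar/2024:10:17:10 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 0
10.0.0.8 - - [03/Mar/2024:10:18:00 +0000] "PUT /x.jsp/ HTTP/1.1" 403 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".jsp" name with a trailing "/" is the bypass shape described in the text.
TRAILING_SLASH_JSP = re.compile(r'^(?P<base>.*\.jsp)/$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def analyze(log_text):
    """Scan access-log text and return a list of findings in log order.

    Severities (my own labels):
      low      - any PUT answered 201: the server is accepting writes at all
      medium   - PUT of "<name>.jsp/" that the server refused (attempt, not success)
      high     - PUT of "<name>.jsp/" answered 201: a JSP was written to disk
      critical - a later GET of "<name>.jsp" answered 200: the uploaded JSP was served
    """
    findings = []
    uploaded = {}  # base path of a successfully written JSP -> client IP that wrote it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PUT":
            m = TRAILING_SLASH_JSP.match(rec["path"])
            if m and rec["status"] == 201:
                uploaded[m.group("base")] = rec["ip"]
                findings.append({"severity": "high", "ip": rec["ip"],
                                 "path": rec["path"], "status": rec["status"]})
            elif m:
                findings.append({"severity": "medium", "ip": rec["ip"],
                                 "path": rec["path"], "status": rec["status"]})
            elif rec["status"] == 201:
                findings.append({"severity": "low", "ip": rec["ip"],
                                 "path": rec["path"], "status": rec["status"]})
        elif rec["method"] == "GET" and rec["path"] in uploaded and rec["status"] == 200:
            findings.append({"severity": "critical", "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"],
                             "uploaded_by": uploaded[rec["path"]]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against a real access log, the "high" and "critical" findings for the same base name are the upload-then-execute pair; a standalone "low" finding on a server that is not meant to accept uploads is worth investigating on its own, because it shows PUT is enabled regardless of whether the JSP bypass has been attempted.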

Exploiting a JSP upload bypass does not necessarily give us a root (privileged) shell. In many cases we will still have to escalate our privileges from a normal user to root.