Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Epuka kukimbia na root

Ili kuepuka kukimbia Tomcat na root, usanidi wa kawaida ni kuweka seva ya Apache kwenye bandari 80/443 na, ikiwa njia iliyotakiwa inalingana na regexp, ombi linaelekezwa kwa Tomcat inayokimbia kwenye bandari tofauti.

Muundo wa Kawaida

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
|   |       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
└── Catalina
└── localhost

• Folda ya bin inahifadhi skripti na binaries zinazohitajika kuanzisha na kuendesha seva ya Tomcat.

• Folda ya conf inahifadhi faili mbalimbali za usanidi zinazotumiwa na Tomcat.

• Faili ya tomcat-users.xml inahifadhi akidi za watumiaji na majukumu yao yaliyotolewa.

• Folda ya lib ina faili mbalimbali za JAR zinazohitajika kwa utendaji sahihi wa Tomcat.

• Folda za logs na temp zinahifadhi faili za log za muda.

• Folda ya webapps ni webroot ya default ya Tomcat na inahifadhi programu zote. Folda ya work inafanya kazi kama cache na inatumika kuhifadhi data wakati wa wakati wa utekelezaji.

Kila folda ndani ya webapps inatarajiwa kuwa na muundo ufuatao.

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
├── jsp
|   └── admin.jsp
└── web.xml
└── lib
|    └── jdbc_drivers.jar
└── classes
└── AdminServlet.class

Faili muhimu zaidi kati ya haya ni WEB-INF/web.xml, ambayo inajulikana kama mwelekeo wa usambazaji. Faili hii inahifadhi habari kuhusu njia zinazotumiwa na programu na madarasa yanayosimamia njia hizi. Madarasa yote yaliyokusanywa yanayotumiwa na programu yanapaswa kuhifadhiwa katika folda ya WEB-INF/classes. Madarasa haya yanaweza kuwa na mantiki muhimu ya biashara pamoja na habari nyeti. Uthibitisho wowote katika faili hizi unaweza kusababisha kuathiriwa kabisa kwa tovuti. Folda ya lib inahifadhi maktaba zinazohitajika na programu hiyo maalum. Folda ya jsp inahifadhi Jakarta Server Pages (JSP), ambayo hapo awali ilijulikana kama JavaServer Pages, ambayo inaweza kulinganishwa na faili za PHP kwenye seva ya Apache.

Hapa kuna mfano wa faili web.xml.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/admin</url-pattern>
</servlet-mapping>
</web-app>

The web.xml configuration above defines a new servlet named AdminServlet that is mapped to the class com.inlanefreight.api.AdminServlet. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be:

• classes/com/inlanefreight/api/AdminServlet.class

Next, a new servlet mapping is created to map requests to /admin with AdminServlet. This configuration will send any request received for /admin to the AdminServlet.class class for processing. The web.xml descriptor holds a lot of habari nyeti and is an important file to check when leveraging a Local File Inclusion (LFI) vulnerability.

tomcat-users

The tomcat-users.xml file is used to kuruhusu or disallow access to the /manager and host-manager admin pages.

<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application.  If you wish to use this app,
you must define such a user - the username and password are arbitrary.

Built-in Tomcat manager roles:
- manager-gui    - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx    - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only

The users below are wrapped in a comment and are therefore ignored. If you
wish to configure one or more of these users for use with the manager web
application, do not forget to remove the <!.. ..> that surrounds them. You
will also need to set the passwords to something appropriate.
-->


<SNIP>

!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />


</tomcat-users>

The file shows us what each of the roles manager-gui, manager-script, manager-jmx, and manager-status provide access to. In this example, we can see that a user tomcat with the password tomcat has the manager-gui role, and a second weak password admin is set for the user account admin

References

• https://academy.hackthebox.com/module/113/section/1090

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord