
Example analysis of the Tomcat background weak password WAR package upload vulnerability

2025-10-27 Update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 05/31 Report

This article walks through an example analysis of the Tomcat background (manager) weak-password WAR package upload vulnerability. It has some reference value, and interested readers are welcome to follow along; I hope you learn something from it.

First, let's look at a few Tomcat concepts:

Tomcat is an open source, lightweight web application server that we use at work. It is usually used for small and medium-sized systems or low-concurrency scenarios, and is often combined with JSP to parse server-side scripts, build websites and other systems.

Here we sort out several high-risk Tomcat vulnerabilities into the following list:

1. Tomcat background weak password WAR package upload

2. Tomcat PUT method upload vulnerability (CVE-2017-12615)

3. Tomcat deserialization vulnerability (CVE-2016-8735)

4. Tomcat JMX server weak password

5. Tomcat examples directory session manipulation vulnerability

6. Tomcat local privilege escalation vulnerability (CVE-2016-1240)

7. Tomcat Windows default null password vulnerability (CVE-2009-3548)

Let's explain the concept of the WAR package here: a WAR package contains all the code of a web project, including the front-end HTML/CSS/JS code and the back-end Java web code. When development is finished, the source code is packaged and handed to the testers; if it is to be released after testing, it is also packaged as a WAR for release. The WAR package can be placed in the webapps or work directory under Tomcat, and when the Tomcat server starts, the WAR package is unpacked and deployed automatically.

First, let's look at the first item, uploading a WAR package via a Tomcat background weak password. Here we use brute-force cracking or weak-password guessing to obtain the Tomcat background login credentials; once the login succeeds, we use the "WAR file to deploy" function of the Tomcat management console.

The automatic WAR deployment function will upload and deploy our Trojan. The experimental environment prepared here is as follows:

JDK 1.8.0

Apache Tomcat 7.0.88 (version 6 would normally be used for the brute-force demonstration, but to cover more of the defensive side I use version 7 here)

I won't go into the installation and configuration of the JDK and Tomcat here; you can look that up yourself. After preparing the environment shown in the following figure, let's start the reproduction.

Here we set up a local proxy on port 8090 to avoid unnecessary conflicts with Tomcat's default local port 8080.

We enter an arbitrary account and password (12345) so that the login request can be captured for brute-forcing.

The account information is transmitted in the Authorization header, base64-encoded.

We take the captured value, decode it, and analyse how the data is transmitted.

It can be concluded that for Tomcat's authentication, the account and password are joined with a colon and then passed base64-encoded. Next, we construct a dictionary for brute-forcing.

Use Burp to capture the packet and send it to the Intruder module for brute-force cracking.

Above we obtained Tomcat's data transfer format, username:password. This is where the Custom iterator payload type of Burp Intruder comes in; the official explanation is that this payload type is divided into 8 positions, and each position can be given a Simple list payload. The payload lists of the positions are then combined by Cartesian product to generate the resulting set.

That gives the final payload list. My understanding is that the Cartesian product from mathematics is used to piece together all possible combinations of payloads. The format is as follows:

Group the Position parameters according to the payload type, for the Tomcat data we want to brute-force: the first position is the username parameter, to which we add the payload dictionary; the second position is the colon; the third is the password field. After the setup is complete, the data field needs to be base64-encoded before brute-forcing. The setup is shown in the following figure:

The above covers brute-forcing Tomcat Basic authentication. Of course, we could also collect matching three-field dictionaries or base64-encoded dictionaries, or use the Tomcat brute-force module in Metasploit, which is more convenient. There are various approaches depending on your needs.

After brute-forcing many times, we find that even the correct username and password in the dictionary keep returning a failed 401 status code. We can find a series of warning messages in Tomcat's background log.

This is because of the lockout mechanism against brute-forcing that Tomcat added after version 6. For convenience of demonstration, let's go and change it first.

In conf/server.xml, set the lockout to failureCount="500" lockOutTime="0" (the failure count and lockout timeout).

This removes the lockout for users with too many failed attempts. After brute-forcing succeeds, we can go to the Tomcat background and deploy our WAR Trojan file to escalate privileges.

The Tomcat background weak password WAR package upload for getshell ends here.
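From the defender's side, the two stages above (a burst of 401s on the manager app, then a successful WAR upload by the same host) are visible in Tomcat's access log. The following detector is an added example, not part of the original article; it parses lines in the default AccessLogValve format and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: a burst of 401s on the manager app from one host
# (Basic-auth guessing), then a successful login and a WAR upload by that host.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [27/Oct/2025:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [27/Oct/2025:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [27/Oct/2025:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [27/Oct/2025:10:15:33 +0000] "GET /manager/html HTTP/1.1" 200 18002
10.0.0.5 - tomcat [27/Oct/2025:10:15:40 +0000] "POST /manager/html/upload HTTP/1.1" 200 18500
192.168.1.20 - admin [27/Oct/2025:10:20:00 +0000] "GET /manager/html HTTP/1.1" 200 18002
"""

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect(log_text, threshold=4, window_s=60):
    """Return (ip, kind, detail) alerts: 'bruteforce' for >= threshold 401s on /manager
    from one ip inside window_s; 'deploy' / 'deploy-after-bruteforce' for WAR uploads."""
    fails, flagged, alerts = defaultdict(list), set(), []
    for line in log_text.splitlines():
        e = parse(line)
        if not e or not e["path"].startswith("/manager"):
            continue
        ip = e["ip"]
        if e["status"] == 401:
            # keep only the failures that fall inside the sliding window
            fails[ip] = [t for t in fails[ip] + [e["ts"]] if (e["ts"] - t).total_seconds() <= window_s]
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(fails[ip])} 401s within {window_s}s"))
        elif e["status"] == 200 and (e["method"] == "PUT" or e["path"].split("?")[0].endswith(("/upload", "/deploy"))):
            kind = "deploy-after-bruteforce" if ip in flagged else "deploy"
            alerts.append((ip, kind, f"{e['method']} {e['path']} as {e['user']}"))
    return alerts
```

A deploy by a host that was flagged moments earlier is the signal worth paging on; a lone deploy from a known admin host is routine.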

Repair scheme:

1. Run the Tomcat application with low privileges on the system. Create a dedicated Tomcat service user with only the minimum set of permissions (for example, no remote login).

2. For local and certificate-based authentication, deploy an account lockout mechanism (for centralized authentication, the directory service should be configured accordingly). Set the lockout mechanism and timeout limit in the CATALINA_HOME/conf/web.xml file.

3. Set least-privilege access restrictions for management pages such as manager-gui/manager-status/manager-script.
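As an added example (not from the article), a small Python audit for points 2 and 3: it reads the LockOutRealm settings from conf/server.xml, which the reproduction step above weakened to failureCount="500" lockOutTime="0", and checks tomcat-users.xml for manager accounts with guessable passwords. The XML fragments and the weak-password list are constructed for the example; the element and attribute names are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weakened lockout from the reproduction step
# (failureCount="500" lockOutTime="0") and a manager account with the
# guessable password used in the article. Hardened copy restores Tomcat's defaults.
WEAK_SERVER_XML = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="500" lockOutTime="0">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Realm>
</Engine></Service></Server>"""
WEAK_USERS_XML = """<tomcat-users>
  <user username="tomcat" password="12345" roles="manager-gui,manager-script,admin-gui"/>
</tomcat-users>"""
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace('failureCount="500" lockOutTime="0"',
                                              'failureCount="5" lockOutTime="300"')

# Constructed weak-password list; a real audit would use a proper dictionary.
WEAK_PASSWORDS = {"12345", "tomcat", "admin", "password", "s3cret", ""}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}

def audit_lockout(server_xml, max_failures=5, min_lockout_s=300):
    """Findings about the LockOutRealm in server.xml (Tomcat's defaults are 5 / 300)."""
    findings = []
    root = ET.fromstring(server_xml)
    realms = [r for r in root.iter("Realm") if r.get("className", "").endswith("LockOutRealm")]
    if not realms:
        return ["no LockOutRealm configured: Basic-auth brute force is not throttled"]
    for r in realms:
        fc = int(r.get("failureCount", "5"))
        lt = int(r.get("lockOutTime", "300"))
        if fc > max_failures:
            findings.append(f"failureCount={fc} allows {fc} guesses before lockout")
        if lt < min_lockout_s:
            findings.append(f"lockOutTime={lt}s is too short to slow a dictionary attack")
    return findings

def audit_users(users_xml):
    """Findings about manager accounts in tomcat-users.xml."""
    findings = []
    for u in ET.fromstring(users_xml).iter("user"):
        roles = set(filter(None, u.get("roles", "").split(",")))
        name, pw = u.get("username"), u.get("password", "")
        if roles & MANAGER_ROLES and pw in WEAK_PASSWORDS:
            findings.append(f"user {name!r} has manager roles with a weak password")
        if "manager-gui" in roles and "manager-script" in roles:
            findings.append(f"user {name!r} combines manager-gui and manager-script (Tomcat docs advise against)")
    return findings
```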

Thank you for reading this article carefully. I hope the article "Example analysis of the Tomcat background weak password WAR package upload vulnerability" shared by the editor is helpful to everyone. I also hope you will support us and follow our industry information channel; more related knowledge is waiting for you to learn!
