The output is being formatted to fit in that table.
We are able to execute commands directly on the system.
This immediately tells us a couple of things: The Webshellīrowsing to the test.jsp site reveals the following:Įntering in the recommended "ls -l /tmp" command outputs the following: If I don't need to be sneaky, I'll usually look for low hanging fruit first, and use tools like Nikto to enumerate the site. If you'd like to play along at home, or give it a shot yourself first, it can be downloaded here:Īfter the VM boots up, you should be presented with a nice login screen which helpfully (hopefully) presents the IP address picked up from DHCP.įirst thing to do is run a quick scan on that IP.īrowsing to that URL brings you to a generic Tomcat start page. Since I enjoy being a free man and only occasionally visit prisons, I've created a simple boot2root style VM that has a similar set of vulnerabilities to use in a walkthrough. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it. I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. ICMP, and all TCP/UDP ports including DNS were blocked outbound. If the output didn't match this parsing, no output to me. The page was expecting directory listing style output, which was then parsed and reformatted. While developer-provided webshells are always nice, there were a few caveats. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector.
0 kommentar(er)
