mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-23 19:43:31 +00:00
# Basic Tomcat Info

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

### Avoid running as root

To avoid running Tomcat as root, a very common configuration is to put an Apache server on ports 80/443 and, whenever the requested path matches a regexp, forward the request to Tomcat listening on a different (non-privileged) port.

### Default Structure

```
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
```

* The `bin` folder stores scripts and binaries needed to start and run a Tomcat server.
* The `conf` folder stores various configuration files used by Tomcat.
* The `tomcat-users.xml` file stores user credentials and their assigned roles.
* The `lib` folder holds the various JAR files needed for the correct functioning of Tomcat.
* The `logs` and `temp` folders store temporary log files.
* The `webapps` folder is the default webroot of Tomcat and hosts all the applications. The `work` folder acts as a cache and is used to store data during runtime.

Each folder inside `webapps` is expected to have the following structure.

```
webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class
```

The most important file among these is `WEB-INF/web.xml`, known as the deployment descriptor. It stores **information about the routes** exposed by the application and the classes handling those routes.\
All compiled classes used by the application should be stored in the `WEB-INF/classes` folder. These classes may contain important business logic as well as sensitive information, so any vulnerability in them can lead to total compromise of the website. The `lib` folder stores the libraries needed by that particular application. The `jsp` folder stores [Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta\_Server\_Pages), formerly known as `JavaServer Pages`, which can be compared to PHP files on an Apache server.

Here's an example **web.xml** file.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
    <servlet>
        <servlet-name>AdminServlet</servlet-name>
        <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>AdminServlet</servlet-name>
        <url-pattern>/admin</url-pattern>
    </servlet-mapping>
</web-app>
```

The `web.xml` configuration above defines a **new servlet named `AdminServlet`** mapped to the **class `com.inlanefreight.api.AdminServlet`**. Java uses dot notation for package names, so the path on disk for the class defined above would be:

* **`classes/com/inlanefreight/api/AdminServlet.class`**

Next, a servlet mapping is created to **route requests for `/admin` to `AdminServlet`**. With this configuration, any request received for **`/admin`** is handed to the **`AdminServlet.class`** class for processing. The **`web.xml`** descriptor holds a lot of **sensitive information** and is an important file to check when leveraging a **Local File Inclusion (LFI) vulnerability**.

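As an added example (not HackTricks' or Tomcat's own code), the script below reads a deployment descriptor the way a reviewer would: every `url-pattern` is resolved to its servlet class and to the `.class` file that class must occupy under `WEB-INF/classes`. It embeds the page's web.xml as its sample input and also accepts the namespaced form used by newer descriptors.

```python
# Map the routes declared in a deployment descriptor (WEB-INF/web.xml) to the
# servlet classes that serve them and to the .class file Tomcat expects under
# WEB-INF/classes. Added example for this page, not HackTricks' or Tomcat's code.
# SAMPLE_WEB_XML is the page's own web.xml, embedded so it runs offline.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # "{ns}servlet" -> "servlet"

def _texts(el, name):
    """Stripped text of every direct child of `el` called `name`."""
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]

def class_to_path(fqcn):
    """Java dot notation -> path of the compiled class under WEB-INF."""
    return "WEB-INF/classes/" + fqcn.replace(".", "/") + ".class"

def map_routes(web_xml_text):
    """Return {url-pattern: {"servlet": name, "class": fqcn, "path": file}}.
    A servlet declared via <jsp-file> has no class, so "path" is the JSP."""
    root = ET.fromstring(web_xml_text)
    handlers = {}
    for el in root:
        if _local(el.tag) == "servlet":
            name = _texts(el, "servlet-name")[0]
            cls = (_texts(el, "servlet-class") or [None])[0]
            jsp = (_texts(el, "jsp-file") or [None])[0]
            handlers[name] = {"class": cls, "path": class_to_path(cls) if cls else jsp}
    routes = {}
    for el in root:
        if _local(el.tag) == "servlet-mapping":
            name = _texts(el, "servlet-name")[0]
            for pattern in _texts(el, "url-pattern"):  # one mapping, many patterns
                routes[pattern] = {"servlet": name, **handlers.get(name, {})}
    return routes
```

Running `map_routes(SAMPLE_WEB_XML)` yields `/admin` resolved to `com.inlanefreight.api.AdminServlet` at `WEB-INF/classes/com/inlanefreight/api/AdminServlet.class`, the path the text derives by hand.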
### tomcat-users

The **`tomcat-users.xml`** file defines which users and roles are **allowed** (or not) to access the **`/manager` and `/host-manager` admin applications**.

```xml
<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application. If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->

<SNIP>

<!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />

</tomcat-users>
```

The comment in the file spells out what each of the roles `manager-gui`, `manager-script`, `manager-jmx` and `manager-status` grants access to. In this example, the user `tomcat` with the password `tomcat` holds the `manager-gui` role, and a second weak password, `admin`, is set for the user `admin`, who holds both `manager-gui` and `admin-gui`.

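As an added example (not HackTricks' or Tomcat's code), the audit below parses a `tomcat-users.xml` and reports every account holding a manager or host-manager role together with the weak-credential findings a defender would want flagged. The sample file is constructed from the page's example with the `<SNIP>` markers removed plus two extra users, and the `PRIVILEGED_ROLES` set is my own list of the roles that grant access to those applications.

```python
# Audit a tomcat-users.xml for accounts that can reach the manager or
# host-manager applications with weak credentials. Added example for this page,
# not HackTricks' or Tomcat's code. SAMPLE_TOMCAT_USERS is constructed from the
# page's example with the <SNIP> markers removed so it parses.
import xml.etree.ElementTree as ET

# Roles that grant access to /manager or /host-manager (assumed list).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
KNOWN_DEFAULTS = {"tomcat", "admin"}  # the two passwords in the page's sample

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- Users inside comments are ignored by Tomcat, and by this parser. -->
  <!-- <user username="role1" password="tomcat" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="svc" password="Lk9!zQ2p-constructed" roles="manager-status"/>
  <user username="reader" password="reader" roles="probeuser"/>
</tomcat-users>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {http://tomcat.apache.org/xml} prefix

def audit_users(xml_text):
    """Return {username: {"roles": [...], "findings": [...]}} for every user
    holding a privileged role; users without one are out of scope."""
    root = ET.fromstring(xml_text)
    report = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue
        findings = []
        if pw == name:
            findings.append("password equals username")
        if pw in KNOWN_DEFAULTS:
            findings.append("well-known default password")
        report[name] = {"roles": sorted(privileged), "findings": findings}
    return report
```

On the sample, `tomcat` and `admin` are reported with both findings, `svc` is listed with none, and `reader` and the commented-out `role1` do not appear at all.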