Apache Tomcat
Theory
Apache Tomcat (called "Tomcat" for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. It provides a "pure Java" HTTP web server environment in which Java code can also run.
Practice
Enumeration
We can attempt to trigger an error on the website as a method of fingerprinting. If the error is similar as the one below, this indicates that the website is running Tomcat.
$ curl http://target.com/DoesNotExist
To find the version of Apache Tomcat, a simple command can be executed:
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
Identifying the exact locations of /manager and /host-manager directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages.
Below are common directories for Apache Tomcat.
It's possible to enumerate usernames through metasploit:
It only works for Tomcat versions older than 6
Credentials
The /manager/html directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
To attempt a brute force attack on the manager directory, we may use one of the following commands:
Common Vulnerabilities
In some vulnerable configurations of Tomcat you can gain access to protected directories in Tomcat using the path: /..;/
So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html
Accessing /auth.jsp may reveal the password in a backtrace under fortunate circumstances.
The CVE-2007-1860 vulnerability in mod_jk allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively, should be checked for unauthorized access and potential exploitation. Find more info here
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
Remote Code Execution (RCE)
If you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script).
First create a war file using Msfvenom.
Then upload this file.
Start a listener in local machine.
Now access to https://example.com/shell. We should get a shell.
Post-Exploitation
If we are in the target system, we can retrieve information about credentials.
Resources
Last updated
Was this helpful?