Basic Tomcat Info

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Epuka kukimbia na root

Ili kuepuka kukimbia Tomcat na root, usanidi wa kawaida ni kuweka seva ya Apache kwenye bandari 80/443 na, ikiwa njia iliyotakiwa inalingana na regexp, ombi linaelekezwa kwa Tomcat inayokimbia kwenye bandari tofauti.

Muundo wa Kawaida

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
|   |       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
└── Catalina
└── localhost

Folda ya bin inahifadhi skripti na binaries zinazohitajika kuanzisha na kuendesha seva ya Tomcat.
Folda ya conf inahifadhi faili mbalimbali za usanidi zinazotumiwa na Tomcat.
Faili ya tomcat-users.xml inahifadhi akidi za watumiaji na majukumu yao yaliyotolewa.
Folda ya lib ina faili mbalimbali za JAR zinazohitajika kwa utendaji sahihi wa Tomcat.
Folda za logs na temp zinahifadhi faili za log za muda.
Folda ya webapps ni webroot ya default ya Tomcat na inahifadhi programu zote. Folda ya work inafanya kazi kama cache na inatumika kuhifadhi data wakati wa wakati wa utekelezaji.

Kila folda ndani ya webapps inatarajiwa kuwa na muundo ufuatao.

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
├── jsp
|   └── admin.jsp
└── web.xml
└── lib
|    └── jdbc_drivers.jar
└── classes
└── AdminServlet.class

The most important file among these is WEB-INF/web.xml, which is known as the deployment descriptor. This file stores habari kuhusu njia used by the application and the classes handling these routes. All compiled classes used by the application should be stored in the WEB-INF/classes folder. These classes might contain important business logic as well as sensitive information. Any vulnerability in these files can lead to total compromise of the website. The lib folder stores the libraries needed by that particular application. The jsp folder stores Jakarta Server Pages (JSP), formerly known as JavaServer Pages, which can be compared to PHP files on an Apache server.

Here’s an example web.xml file.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/admin</url-pattern>
</servlet-mapping>
</web-app>

The web.xml configuration above defines a new servlet named AdminServlet that is mapped to the class com.inlanefreight.api.AdminServlet. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be:

classes/com/inlanefreight/api/AdminServlet.class

Next, a new servlet mapping is created to map requests to /admin with AdminServlet. This configuration will send any request received for /admin to the AdminServlet.class class for processing. The web.xml descriptor holds a lot of habari nyeti and is an important file to check when leveraging a Local File Inclusion (LFI) vulnerability.

tomcat-users

The tomcat-users.xml file is used to kuruhusu or disallow access to the /manager and host-manager admin pages.

<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application.  If you wish to use this app,
you must define such a user - the username and password are arbitrary.

Built-in Tomcat manager roles:
- manager-gui    - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx    - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only

The users below are wrapped in a comment and are therefore ignored. If you
wish to configure one or more of these users for use with the manager web
application, do not forget to remove the <!.. ..> that surrounds them. You
will also need to set the passwords to something appropriate.
-->


<SNIP>

!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />


</tomcat-users>

Faili linaonyesha ni nini kila moja ya majukumu manager-gui, manager-script, manager-jmx, na manager-status inatoa ufikiaji. Katika mfano huu, tunaona kwamba mtumiaji tomcat mwenye nenosiri tomcat ana jukumu la manager-gui, na nenosiri dhaifu la pili admin limetengwa kwa akaunti ya mtumiaji admin.

Marejeleo

https://academy.hackthebox.com/module/113/section/1090

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousTomcat NextUncovering CloudFlare

Last updated 2 months ago

├── bin ├── conf │ ├── catalina.policy │ ├── catalina.properties │ ├── context.xml │ ├── tomcat-users.xml │ ├── tomcat-users.xsd │ └── web.xml ├── lib ├── logs ├── temp ├── webapps │ ├── manager │ │ ├── images │ │ ├── META-INF │ │ └── WEB-INF | | └── web.xml │ └── ROOT │ └── WEB-INF └── work └── Catalina └── localhost

webapps/customapp ├── images ├── index.jsp ├── META-INF │ └── context.xml ├── status.xsd └── WEB-INF ├── jsp | └── admin.jsp └── web.xml └── lib | └── jdbc_drivers.jar └── classes └── AdminServlet.class

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> <servlet> <servlet-name>AdminServlet</servlet-name> <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>AdminServlet</servlet-name> <url-pattern>/admin</url-pattern> </servlet-mapping> </web-app>

<?xml version="1.0" encoding="UTF-8"?> <SNIP> <tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">  <SNIP> !-- user manager can access only manager section --> <role rolename="manager-gui" /> <user username="tomcat" password="tomcat" roles="manager-gui" />  <role rolename="admin-gui" /> <user username="admin" password="admin" roles="manager-gui,admin-gui" /> </tomcat-users>