Basic Tomcat Info



Avoid running as root

To avoid running Tomcat as root, a very common setup is to put an Apache server on port 80/443 and, if the requested path matches a regexp, forward the request to Tomcat running on a different port.
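As an added example (not from the original page), this is what that front-end configuration looks like in Apache httpd 2.4: httpd owns ports 80/443 and only the paths matching the regular expression are proxied to an unprivileged Tomcat on 127.0.0.1:8080. The host name, the /app and /api prefixes and the port are assumptions; mod_proxy and mod_proxy_http must be loaded.

```apache
# Added example, not part of the original page or of Tomcat's own configuration.
# httpd listens on the privileged port; Tomcat runs as its own user on 8080 and
# is only reachable through this proxy.
<VirtualHost *:80>
    ServerName app.example.com      # assumed host name
    ProxyRequests Off               # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On

    # Exclusions must precede the matching rule: the Tomcat manager apps are
    # never exposed through the proxy, whatever the regex below is changed to.
    ProxyPass "/manager" "!"
    ProxyPass "/host-manager" "!"

    # Only /app/... and /api/... reach Tomcat; httpd serves everything else itself.
    ProxyPassMatch "^/(app|api)(/.*)?$" "http://127.0.0.1:8080/$1$2"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

On the Tomcat side, binding the HTTP Connector in conf/server.xml to the loopback interface (address="127.0.0.1") ensures the only way to reach the application is through httpd, so the manager exclusion above cannot be bypassed by connecting to port 8080 directly.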

Default Structure

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

  • The bin folder stores the scripts and binaries needed to start and run a Tomcat server.

  • The conf folder stores the various configuration files used by Tomcat.

  • The tomcat-users.xml file stores user credentials and their assigned roles.

  • The lib folder holds the various JAR files needed for Tomcat to function correctly.

  • The logs and temp folders store temporary log files.

  • The webapps folder is Tomcat's default webroot and hosts all the applications. The work folder acts as a cache and is used to store data at runtime.

Each folder inside webapps is expected to have the following structure.

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class

The most important of these files is WEB-INF/web.xml, known as the deployment descriptor. This file stores information about the routes used by the application and the classes that handle those routes. All compiled classes used by the application should be stored in the WEB-INF/classes folder. These classes may contain important business logic as well as sensitive information, and any vulnerability in these files can lead to total compromise of the website. The lib folder stores the libraries needed by that particular application. The jsp folder stores Jakarta Server Pages (JSP), formerly known as JavaServer Pages, which can be compared to PHP files on an Apache server.

Here is an example web.xml file.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
  </servlet-mapping>
</web-app>

The web.xml configuration above defines a new servlet named AdminServlet that is mapped to the class com.inlanefreight.api.AdminServlet. Java uses dot notation for package names, meaning the on-disk path of the class defined above would be:

  • classes/com/inlanefreight/api/AdminServlet.class

Next, a new servlet mapping is created to map requests for /admin to AdminServlet. This configuration sends any request received for /admin to the AdminServlet.class class for processing. The web.xml descriptor often holds a lot of sensitive information and is an important file to check when exploiting a Local File Inclusion (LFI) vulnerability.
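The mapping from descriptor to disk described above is mechanical, so it can be automated for an inventory of what a deployed webapp exposes. The following is an added example, not code from the original page: it parses a web.xml (a constructed sample based on the AdminServlet snippet, extended with a multi-pattern mapping and a jsp-file servlet, which the Servlet spec also allows) and prints each URL pattern with the class file or JSP that serves it. The ReportPage servlet and its JSP are assumptions.

```python
"""Added example (not part of the original page): enumerate the routes a Tomcat
deployment descriptor (WEB-INF/web.xml) declares and the compiled class or JSP
that serves each one."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor. AdminServlet mirrors the text; ReportPage is an
# assumed servlet declared with <jsp-file> instead of <servlet-class>.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ReportPage</servlet-name>
    <jsp-file>/WEB-INF/jsp/admin.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ReportPage</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def _child_text(element, name):
    """Stripped text of the first child named `name` (namespace-agnostic), or None."""
    for child in element:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def class_to_path(fqcn):
    """Java dotted class name -> location of the .class file under the webapp root."""
    return "WEB-INF/classes/" + fqcn.replace('.', '/') + ".class"


def parse_routes(web_xml_text):
    """Return (url_pattern, servlet_name, handler) tuples, where handler is the
    webapp-relative path of the class file or JSP that answers the pattern."""
    root = ET.fromstring(web_xml_text)

    # Pass 1: servlet-name -> on-disk handler.
    handlers = {}
    for el in root:
        if _local(el.tag) != 'servlet':
            continue
        name = _child_text(el, 'servlet-name')
        cls = _child_text(el, 'servlet-class')
        jsp = _child_text(el, 'jsp-file')
        if cls:
            handlers[name] = class_to_path(cls)
        elif jsp:
            handlers[name] = jsp.lstrip('/')   # jsp-file is relative to the webapp root

    # Pass 2: one route per url-pattern (a mapping may list several, Servlet 2.5+).
    routes = []
    for el in root:
        if _local(el.tag) != 'servlet-mapping':
            continue
        name = _child_text(el, 'servlet-name')
        for child in el:
            if _local(child.tag) == 'url-pattern' and child.text:
                routes.append((child.text.strip(), name, handlers.get(name)))
    return routes


if __name__ == '__main__':
    for pattern, name, handler in parse_routes(SAMPLE_WEB_XML):
        print(f"{pattern:10} -> {name:12} served by {handler}")
```

Run against a real descriptor, the output is the list of files whose exposure or compromise matters most for that application, which is the same list a reviewer wants when deciding what to protect in WEB-INF.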

tomcat-users

The tomcat-users.xml file is used to allow or deny access to the /manager and /host-manager admin pages.

<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->

<SNIP>

  <!-- user manager can access only manager section -->
  <role rolename="manager-gui" />
  <user username="tomcat" password="tomcat" roles="manager-gui" />

  <!-- user admin can access manager and admin section both -->
  <role rolename="admin-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />

</tomcat-users>

The file shows what each of the manager-gui, manager-script, manager-jmx and manager-status roles grants access to. In this example we can see that the user tomcat with the password tomcat has the manager-gui role, and that a second weak password, admin, is set for the admin user account.
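Weak credentials on accounts that hold manager roles are exactly what a configuration review of tomcat-users.xml should catch. The following is an added example, not code from the original page: it parses a tomcat-users.xml (a constructed sample built from the one above, plus two assumed accounts, deploy and alice) and reports every account holding a manager or host-manager role whose password equals its username, is a common default, or is short. The default-password list is constructed; admin-script is the host-manager scripting role from Tomcat's own documentation and is not mentioned on this page.

```python
"""Added example (not part of the original page): audit a tomcat-users.xml for
privileged accounts with weak credentials."""
import xml.etree.ElementTree as ET

# Constructed sample based on the file in the text. deploy and alice are assumed.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui" />
  <role rolename="admin-gui" />
  <role rolename="app-user" />
  <!-- <user username="commented" password="commented" roles="manager-gui" /> -->
  <user username="tomcat" password="tomcat" roles="manager-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />
  <user username="deploy" password="Kx9#tq2LmP4vW7zR" roles="manager-script" />
  <user username="alice" password="alice" roles="app-user" />
</tomcat-users>
"""

# Roles that unlock /manager (manager-*) and /host-manager (admin-*).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
# Constructed list of placeholder passwords commonly left in place.
DEFAULT_PASSWORDS = {"tomcat", "admin", "s3cret", "password", "changeit"}
MIN_LENGTH = 12


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}user' -> 'user'."""
    return tag.rsplit('}', 1)[-1]


def parse_users(xml_text):
    """Return a list of {'username', 'password', 'roles'} for every <user> element.
    Users wrapped in XML comments are ignored, which matches what Tomcat does."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != 'user':
            continue
        roles = {r.strip() for r in (el.get('roles') or '').split(',') if r.strip()}
        users.append({'username': el.get('username') or '',
                      'password': el.get('password') or '',
                      'roles': roles})
    return users


def audit_users(xml_text):
    """Return (username, reason) findings for privileged accounts with weak passwords."""
    findings = []
    for u in parse_users(xml_text):
        if not (u['roles'] & PRIVILEGED_ROLES):
            continue   # unprivileged accounts cannot reach the manager apps
        pw = u['password']
        if pw.lower() == u['username'].lower():
            findings.append((u['username'], 'password equals username'))
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append((u['username'], 'default/common password'))
        if len(pw) < MIN_LENGTH:
            findings.append((u['username'], f'password shorter than {MIN_LENGTH} characters'))
    return findings


if __name__ == '__main__':
    for user, reason in audit_users(SAMPLE_TOMCAT_USERS):
        print(f"[WEAK] {user}: {reason}")
```

Against the sample, tomcat and admin are each reported three times, deploy (a long, non-default password on a manager-script account) is clean, and alice is skipped because app-user grants no manager access. Note that a password equal to the username or present in the default list is flagged regardless of length; the check is conservative on purpose.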
