Basic Tomcat Info
Try Hard Security Group
Avoid running as root
To avoid running Tomcat as root, a common configuration is to put an Apache server on ports 80/443 and, when the requested path matches a regexp, forward the request to Tomcat running on a different port.
Default Structure
The bin folder stores the scripts and binaries needed to start and run a Tomcat server. The conf folder stores the various configuration files used by Tomcat. The tomcat-users.xml file stores user credentials and their assigned roles. The lib folder holds the various JAR files needed for Tomcat to function correctly. The logs and temp folders store temporary log files. The webapps folder is Tomcat's default webroot and hosts all the applications. The work folder acts as a cache and is used to store data at runtime.
Each folder inside webapps is expected to have the following structure.
The most important file among these is WEB-INF/web.xml, known as the deployment descriptor. This file stores information about the routes used by the application and the classes that handle those routes. All compiled classes used by the application should be stored in the WEB-INF/classes folder. These classes may contain important business logic as well as sensitive information. Any vulnerability in these files can lead to total compromise of the website. The lib folder stores the libraries needed by that specific application. The jsp folder stores Jakarta Server Pages (JSP), formerly known as JavaServer Pages, which can be compared to PHP files on an Apache server.
Here is an example web.xml file.
The web.xml configuration above defines a new servlet named AdminServlet that is mapped to the class com.inlanefreight.api.AdminServlet. Java uses the dot notation to create package names, meaning the path on disk for the class defined above would be:
classes/com/inlanefreight/api/AdminServlet.class
Next, a new servlet mapping is created to map requests to /admin with AdminServlet. This configuration will send any request received for /admin to the AdminServlet.class class for processing. The web.xml descriptor holds a lot of sensitive information and is an important file to check when leveraging a Local File Inclusion (LFI) vulnerability.
tomcat-users
The tomcat-users.xml file is used to allow or disallow access to the /manager and host-manager admin pages.
The file shows us what each of the roles manager-gui, manager-script, manager-jmx, and manager-status provides access to. In this example, we can see that a user tomcat with the password tomcat has the manager-gui role, and a second weak password admin is set for the user account admin.
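As an added example (not part of the original page), the following script applies the two checks described above to constructed samples: it resolves each url-pattern in a web.xml to the .class file Tomcat loads for it using the dot-to-slash rule, and it audits a tomcat-users.xml for privileged accounts whose cleartext password is weak. The sample XML, the weak-password list and the function names are assumptions made for this demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files described in the text (not from any real deployment)
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>AdminServlet</servlet-name><url-pattern>/admin</url-pattern></servlet-mapping>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/><role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Lq8!v3Zp#r2Wc9Tm" roles="manager-script"/>
</tomcat-users>"""

PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "changeit"}  # tiny illustrative list

local = lambda el: el.tag.split("}")[-1]  # tag name without the namespace both files declare

def servlet_class_files(web_xml):
    """Map each url-pattern to the .class file Tomcat loads for it (package dots become slashes)."""
    classes, mappings = {}, {}
    for el in ET.fromstring(web_xml):
        kids = {local(c): (c.text or "").strip() for c in el}
        if local(el) == "servlet":
            classes[kids["servlet-name"]] = kids["servlet-class"]
        elif local(el) == "servlet-mapping":
            mappings[kids["url-pattern"]] = kids["servlet-name"]
    return {url: "WEB-INF/classes/" + classes[name].replace(".", "/") + ".class"
            for url, name in mappings.items()}

def audit_tomcat_users(users_xml):
    """Flag accounts holding a manager-* role whose cleartext password is weak."""
    findings = []
    for user in ET.fromstring(users_xml):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        privileged = sorted(roles & PRIVILEGED_ROLES)  # empty for <role> elements and unprivileged users
        if local(user) != "user" or not privileged:
            continue
        name, pw = user.get("username", ""), user.get("password", "")
        reasons = []
        if pw.lower() == name.lower():
            reasons.append("password equals username")
        if pw.lower() in WEAK_PASSWORDS:
            reasons.append("password in weak list")
        if reasons:
            findings.append({"username": name, "roles": privileged, "reasons": reasons})
    return findings
```

Run against the samples, the resolver returns the /admin -> WEB-INF/classes/com/inlanefreight/api/AdminServlet.class path from the text, and the audit reports the tomcat and admin accounts but not deploy.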