Tomcat

It usually runs on port 8080

Avoid to run with root

In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the path requested matches a regexp, the request is send to the Tomcat running in other port.

Username Enum

In some versions prior to Tomcat6 you could enumerate users:

msf> use auxiliary/scanner/http/tomcat_enum

Default credentials

The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic TTP auth, the most common credentials are:

  • admin:admin

  • tomcat:tomcat

  • admin:<NOTHING>

  • admin:s3cr3t

  • tomcat:s3cr3t

  • admin:tomcat

You could test these and more using:

Bruteforce

This could be needed.

Vulns

Double URL encode

A well-known vulnerability to access the application manager __ is mod_jk in CVE-2007-1860, that allows Double URL encode path traversal.

In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html

Take into account that to upload the webshell you could need to use the double urlencode trick and send also a cookie and/or a SSRF token. To access to backdoor you could also need to use the double urlencode trick.

/examples

The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from here).

  • /examples/jsp/num/numguess.jsp

  • /examples/jsp/dates/date.jsp

  • /examples/jsp/snp/snoop.jsp

  • /examples/jsp/error/error.html

  • /examples/jsp/sessions/carts.html

  • /examples/jsp/checkbox/check.html

  • /examples/jsp/colors/colors.html

  • /examples/jsp/cal/login.html

  • /examples/jsp/include/include.jsp

  • /examples/jsp/forward/forward.jsp

  • /examples/jsp/plugin/plugin.jsp

  • /examples/jsp/jsptoserv/jsptoservlet.jsp

  • /examples/jsp/simpletag/foo.jsp

  • /examples/jsp/mail/sendmail.jsp

  • /examples/servlet/HelloWorldExample

  • /examples/servlet/RequestInfoExample

  • /examples/servlet/RequestHeaderExample

  • /examples/servlet/RequestParamExample

  • /examples/servlet/CookieExample

  • /examples/servlet/JndiServlet

  • /examples/servlet/SessionExample

  • /tomcat-docs/appdev/sample/web/hello.jsp

RCE

Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).

Limitations

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (it vary between versions) (see POST section).

Metasploit

MSFVenom Reverse Shell

Then, upload the revshell.war file and access to it (/revshell/)

Bind and reverse shell with tomcatWarDeployer.py

In some scenarios this doesn't work (for example old versions of sun)

Download

Reverse shell

Bind shell

Using Culsterd

Manual method - Web shell

Create index.jsp with this content:

You could also install this (allows upload, download and command execution): http://vonloesch.de/filebrowser.html

POST

Name of tomcat credentials file is tomcat-users.xml

Other ways to gather tomcat credentials:

PreviousSpEL - Spring Expression LanguageNextVMWare (ESX, VCenter...)

Last updated