Tomcat

Tomcat is a web service commonly exposed on port 8080/tcp.

Introduction

Apache Tomcat is a free and open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which Java code can run.

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass

An exploit exists to execute remote commands by uploading a .war file without prior authentication.

Installation Directory

Depending on the version installed, and on whether it was installed manually or with apt, Tomcat is located in different places.

Configuration Files

There are several important files to review for information about the server.

server.xml

The server.xml file is Tomcat's main configuration file, and is responsible for specifying Tomcat's initial configuration on startup as well as defining the way and order in which Tomcat boots and builds. The elements of the server.xml file belong to five basic categories - Top Level Elements, Connectors, Containers, Nested Components, and Global Settings.

web.xml

The web.xml file is derived from the Servlet specification, and contains information used to deploy and configure the components of your web applications.

tomcat-users.xml

This last file contains the credentials and privileges of the Tomcat users.

Default credentials

SecLists has a list of default credentials for Tomcat:

From Admin to Reverse Shell

If you have access to the Tomcat Web Application Manager, you are able to upload and deploy a malicious .war file.

Finding the endpoint

First, it is important to find the endpoint.

Creating a shell (.WAR)

There are several ways to create the WAR file.

MSFVenom Reverse Shell

Manual Web Shell

Create an index.jsp with the following content:

And run the following commands:

Uploading the shell

We just need to upload it and visit the path.

Finally we can visit the path:
