Web Server Attacks

Attacks on various servers like Apache, Nginx and Tomcat

Tomcat

Service Discovery

$ curl -s http://target/docs/ | grep Tomcat 

Generic structure of a Tomcat installation

├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml <-- user credentials and roles
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml  <-- describes routes and classes
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

Important pages are /manager and /host-manager, which are often left with weak default passwords like tomcat:tomcat or admin:admin.

Bruteforcing

WAR backdoor upload

After logging into the manager console, upload backdoor cmd.jsp

Upload the file

Browse -> Deploy the war file, and execute commands with

Ghostcat

Ghostcat is an LFI vulnerability that can only read files within the webapps folder, so it can't access /etc/passwd.
