Tomcat
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
It usually runs on port 8080
Common Tomcat error:
To find the version of Apache Tomcat, a simple command can be executed:
This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
Identifying the exact locations of /manager
and /host-manager
directories is crucial as their names might be altered. A brute-force search is recommended to locate these pages.
For Tomcat versions older than 6, it's possible to enumerate usernames through:
The /manager/html
directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
admin:admin
tomcat:tomcat
admin:
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
These credentials can be tested using:
Another notable directory is /manager/status
, which displays the Tomcat and OS version, aiding in vulnerability identification.
To attempt a brute force attack on the manager directory, one can use:
Along with setting various parameters in Metasploit to target a specific host.
Accessing /auth.jsp
may reveal the password in a backtrace under fortunate circumstances.
The CVE-2007-1860 vulnerability in mod_jk
allows for double URL encoding path traversal, enabling unauthorized access to the management interface via a specially crafted URL.
In order to access to the management web of the Tomcat go to: pathTomcat/%252E%252E/manager/html
/examples/jsp/num/numguess.jsp
/examples/jsp/dates/date.jsp
/examples/jsp/snp/snoop.jsp
/examples/jsp/error/error.html
/examples/jsp/sessions/carts.html
/examples/jsp/checkbox/check.html
/examples/jsp/colors/colors.html
/examples/jsp/cal/login.html
/examples/jsp/include/include.jsp
/examples/jsp/forward/forward.jsp
/examples/jsp/plugin/plugin.jsp
/examples/jsp/jsptoserv/jsptoservlet.jsp
/examples/jsp/simpletag/foo.jsp
/examples/jsp/mail/sendmail.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestParamExample
/examples/servlet/CookieExample
/examples/servlet/JndiServlet
/examples/servlet/SessionExample
/tomcat-docs/appdev/sample/web/hello.jsp
So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html
Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
Create the war to deploy:
Upload the revshell.war
file and access to it (/revshell/
):
In some scenarios this doesn't work (for example old versions of sun)
Name of Tomcat credentials file is tomcat-users.xml
Other ways to gather Tomcat credentials:
Apache Tomcat versions 4.x to 7.x include example scripts that are susceptible to information disclosure and cross-site scripting (XSS) attacks. These scripts, listed comprehensively, should be checked for unauthorized access and potential exploitation. Find
In some you can gain access to protected directories in Tomcat using the path: /..;/
You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script). Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml
(it vary between versions) (see section).
Create index.jsp with this :
You could also install this (allows upload, download and command execution):
Get a JSP web shell such as and create a WAR file:
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.