Exploiting Tomcat

In this section, we will look at how the exploitation of vulnerable versions of Tomcat can be performed. We will cover various techniques, including uploading a WAR shell and the JSP upload bypass.

Using the search command on Metasploit to look up Tomcat will provide us with a few available modules, as shown:

We will use the most basic module, which will brute-force Tomcat Manager and give us the credentials:

  1. To load the module, we can use the following command:

     use auxiliary/scanner/http/tomcat_mgr_login

  2. Before using a module, it's always good practice to know the workings of the module. Keeping that in mind, a pentester can tweak the module in case there's a Web Application Firewall (WAF) in place. Once the module is loaded, we can use the show options command to view the options that need to be filled in by the tester (as in the following screenshot):

  3. By viewing the options, we can see that it asks for the IP (RHOSTS) and port (RPORT) of the Tomcat installation, along with the word list to use to brute-force the credentials. We use the run command to execute the module, as shown:

  4. We'll get a Login Successful message with a correct login/password combination, as shown:

Gaining access through default Manager credentials is one of the most common ways Apache Tomcat is compromised. Once an attacker has logged in with a default password, they no longer need to spend effort hunting for other vulnerable endpoints.
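From the defender's side, the brute-force described above leaves a recognisable trace in Tomcat's access log: a burst of 401 responses on /manager/html from one source, sometimes followed by a 200 once a credential pair works. The following detector is an added example, not code from the book or from Metasploit; it assumes the default AccessLogValve "common" pattern and runs over a constructed sample log embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's default AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b); %u is "-" on failed logins. A burst of 401s on
# /manager/html from one source, then a 200, is the footprint a Manager
# credential brute-force such as tomcat_mgr_login leaves in the access log.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Mar/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 19876
10.0.0.9 - - [12/Mar/2024:10:01:10 +0000] "GET /index.jsp HTTP/1.1" 200 11230
10.0.0.9 - - [12/Mar/2024:10:01:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")


def parse_line(line):
    """Parse one common-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_manager_bruteforce(log_text, threshold=3):
    """Return {ip: summary} for sources with at least `threshold` 401s on the
    Manager apps; summary records whether a 200 followed the failures and as whom."""
    per_ip = defaultdict(lambda: {"failures": 0, "success_as": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIXES):
            continue
        entry = per_ip[rec["ip"]]
        if rec["status"] == 401:
            entry["failures"] += 1
        elif rec["status"] == 200 and entry["failures"] > 0:
            entry["success_as"] = rec["user"]  # credentials were finally guessed
    return {ip: e for ip, e in per_ip.items() if e["failures"] >= threshold}
```

On the sample, only 10.0.0.5 crosses the threshold, and its summary shows the login eventually succeeded as the tomcat user; a single stray 401 from 10.0.0.9 is ignored.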
