Tomcat
General folder structure of a Tomcat installation
The bin folder stores the scripts and binaries needed to start and run a Tomcat server.
The conf folder stores the various configuration files used by Tomcat. The tomcat-users.xml file stores user credentials and their assigned roles.
The lib folder holds the JAR files needed for Tomcat to function correctly. The logs folder stores Tomcat's log files, and the temp folder holds temporary files created at runtime.
The webapps folder is the default webroot of Tomcat and hosts all the applications.
The work folder acts as a cache and is used to store data during runtime.
Each folder inside webapps is expected to have the following structure.
The most important file among these is WEB-INF/web.xml, which stores information about the routes used by the application and the classes handling those routes. Any vulnerability in these files can lead to total compromise of the website.
Discovery/Footprinting
Tomcat Version
Default Credentials
The /manager/html directory is particularly sensitive as it allows the upload and deployment of WAR files, which can lead to code execution. This directory is protected by basic HTTP authentication, with common credentials being:
admin:admin
tomcat:tomcat
admin:
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
Wordlist:
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
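As an added example (not part of the original notes), this Python script audits a tomcat-users.xml against the default manager credentials listed above, so a defender can spot the accounts a default-credential wordlist would hit before an attacker does. The sample XML, the 12-character length threshold and the set of manager roles are assumptions.

```python
"""Audit a tomcat-users.xml for default or weak manager credentials."""
import xml.etree.ElementTree as ET

# Default username:password pairs listed above ("admin:" is an empty password).
DEFAULT_CREDS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_CREDS if pw}
# Roles granting access to the manager/host-manager applications (assumed set).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed sample file, not taken from a real deployment. Real files carry the
# http://tomcat.apache.org/xml namespace, so tags are matched on their local name.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="" roles="manager-gui,manager-script"/>
  <user username="deploy" password="7kQ!v2pLm9zX#rT4" roles="manager-script"/>
  <user username="alice" password="admin" roles="reader"/>
</tomcat-users>
"""


def _local(tag):
    """Strip a namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason) pairs for accounts that need attention.

    Assumes plaintext passwords; digested passwords cannot be compared
    against the default list and simply fall through the length check.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        suffix = " (manager role)" if roles & MANAGER_ROLES else ""
        if pw == "":
            findings.append((name, "empty password" + suffix))
        elif (name, pw) in DEFAULT_CREDS:
            findings.append((name, "default username/password pair" + suffix))
        elif pw in DEFAULT_PASSWORDS:
            findings.append((name, "password appears in default wordlist" + suffix))
        elif suffix and len(pw) < 12:
            findings.append((name, "short password" + suffix))
    return findings
```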
Bruteforce Script
Tomcat Manager - WAR File Upload
Using MSFVenom to create a .war file. (The web shell as-is is detected by only 2/58 anti-virus vendors.)
A simple change such as changing:
to:
results in 0/58 security vendors flagging the cmd.jsp file as malicious at the time of writing.
CVE-2020-1938 : Ghostcat
All Tomcat versions before 9.0.31, 8.5.51, and 7.0.100 were found vulnerable.
Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)
Affected versions
9.0.0.M1 to 9.0.17
8.5.0 to 8.5.39
7.0.0 to 7.0.93