|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + The administrator application was removed as of Tomcat 6. Tomcat 5.5.36 is available from [apache](https://archive.apache.org/dist/tomcat/tomcat-5/v5.5.36/). This does not have the `admin` app bundled though, and can be downloaded [here](https://archive.apache.org/dist/tomcat/tomcat-5/v5.5.36/bin/apache-tomcat-5.5.36-admin.zip). |
| 4 | + |
| 5 | + To utilize the `admin` application, a user must have the permission `admin` applied to their account. The following user line will handle all necessary permissions: |
| 6 | + |
| 7 | + ``` |
| 8 | + <user username="tomcat" password="tomcat" roles="admin"/> |
| 9 | + ``` |
| 10 | + |
| 11 | +## Verification Steps |
| 12 | + |
| 13 | + 1. Install Tomcat 5.5 or older |
| 14 | + 2. Install the admin app |
| 15 | + 3. Start msfconsole |
| 16 | + 4. Do: ```use auxiliary/admin/http/tomcat_administration``` |
| 17 | + 5. Do: ```set rhosts [ips]``` |
| 18 | + 6. Do: ```set tomcat_user [username]``` |
| 19 | + 7. Do: ```set tomcat_pass [username]``` |
| 20 | + 8. Do: ```set rport [port]``` |
| 21 | + 9. Do: ```run``` |
| 22 | + 10. Find all the Tomcat admin portals |
| 23 | + |
| 24 | +## Options |
| 25 | + |
| 26 | + **rport** |
| 27 | + |
| 28 | + The default is set to `8180`, which is only default on FreeBSD. All other operating systems, and the software itself, default to `8080`. |
| 29 | + |
| 30 | +## Scenarios |
| 31 | + |
| 32 | + Example run against Tomcat 5.5.36 with admin module installed against Windows XP |
| 33 | + |
| 34 | + ``` |
| 35 | + msf > use auxiliary/admin/http/tomcat_administration |
| 36 | + msf auxiliary(tomcat_administration) > set rport 8085 |
| 37 | + rport => 8085 |
| 38 | + msf auxiliary(tomcat_administration) > set rhosts 192.168.2.108 |
| 39 | + rhosts => 192.168.2.108 |
| 40 | + msf auxiliary(tomcat_administration) > set verbose true |
| 41 | + verbose => true |
| 42 | + msf auxiliary(tomcat_administration) > set tomcat_pass tomcat |
| 43 | + tomcat_pass => tomcat |
| 44 | + msf auxiliary(tomcat_administration) > set tomcat_user tomcat |
| 45 | + tomcat_user => tomcat |
| 46 | + msf auxiliary(tomcat_administration) > run |
| 47 | + |
| 48 | + [*] http://192.168.2.108:8085/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5.36] [Tomcat Server Administration] [tomcat/tomcat] |
| 49 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 50 | + [*] Auxiliary module execution completed |
| 51 | + ``` |
0 commit comments