How to Hack Apache Tomcat via Malicious WAR File Upload


Web applications are a prime target for hackers, but sometimes it's not just the web apps themselves that are vulnerable. Web management interfaces should be scrutinized just as hard as the apps they manage, especially when they contain some sort of upload functionality. By exploiting a vulnerability in Apache Tomcat, a hacker can upload a backdoor and get a shell.


Apache Tomcat is an open-source implementation of several Java technologies, including Java Servlet, JSP, Java EL, and WebSocket. It provides an environment where Java code can run over HTTP. It was first released in 1998 and is still developed and maintained today under the Apache License 2.0.


Tomcat uses WAR (Web Application Archive) files to deploy web apps via servlets. These files are similar to JAR files but contain everything the web app needs, such as JavaScript, CSS, etc. Previous versions of Apache Tomcat included a vulnerability that allowed attackers to upload and deploy a WAR backdoor.
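For defenders, a WAR deployment through the management interface leaves a trace in Tomcat's access log. The following is an added example, not code from the original article: it flags accepted deploy requests and counts the 401 responses the same client received beforehand. It assumes the log uses Tomcat's "common" access-log pattern and that the management interface is the stock manager application under /manager; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b (assumed format)
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that accept a WAR: the HTML upload form, the text
# interface, and the older /manager/deploy command.
DEPLOY = re.compile(r'^/manager/(?:html/upload|text/deploy|deploy)(?:[?;]|$)')


def find_war_deployments(lines):
    """Return one finding per manager deploy request that was not rejected."""
    failed_auth = Counter()  # 401s against /manager/ seen so far, per client
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        host, uri, status = m["host"], m["uri"], int(m["status"])
        if uri.startswith("/manager/") and status == 401:
            failed_auth[host] += 1
        elif DEPLOY.match(uri) and m["method"] in ("POST", "PUT") and status < 400:
            findings.append({
                "time": m["ts"], "client": host, "user": m["user"],
                "request": f'{m["method"]} {uri}',
                "prior_401s": failed_auth[host],
            })
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
10.10.0.20 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2474
10.10.0.20 - - [12/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2474
10.10.0.20 - ops [12/Mar/2024:10:15:03 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.10.0.20 - ops [12/Mar/2024:10:15:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 18211
10.10.0.7 - deployer [12/Mar/2024:11:02:44 +0000] "PUT /manager/text/deploy?path=/shop HTTP/1.1" 200 48
10.10.0.9 - - [12/Mar/2024:11:30:00 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 401 2474
10.10.0.9 - - [12/Mar/2024:11:31:00 +0000] "GET /index.jsp HTTP/1.1" 200 1200
""".splitlines()

if __name__ == "__main__":
    for finding in find_war_deployments(SAMPLE_LOG):
        print(finding)
```

A deployment preceded by failed logins from the same address, or one arriving from a host outside the usual release pipeline, is the case worth investigating first.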


We will be using Kali Linux to attack an instance of Metasploitable 2, an intentionally vulnerable virtual machine, to highlight the Tomcat vulnerability.


Target Enumeration


We can begin by performing an Nmap scan on the target to verify that Apache Tomcat is running. The -sV switch will attempt to determine the name and version of any available service:


~# nmap -sV 10.10.0.50
Starting Nmap 7.70 ( https://nmap.org ) ..
