Apache Tomcat Http

Sep 22, 2020

Apache Tomcat also provides, by default, an HTTP connector on port 8080, so Tomcat can be used directly as an HTTP server. A dedicated web server such as Apache HTTP Server is usually faster at serving static content and offers more front-end options (TLS termination, caching, access control), which is why Tomcat is commonly placed behind one rather than exposed directly. Apache Tomcat (called 'Tomcat' for short) is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a 'pure Java' HTTP web server environment in which Java code can run.

Apache Tomcat Tutorial

Welcome to Apache Tomcat Tutorial. Learn to use Apache Tomcat as a JSP container, HTTP Web Server, etc., and understand configuration for security and scalability with examples.

  • The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression: invalid Transfer-Encoding headers were incorrectly processed, which made HTTP request smuggling possible if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a.
  • Most of you will be running a web server like Apache, Nginx or IIS in front of Tomcat, so you can set security response headers directly in that web server. If there is no web server in front, or you need to set them in Tomcat itself, the good news is that Tomcat 8 added a built-in filter, org.apache.catalina.filters.HttpHeaderSecurityFilter (configured in conf/web.xml or an application's WEB-INF/web.xml), for the following HTTP response headers: Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options.
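The regression in the first bullet matters because a reverse proxy and Tomcat can disagree about where one request ends and the next begins. The following is an added example, not code from Tomcat or from this page, of the framing checks a proxy (or a test harness pointed at a proxy) should apply: any request carrying both Content-Length and Transfer-Encoding, any Transfer-Encoding other than a bare chunked, and any duplicate or non-numeric Content-Length is rejected, and for a well-formed chunked body the function returns the bytes left after the terminating chunk, which is exactly what a lenient proxy would forward to Tomcat as the start of a second request. The sample requests are constructed for the example.

```python
"""Request-framing checks of the kind a reverse proxy must apply before
forwarding to Tomcat.  Added example for this page; it is not code from
Tomcat or from the original article.  Sample requests are constructed."""
import re

TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


class FramingError(ValueError):
    """The body length of this request is ambiguous or malformed."""


def parse_head(raw: bytes):
    """Split raw bytes into (request_line, [(name, value), ...], body).
    Duplicate headers are kept so a second Content-Length can be seen."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject obsolete line folding and names that are not valid tokens:
        # a lenient parser here and a strict one in Tomcat is a smuggling setup.
        if not colon or not TOKEN.fullmatch(name.decode("latin-1")):
            raise FramingError("malformed header line %r" % line)
        headers.append((name.decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def framing(headers):
    """Return ("chunked", None), ("content-length", n) or ("none", 0).
    Anything two implementations might frame differently is rejected."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        # Only a bare 'chunked' is accepted; 'xchunked', 'chunked abc' or
        # 'identity, chunked' are the forms proxies and origins disagree on.
        if codings != ["chunked"]:
            raise FramingError("invalid Transfer-Encoding %r" % te)
        return "chunked", None
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError("invalid Content-Length %r" % cl)
        return "content-length", int(cl[0])
    return "none", 0


def dechunk(body: bytes):
    """Decode a chunked body and return (data, leftover).  Bytes after the
    terminating zero chunk are where a smuggled second request would sit."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("bad chunk size %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:                      # last chunk, optional trailers
            end = body.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise FramingError("missing final CRLF")
            return bytes(out), body[end + 4:]
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        pos += size + 2


def check_request(raw: bytes) -> dict:
    """Classify one raw request: what a proxy may forward, or why to 400."""
    try:
        request_line, headers, body = parse_head(raw)
        kind, n = framing(headers)
        if kind == "chunked":
            data, leftover = dechunk(body)
        else:
            data, leftover = body[:n], body[n:]
            if len(data) < n:
                raise FramingError("body shorter than Content-Length")
    except FramingError as e:
        return {"accept": False, "error": str(e)}
    return {"accept": True, "request_line": request_line, "framing": kind,
            "body": data, "leftover": leftover}


# Constructed samples.  CL_TE is the classic ambiguous request: a proxy that
# honours Content-Length forwards 6 bytes, while a chunked-aware origin stops
# after "0\r\n\r\n" and treats the trailing "G" as the start of a new request.
CL_TE = (b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
BAD_TE = (b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: xchunked\r\n"
          b"\r\n5\r\nhello\r\n0\r\n\r\n")
TAIL = (b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\n\r\nGET /manager/html HTTP/1.1\r\nHost: app\r\n\r\n")

if __name__ == "__main__":
    for name, req in ("CL_TE", CL_TE), ("BAD_TE", BAD_TE), ("TAIL", TAIL):
        print(name, check_request(req))
```

A proxy that applies these rules never forwards a request Tomcat could frame differently; the leftover bytes that check_request reports for TAIL are the only legitimate case (HTTP pipelining), and a proxy that does not pipeline to its back end should refuse those too.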

This tutorial targets the Apache Tomcat 8.5.x line.

Apache Tomcat Tutorial – Index

  • Managing Tomcat
  • Deploying Web Applications with Apache Tomcat

Introduction to Apache Tomcat

The Apache Tomcat software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Apache Tomcat is usually used as a servlet container, even though it has a fully functional HTTP server that can also serve static content. In most production deployments Tomcat is used in conjunction with Apache HTTP Server: the HTTP server serves static content such as HTML and images and forwards requests for dynamic content to Tomcat. The HTTP server offers more options for that front-end role (TLS termination, caching, access control, load balancing), and the arrangement also keeps Tomcat's connector from being directly exposed to clients.

Tomcat 8.5 adds support for HTTP/2, OpenSSL as a TLS provider for JSSE, TLS virtual hosting (SNI) and JASPIC 1.1.

Components and Features of Apache Tomcat

Apache Tomcat has following components and features to manage web applications.

  • Catalina
  • Coyote
  • Jasper
  • Cluster
  • High Availability
  • Web Application

Jasper 2

Jasper is Tomcat's JSP engine. It parses JSP files, translates them into Java servlet source and compiles that source so the pages can be executed by the servlet container.

Jasper is also capable of background compilation: when a JSP file is changed, the server keeps serving the previously compiled version until the updated JSP has been recompiled, at which point the new version replaces it.

Catalina

Catalina is Tomcat's servlet container: it loads web applications, maps requests to their servlets and JSPs, and enforces the security constraints and roles declared in web.xml. Catalina is what makes Tomcat a web server for dynamic content.

Coyote

Coyote is Tomcat's HTTP connector: it listens on a TCP port (8080 by default), parses incoming HTTP requests, hands them to Catalina as request objects and writes the responses back. Coyote is what lets Tomcat act as a stand-alone HTTP web server, including for static content.

Installing Apache Tomcat on Ubuntu

To install Tomcat on Ubuntu, open a terminal and run the following command:

    sudo apt-get install tomcat8

If you need tomcat7 for project-related reasons, use tomcat7 instead of tomcat8 in the command.

Following are the locations we will need in further steps (the layout of Ubuntu's tomcat{X} package):

  • /etc/tomcat{X} for configuration (server.xml, web.xml, tomcat-users.xml)
  • /usr/share/tomcat{X} for the runtime, called CATALINA_HOME
  • /var/lib/tomcat{X} for the running instance, called CATALINA_BASE; its webapps directory holds the deployed applications
  • /usr/share/tomcat{X}-root for the default ROOT web application

You can check that the Tomcat server is running by opening http://localhost:8080/ in a browser. Tomcat's default welcome page ("It works !" for the Ubuntu package) should be returned.

Start Apache Tomcat

Once you install Tomcat, it is started automatically.

If you have stopped it manually and would like to start Apache Tomcat again, open a terminal and run the following command:

    sudo service tomcat8 start

Restart Apache Tomcat

There are scenarios, for example after you have updated your web application, where you need to restart Apache Tomcat for the server to pick up the changes.

To restart Apache Tomcat, open a terminal and run the following command:

    sudo service tomcat8 restart

Stop Apache Tomcat

To stop Apache Tomcat, open a terminal and run the following command:

    sudo service tomcat8 stop

If you have installed tomcat7, use tomcat7 instead of tomcat8 in the above commands.

Deploying Web Applications with Apache Tomcat

In the following sections, we shall learn to deploy static and dynamic web applications in Tomcat.

Deploying Static Web-Applications with Apache Tomcat

To deploy a static web application with Tomcat, all you need to do is copy your project folder into Tomcat's webapps directory.

For Linux (Ubuntu package, where webapps lives under CATALINA_BASE):

    sudo cp -r StaticWebProject /var/lib/tomcat8/webapps/

Now restart Tomcat for the changes to take effect.

Open a browser and hit the URL http://localhost:8080/StaticWebProject.

Deploying Dynamic Web-Applications with Apache Tomcat

A WAR (Web application ARchive) is the format in which Apache Tomcat deploys dynamic web applications: a zip file containing the application's JSPs and static files plus a WEB-INF directory with web.xml, compiled classes and libraries. If you are building a web application in an IDE like Eclipse, you can export it as a WAR file and copy it into the webapps directory exactly as for the static project above; Tomcat expands it into a context named after the file.

Conclusion

With this series of tutorials, we have learnt how to configure and work with Apache Tomcat.

From charlesreid1

  • Tomcat Service
  • Metasploit Modules for Tomcat
    • Login Credentials
    • Uploading Java Executable with Metasploit
    • Uploading Java Executable Manually

We will attempt to abuse the Tomcat server in order to obtain access to the web server. The end goal is to obtain a shell on the web server.

Just a reminder of what the nmap scan returned about Apache Tomcat and Coyote:

JSP stands for JavaServer Pages. All this means is that the web pages served on port 8180 are generated by a Java web application (Metasploitable runs Tomcat on 8180 rather than the default 8080).

What is tomcat

Apache Tomcat is a server that runs Java web applications (servlets and JSP pages) on the server side; it does not run Java applets in the browser. The nmap scan didn't return the version, so that's probably the first thing we'll want to figure out.

What is coyote

Coyote is not a separate product: it is Tomcat's HTTP connector, the component that speaks HTTP on port 8180 and hands requests to the servlet container (Catalina), which is why nmap names both in the banner. In that sense it plays the role the Apache web server plays, but for JavaServer Pages (JSP).

From the description of Coyote on the Tomcat page [1], it sounds like this server will be as susceptible to denial of service attacks as the Apache web server was.


Let's start by doing some recon of the Tomcat server using the various HTTP scanners in Metasploit.

Running the HTTP dir scanner module turns up some goodies:

These turn up some interesting pages that can potentially be bypassed:

The recon we do feeds into the choice of Metasploit modules. First, we have a login page on the manager application, which gives us a way to brute-force login credentials. Second, we have an upload interface, a potential avenue for uploading a shell; for Tomcat that shell has to be a JSP or a WAR rather than the PHP script used against Apache. Third, the server works much like the Apache server, and is susceptible to denial of service attacks.

Login Credentials

We can do a comprehensive search for all Tomcat-related modules in Metasploit:

    msf > search tomcat

We will focus on three modules:

Specifically, to obtain login credentials, we'll focus on tomcat_mgr_login.

tomcat mgr login

This module brute-forces logins against the Tomcat manager application.

Here is info on this module from the Rapid7 website: https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login

Printing out the module's options (show options) makes clear that it is a brute-force scanner: it takes a user list, a password list and the usual RHOSTS/RPORT target settings.

We'll definitely want to try blank passwords. Let's set some options:

    use auxiliary/scanner/http/tomcat_mgr_login
    set RHOSTS 10.0.0.27
    set RPORT 8180
    set BLANK_PASSWORDS true


Now fire it up:

Success! The username/password tomcat/tomcat will get us access to the server.
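The module succeeds here only because the manager account still has a shipped default password and a role that reaches the manager application. The defender's side of the same check, as an added example that is not code from Metasploit or Tomcat, is to audit tomcat-users.xml directly: every account whose roles reach the manager or host-manager is tested for a blank password, a well-known default pair, or the placeholder left in the example file. The role names, the default-credential list and the sample XML are constructed for the example (the module's own wordlists are much longer).

```python
"""Audit a tomcat-users.xml for the weak manager credentials that
tomcat_mgr_login finds.  Added example for this page, not code from
Metasploit or Tomcat; the sample XML and credential list are constructed."""
import xml.etree.ElementTree as ET

# Roles that reach the manager / host-manager applications.  'manager' and
# 'admin' are the pre-Tomcat-7 names (Metasploitable's Tomcat 5.5 uses them).
PRIVILEGED = {"manager", "admin", "manager-gui", "manager-script",
              "manager-jmx", "manager-status", "admin-gui", "admin-script"}

# Well-known default pairs (constructed subset of what a brute forcer tries).
DEFAULTS = {("tomcat", "tomcat"), ("admin", "admin"), ("admin", "tomcat"),
            ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
            ("tomcat", "s3cret"), ("admin", "password"), ("root", "root")}


def _local(tag: str) -> str:
    """Strip a namespace prefix; Tomcat 7+ writes xmlns on <tomcat-users>."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text: str):
    """Return one finding per problem: dicts with username, roles, problem.
    Accounts that cannot reach the manager app are skipped on purpose."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts either 'username' or the older 'name' attribute.
        user = el.get("username") or el.get("name") or ""
        pw = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED:
            continue
        problem = None
        if pw == "":
            problem = "blank password on privileged account"
        elif (user, pw) in DEFAULTS:
            problem = "default credential"
        elif "must-be-changed" in pw:
            problem = "placeholder password from the shipped example file"
        if problem:
            findings.append({"username": user, "roles": sorted(roles),
                             "problem": problem})
    return findings


# Constructed sample: one default pair, one blank password, one strong
# password on a privileged account, and one unprivileged account.
SAMPLE = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probe"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="ops" password="gH7!kq2Lm9xS" roles="manager-gui, manager-script"/>
  <user username="viewer" password="viewer" roles="probe"/>
</tomcat-users>
"""

# Legacy (Tomcat 5.5 style) file with no namespace and the 'name' attribute.
LEGACY = "<tomcat-users><user name='both' password='tomcat' roles='manager'/></tomcat-users>"

if __name__ == "__main__":
    for f in audit(SAMPLE) + audit(LEGACY):
        print(f)
```

Run it against /etc/tomcat8/tomcat-users.xml (or conf/tomcat-users.xml in a stand-alone install) before exposing port 8080; anything it prints is an account the login scanner on this page would find in its first few guesses.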

Uploading Java Executable with Metasploit

Just as obtaining a remote shell on the web server with Apache required uploading and executing a PHP script (see Metasploitable/Apache/DAV), obtaining a remote shell on the web server will require uploading and executing a file - but for Tomcat, the executable must be a JSP (JavaServer Pages) application.

Automated Metasploit File Upload

This is contained in the tomcat_mgr_upload module:

Set Metasploit Options


Set some options for this exploit. We'll use the credentials we already found:

    use exploit/multi/http/tomcat_mgr_upload
    set HttpUsername tomcat
    set HttpPassword tomcat

The TARGETURI variable should be left at its default, manager/, not set to admin.

Additionally, we'll need to set the target architecture:

Run the Exploit (Failure)

Now we are ready to run:

Does not work. Not sure why.

After running the above exploit, I can log into the management page and see the WAR is successfully being uploaded by Metasploit, and that the module is active and running.

We can configure the correct path to the Tomcat manager (which is /manager).


(Note: many admins will disable these Tomcat modules or change the name of directories.)


Run the Exploit (Worked)

I set this aside for a day, and found another workaround (covered below). But then, later, the exploit worked as intended.

Houston, We Have A Meterpreter Shell

Now we have a meterpreter shell! Over and on to Meterpreter.

Uploading Java Executable Manually

For some reason, the metasploit automated payload deployment had some problems. However, we can still exploit this server manually.

The management web interface gives us a place to upload WAR files, and a way to execute them manually.

We can use Metasploit to craft a WAR file with the payload, then manually upload and execute it.
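What the manager actually accepts is just a zip archive with a particular layout, which is why a hand-built WAR works as well as one from Metasploit. The following added example, not code from Metasploit or from this page, builds a minimal WAR in that layout and, for the defending side, scans an uploaded WAR for the JSP source patterns a command shell relies on. The JSP sources are constructed; the "shell" sample deliberately references an undefined variable so it does not compile, but it still carries the signature a scanner must catch.

```python
"""Build a minimal WAR the way the manager expects it, and scan an uploaded
WAR for the JSP patterns a shell like the page's runme.war relies on.
Added example for this page, not code from Metasploit or Tomcat; the JSP
sources are constructed."""
import io
import re
import zipfile

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>{name}</display-name>
</web-app>
"""


def build_war(context_name: str, files: dict) -> bytes:
    """Return WAR bytes: a zip holding WEB-INF/web.xml plus the given members
    (path -> text).  Tomcat deploys it as /<context_name> when the file is
    uploaded as <context_name>.war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML.format(name=context_name))
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()


def war_members(war_bytes: bytes):
    """List the member paths of a WAR (what the manager will unpack)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.namelist()


# Source-level markers of command execution or call-backs inside a JSP.
# A real scanner would also inspect WEB-INF/classes and WEB-INF/lib; this
# example deliberately stops at JSP source.
SIGNATURES = {
    "runtime-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "process-builder": re.compile(r"\bProcessBuilder\b"),
    "raw-socket": re.compile(r"\bnew\s+(?:java\.net\.)?Socket\s*\("),
    "reflective-load": re.compile(r"\bClass\s*\.\s*forName\s*\("),
}


def scan_war(war_bytes: bytes):
    """Return (member, label) pairs for every JSP-like member matching a
    signature.  Run this on the upload before (or instead of) deploying it."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith((".jsp", ".jspx", ".jspf")):
                continue
            src = z.read(name).decode("utf-8", "replace")
            for label, rx in SIGNATURES.items():
                if rx.search(src):
                    hits.append((name, label))
    return hits


# Constructed samples.  BENIGN_JSP reports the account Tomcat runs as, which
# is the first thing the walkthrough checks after getting a shell.
BENIGN_JSP = ('<%@ page contentType="text/plain" %>'
              'Running as <%= System.getProperty("user.name") %>\n')
# The exec pattern a JSP command shell is built on.  'command' is left
# undefined on purpose so this sample does not compile; the scanner works on
# source text and still flags it.
SHELL_JSP = '<% Runtime.getRuntime().exec(command); %>\n'

if __name__ == "__main__":
    war = build_war("runme", {"index.jsp": BENIGN_JSP, "cmd.jsp": SHELL_JSP})
    print(war_members(war))
    print(scan_war(war))
```

Because the manager deploys whatever archive an authenticated user hands it, a scan like this belongs in front of the upload (a CI gate or a proxy rule), not after: once the context is started, the first GET to it already runs the JSP.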

Craft WAR Payload

Now we upload the runme.war file, and set it running on the Tomcat server:

Note that this does NOT execute the payload yet!!!

To execute the payload and actually run the WAR, we will need to visit http://10.0.0.27:8180/runme/. That request makes the JSP connect back to our command-and-control machine on port 4444, so we need to be listening for the incoming connection before we visit the page.

We'll use netcat to receive the incoming shell once the WAR file is executed.

Netcat Listener

Now we set netcat listening on port 4444, the port we hard-coded into our payload:

    nc -lvp 4444

Now, netcat will listen for the incoming connection, so you're ready to execute your payload.

Once runme.war has been started through the Tomcat manager, visit the deployed application, http://10.0.0.27:8180/runme/, in your browser:

You'll see the incoming TCP connection in netcat.

Houston, We Have a Shell

Congrats - we've got ourselves a shell!

The shell is nothing fancy, but it lets us do some things on the filesystem.


We are the Tomcat 5.5 service user, not root:

Here I list the contents of the root directory:

Note that you are not root so you cannot modify files that you don't own. Same goes for trying to access SSH keys - if they're read-only for that user, you won't be able to see them.

You can also dump the contents of the startup scripts:

You could modify one of these services (or add a new one) to open a netcat shell. Need some additional practice with these netcat shells. It's possible to use a text editor like vi, but also very clunky.

It should be a lot easier to utilize an open reverse TCP connection to transfer files with netcat.

Clean Up

Remove the runme WAR by going back to http://10.0.0.27:8180/manager/html and clicking 'Undeploy'.
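The whole sequence on this page (repeated 401s on the manager, one 200 with a username, a deploy or upload action, the first request to a context the log has never seen, and later an Undeploy) is visible in Tomcat's access log. The following added example, not code from Tomcat or Metasploit, runs that detection over constructed log lines in the default AccessLogValve "common" format (%h %l %u %t "%r" %s %b); the threshold of five failed logins and the sample addresses are assumptions for the example.

```python
"""Detect the manager-driven deployment sequence from this page in Tomcat's
access log (AccessLogValve default "common" pattern).  Added example for
this page, not code from Tomcat or Metasploit; the log lines are constructed."""
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$')

# Manager actions in the HTML (6+), text (7+) and legacy (5.5/6) URL forms.
ACTION = re.compile(r"^/manager/(?:html/|text/)?(upload|deploy|undeploy|start|stop|reload)\b")


def context_of(path: str) -> str:
    """'/runme/x?y=1' -> '/runme'; '/' -> '/'."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def detect(lines, fail_threshold: int = 5):
    """Return alert dicts in log order.  Alerts: manager-bruteforce-success
    (>= fail_threshold 401s on /manager followed by a 200 from the same IP),
    manager-<action> for deploy/upload/undeploy/..., and
    first-hit-new-context for the first request to a context that appears
    only after something was deployed."""
    alerts = []
    fails = defaultdict(int)   # ip -> 401s on /manager since last success
    known = set()              # contexts seen so far
    deployed = False           # did any upload/deploy action succeed yet?
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ip, user, status = m["ip"], m["user"], int(m["status"])
        bare = m["path"].split("?", 1)[0]
        if bare.startswith("/manager"):
            if status == 401:
                fails[ip] += 1
            elif status == 200:
                if fails[ip] >= fail_threshold:
                    alerts.append({"ip": ip, "type": "manager-bruteforce-success",
                                   "user": user, "attempts": fails[ip]})
                fails[ip] = 0
                a = ACTION.match(bare)
                if a:
                    alerts.append({"ip": ip, "type": "manager-" + a.group(1),
                                   "user": user, "path": bare})
                    if a.group(1) in ("upload", "deploy"):
                        deployed = True
            continue
        ctx = context_of(bare)
        if ctx not in known:
            if deployed:
                alerts.append({"ip": ip, "type": "first-hit-new-context",
                               "context": ctx, "path": bare})
            known.add(ctx)
    return alerts


# Constructed log: normal traffic, five failed manager logins, success as
# 'tomcat', an upload, the first GET of /runme/, and the cleanup undeploy.
SAMPLE_LOG = """\
10.0.0.9 - - [22/Sep/2020:09:58:00 +0000] "GET / HTTP/1.1" 200 1895
10.0.0.9 - - [22/Sep/2020:09:58:05 +0000] "GET /tomcat-docs/ HTTP/1.1" 200 6544
10.0.0.5 - - [22/Sep/2020:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 954
10.0.0.5 - - [22/Sep/2020:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 954
10.0.0.5 - - [22/Sep/2020:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 954
10.0.0.5 - - [22/Sep/2020:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 954
10.0.0.5 - - [22/Sep/2020:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 954
10.0.0.5 - tomcat [22/Sep/2020:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 19543
10.0.0.5 - tomcat [22/Sep/2020:10:01:20 +0000] "POST /manager/html/upload HTTP/1.1" 200 19991
10.0.0.5 - - [22/Sep/2020:10:01:25 +0000] "GET /runme/ HTTP/1.1" 200 -
10.0.0.5 - tomcat [22/Sep/2020:10:05:00 +0000] "GET /manager/html/undeploy?path=/runme HTTP/1.1" 200 19000
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the Ubuntu package the file to feed in is /var/log/tomcat8/localhost_access_log.YYYY-MM-DD.txt; the first-hit-new-context alert is the one worth paging on, because by then the uploaded code has already executed.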
Retrieved from 'https://charlesreid1.com/w/index.php?title=Metasploitable/Apache/Tomcat_and_Coyote&oldid=10143'