# Basic Tomcat Info


### Avoid running as root

To avoid running Tomcat as root, a very common configuration is to set up an Apache server on port 80/443 which, when the requested path matches a regular expression, forwards the request to Tomcat running on a different port.

### Default structure

```
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost
```

* The `bin` folder stores the scripts and binaries needed to start and run the Tomcat server.
* The `conf` folder stores the various configuration files used by Tomcat.
* The `tomcat-users.xml` file stores user credentials and their assigned roles.
* The `lib` folder holds the various JAR files that Tomcat needs to run correctly.
* The `logs` and `temp` folders store temporary log files.
* The `webapps` folder is Tomcat's default web root and hosts all the applications. The `work` folder acts as a cache and is used to store data at runtime.

Each folder inside `webapps` is expected to have the following structure.

```
webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class
```

One of the most important files is `WEB-INF/web.xml`, also known as the deployment descriptor. This file stores information about the routes used by the application and the classes that handle them.\
All compiled classes used by the application should be stored in the `WEB-INF/classes` folder. These classes may contain important business logic as well as sensitive information. Any vulnerability in these files can lead to total compromise of the website. The `lib` folder stores the libraries needed by that particular application. The `jsp` folder stores [Jakarta Server Pages (JSP)](https://en.wikipedia.org/wiki/Jakarta_Server_Pages), formerly known as `JavaServer Pages`, which can be compared to PHP files on an Apache server.

Below is an example **web.xml** file.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
  </servlet-mapping>
</web-app>
```

The `web.xml` configuration above defines a new servlet named `AdminServlet` that is mapped to the class `com.inlanefreight.api.AdminServlet`. Java uses dot notation to build package names, which means the class defined above is located on disk at:

* `classes/com/inlanefreight/api/AdminServlet.class`

Next, a new servlet mapping is created that maps requests for `/admin` to `AdminServlet`. This configuration sends any request received for `/admin` to the `AdminServlet.class` class for processing. The `web.xml` descriptor holds a lot of sensitive information and is an important file to check when exploiting a Local File Inclusion (LFI) vulnerability.

### tomcat-users

The `tomcat-users.xml` file is used to allow or deny access to the `/manager` and `host-manager` admin pages.

```xml
<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->

<SNIP>

  <!-- user manager can access only manager section -->
  <role rolename="manager-gui" />
  <user username="tomcat" password="tomcat" roles="manager-gui" />

  <!-- user admin can access manager and admin section both -->
  <role rolename="admin-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />

</tomcat-users>
```

The file shows what each of the roles `manager-gui`, `manager-script`, `manager-jmx` and `manager-status` gives access to. In this example we can see that a user named `tomcat` with the password `tomcat` has the `manager-gui` role, and another weak password, `admin`, is set for the `admin` user account.
