This PHP script can deploy a WAR file on a target server using the Apache Tomcat text interface when the Manager GUI is not enabled.
In the common scenario, an attacker can achieve remote code execution on a server running Apache Tomcat by accessing the Apache Tomcat Manager GUI panel. The attacker can brute-force or guess the panel credentials, or try default user accounts, to compromise it. Once the attacker has access to the Manager GUI panel, remote code execution on the server can be achieved by deploying a WAR file that contains a JSP web shell.
Apache Tomcat has functionality to deploy WAR files (archives containing Java code files), and the Manager GUI panel, accessible to authenticated users only, is used to perform it.
This is not always the case: the Tomcat admin user may not have rights to access the Manager GUI panel, which limits the possibility of remote code execution. An attacker needs access to the GUI panel to deploy a WAR file through it.
After exploring the Apache Tomcat documentation, it came to my knowledge that Apache Tomcat after version 7 has a "Text interface" as well, which allows deployment of WAR files on the server. The text interface is purely command-based and does not have any GUI.
When I was searching around for remote WAR file deployment using the "Text Interface", I found a link to a gist on github.com in which the developer mentioned a curl command to upload a WAR file to the server using the "Text Interface". The "Text Interface" supports remote WAR file uploading using a PUT request (authenticated users only), so if an attacker has access to the "Text Interface", a WAR file can be deployed on the Tomcat server by crafting a curl PUT request.
I exploited the server in 2 ways:
- By using a manual curl command on a Linux system.
- By developing a PHP script which makes the same curl request and needs only the Apache Tomcat installation URL, the username and password of the Tomcat panel, the WAR file we want to upload to the target server, and the deployment name under which the WAR file will be deployed on the server.
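The point above, that an account without Manager GUI rights can still deploy through the text interface, can be checked from the defender's side by auditing `tomcat-users.xml`. The following is an added example, not code from the original page or its script; the sample file, the password list and the function name `audit_tomcat_users` are constructed for illustration, while `manager-gui` and `manager-script` are the Manager application's own role names.

```python
import xml.etree.ElementTree as ET

# Manager roles that permit WAR deployment. manager-script grants the text
# interface, which accepts deployments without any GUI access.
DEPLOY_ROLES = {"manager-gui": "HTML GUI", "manager-script": "text interface"}

# Constructed list of guessable passwords for the demo; use your own wordlist.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "manager", "s3cret", "changeit"}

# Constructed sample tomcat-users.xml (not taken from the original page).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="ops" password="Xk9!v2#qLm7w" roles="manager-gui"/>
  <user username="deploy" password="tomcat" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="ci" password="" roles="manager-script,manager-jmx"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return one finding per account that is able to deploy WAR files."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Newer tomcat-users.xml files declare a namespace; strip it from the tag.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",")}
        interfaces = sorted(DEPLOY_ROLES[r] for r in roles if r in DEPLOY_ROLES)
        if not interfaces:
            continue  # account cannot deploy; out of scope for this check
        weak = (not password
                or password.lower() in WEAK_PASSWORDS
                or password.lower() == name.lower())
        findings.append({"user": name, "deploy_via": interfaces,
                         "weak_password": weak})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE):
        flag = "WEAK PASSWORD" if f["weak_password"] else "ok"
        print(f"{f['user']}: can deploy via {', '.join(f['deploy_via'])} [{flag}]")
```

Passwords stored as digests in `tomcat-users.xml` will not match the plaintext list, so treat a clean result on such a file as inconclusive.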