RCE via WAR upload in Tomcat using path traversal

N B Sri Harsha, Defmax
Published Mar 7, 2021 (3 min read)

Recently I found a remote code execution vulnerability through a file upload in a Java application, by combining a path traversal in the uploaded filename with a WAR file. Tomcat automatically deploys a WAR file that lands in its webapps folder (as long as the Host's autoDeploy setting, which is on by default, has not been disabled). So let's first look at how Tomcat actually works.

What is Tomcat?

Apache Tomcat is a long-lived, open source Java servlet container that implements several core Java enterprise specifications, namely the Java Servlet, JavaServer Pages (JSP) and WebSocket APIs.

In short, it means we can deploy Java web applications on Tomcat.

What is Tomcat's structure?

Once Tomcat has been installed, you will see a directory hierarchy consisting of the following:

  • bin — startup, shutdown, and other scripts and executables
  • common — common classes that Catalina and web applications can use
  • conf — XML files and related DTDs to configure Tomcat
  • logs — Catalina and application logs
  • server — classes used only by Catalina
  • shared — classes shared by all web applications
  • webapps — directory containing the web applications
  • work — temporary storage for files and directories

The common, server and shared directories in that list belong to the older Tomcat 5.x layout; Tomcat 6 and later consolidate them into a single lib directory and add a temp directory. The part that matters here is webapps (the Host's appBase): it holds each deployed WAR file together with the directory it is extracted into.

The vulnerability

The application I was testing had a file-upload feature. I did not know where uploaded files were stored, so I tried path traversal in the filename to push the file up into the web root.

In the upload parameter I used the filename ../check404.exe to test for path traversal. Requesting http://example.com/check404.exe afterwards returned the file, which confirmed two things: the filename was used unsanitised, and the upload directory sat exactly one level below the web root.
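To make that traversal check concrete, here is an added Python example (mine, not code from the original post or from the tested application) that contrasts the filename handling that lets ../check404.exe escape with a hardened handler that rejects it. The upload directory /srv/tomcat/webapps/ROOT/uploads (an upload folder inside Tomcat's appBase, which is exactly what makes the two-level traversal reach webapps/) and the extension allowlist are assumptions for illustration.

```python
import os
import re

# Assumed upload location for illustration: inside Tomcat's appBase, which
# is what lets "../../" from here land in webapps/ itself.
UPLOAD_DIR = "/srv/tomcat/webapps/ROOT/uploads"

# Constructed allowlist; a real application lists the types it truly accepts.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}
# Plain file names only: must start alphanumeric, so "." and ".." never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_dest(upload_dir: str, client_filename: str) -> str:
    """The pattern the tested app evidently used: join the client-supplied
    filename to the upload directory as-is, so '../' segments walk upwards."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def resolves_inside(upload_dir: str, client_filename: str) -> bool:
    """True only if the symlink-resolved target is a descendant of upload_dir.
    commonpath avoids the classic startswith bug where /srv/uploads2 is
    mistaken for a child of /srv/uploads."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, client_filename))
    return target != base and os.path.commonpath([base, target]) == base


def hardened_dest(upload_dir: str, client_filename: str) -> str:
    """Reject (never silently 'fix') anything that is not a plain filename
    with an allowed extension, then re-check containment as a second layer."""
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError(f"path separators not allowed: {client_filename!r}")
    if not SAFE_NAME.match(client_filename):
        raise ValueError(f"unacceptable filename: {client_filename!r}")
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {client_filename!r}")
    if not resolves_inside(upload_dir, client_filename):
        raise ValueError(f"escapes upload directory: {client_filename!r}")
    return os.path.join(os.path.realpath(upload_dir), client_filename)


def accepts(client_filename: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """Convenience wrapper: does the hardened handler accept this name?"""
    try:
        hardened_dest(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("report.pdf", "../check404.exe", "../../cmd_get.war", "shell.war"):
        print(f"{name!r:22} vulnerable -> {vulnerable_dest(UPLOAD_DIR, name)}"
              f"   hardened accepts: {accepts(name)}")
```

The hardened version refuses rather than strips traversal sequences: calling basename() on ../../cmd_get.war would quietly turn it into cmd_get.war and hide the attack from your logs. Independently of the filename check, keep the upload directory outside Tomcat's appBase, so that even a future bypass cannot drop a WAR where the deployer will pick it up.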

Next I tried to guess the names of existing JSP files and overwrite them, but that did not work. While looking for other ways to turn this into a critical vulnerability I came across this site.

It says that Tomcat automatically deploys a WAR file placed in its webapps directory. This is the autoDeploy behaviour of the Host element in conf/server.xml: it is enabled by default, and a background thread rescans appBase periodically (every 10 seconds by default), so a WAR that appears there is deployed as a new context named after the file without any restart.

So I created a WAR file containing a command-execution JSP with GodOfWar, using the following command.

godofwar -p cmd_get

We already know that traversing up one directory from the upload folder reaches the web root of the site (presumably the ROOT web application's directory). Traversing up two directories therefore lands in the webapps directory itself. So I uploaded the WAR with the filename "../../cmd_get.war".

The upload was accepted, and on the deployer's next pass Tomcat deployed the WAR as a new context named after the file. Requesting the JSP inside that context gives you a shell, with the command passed as a GET parameter:

http://example.com/cmd_get/cmd_get.jsp

I hope you learned something from this tutorial.

If you want to get your application tested please email us at contact@defmax.io

Founder of Defmax. Web application security researcher. Bug bounty hunter. CTF with Securisec.