TOMCAT
README
Apache Tomcat CVE Assessment & Exploitation Framework
TOMCAT is a testing tool for identifying and exploiting directory traversal vulnerabilities in Apache Tomcat servers. This framework combines detection for both recent and historical CVEs with practical exploitation capabilities, taking you from initial reconnaissance to full system compromise.
Supported Vulnerabilities
CVE-2020-17530
- Affected Versions: Tomcat 7.0.0 to 7.0.108, 8.5.0 to 8.5.60, 9.0.0 to 9.0.40
- Impact: Directory traversal via rewrite misconfiguration
- Vector: Double URL encoding attacks
CVE-2025-55752
Affected Versions:
- Tomcat 10.1.0-M1 to 10.1.29
- Tomcat 11.0.0-M1 to 11.0.0-M18
- Tomcat 9.0.0-M1 to 9.0.97 (under specific configurations)
Vulnerability Description:
Path traversal vulnerability in Apache Tomcat's URL processing that fails to properly normalize certain encoded path sequences, allowing attackers to read arbitrary files outside the web root directory.
Exploitation Vectors:
- ....// sequences that bypass normalization checks
- Semicolon separators (..;/..;/) for alternative path traversal
- Unicode encoding variations (%c0%af) for evasion
- Double URL encoding payloads
Impact:
- Arbitrary file read (passwd, shadow, web.xml, configuration files)
- Potential credential and source code exposure
- Information disclosure leading to further compromise
How TOMCAT Exploits It:
- Multi-payload testing with various encoding techniques
- Live file content validation to confirm successful traversal
- Version-aware payload prioritization
- Integration with RCE chain when PUT method available
Detection Methodology:
The scanner tests multiple traversal patterns against known file paths, analyzing HTTP responses for successful file content indicators while correlating with Tomcat version data to minimize false positives.
Real-World Validation:
Confirmed working against Tomcat 10.0.0+ instances in production environment.
TOMCAT Features
- Dual CVE detection with intelligent payload selection
- Tomcat version fingerprinting and vulnerability correlation
- Multiple operational modes (stealth, assessment, full exploitation)
- Automated file exfiltration of sensitive system and configuration files
- RCE assessment via PUT method testing
- JSP webshell deployment and multi-platform reverse shells
- Comprehensive reporting with actionable next steps
Installation
git clone https://github.com/ekomsSavior/TOMCAT
cd TOMCAT
pip3 install requests urllib3
Usage
python3 tomcat.py
Platform Support
This tool works across all major platforms:
- Linux (Kali, Ubuntu, etc.) - Primary development platform
- Windows - Requires Python 3.6+ and same dependencies
- macOS - Native support with homebrew Python
Windows users may need to install Python from python.org and use Command Prompt or PowerShell.
Usage Guide
When you launch the scanner, you'll be guided through an interactive menu:
- Target Configuration
- Enter the full Tomcat server URL (http/https, IP or domain)
-
The tool verifies connectivity and Tomcat indicators
-
Operational Mode Selection
- Vulnerability Assessment: Safe scanning only, no exploitation
- Assessment + RCE Check: Adds PUT method testing for potential code execution
- Full Exploitation: Complete assessment with file exfiltration and shell deployment
-
Stealth Mode: Slower, less noisy scanning for monitored environments
-
Scan Execution
The tool automatically: - Fingerprints Tomcat version and correlates with known affected versions
- Tests multiple traversal payloads for both CVEs
- Provides real-time feedback on each test
- Confirms vulnerabilities with file content validation
- Exploitation Phase (if selected)
- Automatically attempts to read sensitive files (/etc/passwd, web.xml, configuration files)
- Tests PUT method availability for potential webshell upload
- If PUT enabled, deploys command shells or reverse shells
- Saves exfiltrated data to local files for analysis
Reverse Shell Capabilities
TOMCAT framework includes comprehensive RCE exploitation through multiple vectors:
PUT Method Exploitation
- Automated detection of enabled PUT methods
- JSP webshell deployment for command execution
- Multi-platform reverse shell generation
- Persistent backdoor installation
Reverse Shell Types Supported
Unix/Linux Targets
- Bash reverse shells with full TTY allocation
- Python-based shells for environments with limited binaries
- Netcat-based fallbacks when available
Windows Targets
- PowerShell reverse shells with AMSI bypass techniques
- Base64 encoded payloads for command line evasion
- Full interactive PowerShell sessions
Reverse Shell Deployment Process
When you select "Full Exploitation" mode:
- PUT Method Assessment
- Automatic OPTIONS request analysis
- Direct PUT method testing with cleanup
-
Authentication requirement detection
-
Webshell Upload
- Randomly named JSP files to avoid detection
- Command execution validation
-
File permission verification
-
Reverse Shell Triggering
- Listener configuration prompts
- Payload generation based on target OS
- Manual trigger control for operator timing
Example Reverse Shell Workflow
[+] Checking PUT method availability...
[+] PUT method enabled (direct test)
[+] Attempting webshell upload...
[+] Webshell uploaded: https://target:8080/cmd_28374.jsp
[+] Uploading reverse shell...
[+] Reverse shell uploaded: https://target:8080/rev_49261.jsp
[!] Start listener: nc -nvlp 4444
[!] Press Enter to trigger reverse shell...
[+] Reverse shell triggered! Check your listener.
Listener Setup Examples
# Netcat listener (Linux/Mac)
nc -nvlp 4444
# Powercat listener (Windows)
powercat -l -p 4444
# Socat listener (Enhanced features)
socat file:`tty`,raw,echo=0 tcp-listen:4444
What's Happening Under the Hood
Reconnaissance Phase
- Basic connectivity checks and service validation
- Server header analysis and Tomcat fingerprinting
- Content-based version detection from error pages and management interfaces
Vulnerability Assessment
- Sequential payload testing with multiple encoding techniques
- Live analysis of HTTP responses for successful file read indicators
- Correlation between detected version and relevant CVE payloads
Exploitation Engine
- Intelligent file path construction for maximum traversal depth
- Adaptive payload selection based on initial scan results
- Multi-platform shellcode generation (Unix/Windows/Python)
- Safe file handling and evidence
This shows successful vulnerability confirmation with:
- Specific CVE identification
- Working payload used
- File content validation
Advanced RCE Features
Webshell Persistence
- Multiple webshell deployment locations
- Configuration file modification for persistence
- Service installation on compromised hosts
Evasion Techniques
- Random JSP filenames to avoid pattern detection
- Obfuscated command execution
- Traffic encryption capabilities
Post-Exploitation
- Automatic privilege escalation checks
- Network reconnaissance from compromised host
- Lateral movement assessment
Legal Disclaimer
TOMCAT is designed for authorized security testing only.
Users must ensure they have explicit permission to test target systems.
Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.
The developer assumes no liability for misuse of this tool.
Want me to format this as a Markdown file for your repository or adjust any technical details?
https://instagram.com/ekoms.is.my.savior