This article describes the author's case study "Using Tomcat's username and password to build a permanent backdoor".

When a JSP of a web application is accessed in a browser, the first request is usually very slow, because Tomcat has to translate the JSP into a servlet source file and then compile it; once compiled, subsequent requests are fast. Tomcat also ships with an application, Manager, which requires a username and password. The username and password are stored in an XML file. Through this application, web applications can be deployed to and withdrawn from the server remotely (it can, of course, also be used locally). In this case, that feature is used to build a backdoor program.

Tomcat is not only a servlet container; it also performs the traditional function of a web server, serving HTML pages. However, it is inferior to Apache at serving static HTML. Tomcat can be integrated with Apache so that Apache serves static HTML while Tomcat handles only JSP and servlets; this requires only changes to the Apache and Tomcat configuration files.

(1) Check the Tomcat settings. After Apache Tomcat is installed on a server, port 8080 is opened by default for external connections. Generally, entering "IP:8080" or the domain name with port 8080 in a browser opens the Apache Tomcat page, as shown in Figure 1.

Figure 1: Connecting to the Tomcat page

(2) View the Tomcat user configuration file. After Tomcat is installed, there is a configuration file, "tomcat-users.xml", located in the conf directory under the Tomcat installation directory. Opening the file directly shows the usernames and passwords in plaintext, as shown in Figure 2. Find and note the username and password that carry the "admin" and "manager" roles.
(Here tomcat-users.xml refers to the file under CATALINA_BASE, not the one under CATALINA_HOME.)

Figure 2: Obtaining the username and password from the user configuration file

Notes: (1) Many administrators who are not familiar with Tomcat do not change the default password after installing it; the username is admin and the password is blank, and in that case you can log on directly. (2) If the administrator has changed the password, it is still saved in "tomcat-users.xml", so the content of this file can be obtained through a webshell.

(3) Go to Tomcat management. Tomcat provides online management, and this case uses it to build the backdoor. Click the "Tomcat Manager" link in the upper-left corner of Figure 1. A window asking for a username and password is displayed, similar to the Windows logon window, as shown in Figure 3.

Figure 3: Logging on to the Tomcat management application

(4) Check the deployments. In Figure 3, enter the administrator-authorized username and password obtained from tomcat-users.xml to reach the deployment management page, as shown in Figure 4.

Figure 4: Deployment management page

Notes: (1) On the deployment management page, a deployed project can be started ("start"), stopped ("stop"), reloaded ("reload") or removed ("undeploy"); clicking "undeploy" physically deletes the files. (2) A deployed folder takes its name from the *.war file. For example, if the uploaded file is job.war, a "job" folder is created in the Tomcat directory.

(5) Deploy the JSP webshell backdoor program. At the bottom of the deployment management page there is a "WAR file to deploy" section. Click Browse, select a prepared backdoor WAR file (in this example, job.war), and click Deploy to deploy it to the server, as shown in Figure 5.

Figure 5: Uploading a backdoor WAR file to the server

Notes: (1) The file must be deployed as a WAR file.
(2) Install WinZip on the system, compress one or more JSP backdoor files into a single archive, and after compression rename the zip file to "*.war". (3) After the file is uploaded, Tomcat deploys and runs it automatically.

(6) Test the backdoor program. Enter "deployment name/JSP file" in the address bar. In this example the correct address is "http://127.0.0.1:8080/job.jsp". If everything is set up correctly, the webshell logon window shown in Figure 6 is displayed.

Figure 6: Logging on to the webshell

(7) Run commands in the webshell. After entering the webshell password, the webshell management interface opens and shows some information about the server by default. Select "Execute Command" in the function menu and enter "netstat -an" in the command input box to view network connections, as shown in Figure 7.

Figure 7: Command execution

Notes: (1) A JSP backdoor deployed in this way runs with high privileges and can execute dangerous commands such as adding users. (2) The JSP backdoor can operate on files through its "File System" module and connect to the database through its "Database" module. (3) In this case a small backdoor program can be kept in the system; if it is detected or deleted by antivirus software, it can be redeployed through the preceding steps, retaining the backdoor permanently.

Summary
The situation described in this case applies when the administrator (admin) password is empty, and also when the username and password can be obtained from Tomcat's tomcat-users.xml file. In general, intranets are relatively weaker, so this case is helpful for intranet penetration.
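As an added defensive check that is not part of the original article: a small Python audit of tomcat-users.xml for the conditions the article relies on in step (2), namely blank or trivial passwords on accounts holding admin or manager roles, and the plaintext storage the summary mentions. The file contents, usernames and passwords below are constructed samples; the privileged-role list is an assumption that covers the legacy "admin"/"manager" roles plus the split manager-* and admin-* roles of later Tomcat releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of conf/tomcat-users.xml; not taken from any real server.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="manager" password="manager" roles="manager"/>
  <user username="deployer" password="Tr0ub4dor3" roles="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant control over the Manager / Host Manager applications (assumed list:
# legacy "admin"/"manager" names plus the split roles used by later Tomcat releases).
PRIVILEGED_ROLES = {
    "admin", "manager", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin-gui", "admin-script",
}


def _local(tag):
    """Strip an XML namespace ({uri}tag -> tag); newer Tomcat files declare a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for privileged accounts with weak credentials."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat's user database accepts either "username" or the older "name" attribute.
        name = elem.get("username") or elem.get("name") or "<unnamed>"
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue  # accounts without Manager/Host Manager roles are out of scope here
        if password == "":
            findings.append((name, "blank password on privileged account"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings


def audit_tomcat_users_file(path):
    """Audit a real file, e.g. $CATALINA_BASE/conf/tomcat-users.xml (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Any account the audit lists should have its password replaced (and, on Tomcat versions that support it, stored digested rather than in plaintext) or its manager role removed; the Manager application should also be restricted to trusted addresses rather than left reachable on port 8080 from everywhere.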
Since I am not particularly familiar with JSP, especially its deployment settings, I do not know whether strict permission restrictions like those of IIS can be implemented for JSP, or whether execution of a JSP webshell can be prohibited; this case is a kind of discussion of server attack and defense. Powerful applications are often broken as a whole through one weak vulnerability. Note that some Tomcat keywords are searched for through Google. If the administrator password is not empty, I use the "inurl:8080" keyword to search (a common method; in fact, changing the port avoids most of these attacks). I don't know how to search.