Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Tomcat connection pool exploits? anyone?
Posted by: ascetik
Date: August 26, 2008 02:51PM

Does anyone know if it is possible for an external application to connect to a tomcat connection pool to exploit the database similar to how you can in Weblogic. In weblogic if you there is a connection pool set up then an external application can make a t3 connection and make queries to the database without supplying a password if the connection pool is not set up to provide a separate uname and password and or connection filters. I'm not sure if there is something similar in tomcat..

Any thoughts???

i have information on my blog about the weblogic exploit... you just need the weblogic.jar library to get the code to run.

http://pentesterconfessions.blogspot.com/2008/03/fun-with-weblogic-connection-pools-free.html

Options: ReplyQuote
Re: Tomcat connection pool exploits? anyone?
Posted by: phobos182
Date: August 27, 2008 09:19AM

I'm pretty sure that this does not pertain to Tomcat. The issue at hand with Weblogic is the t3 protocol that allows applications to utilize the connection pool through a socket. Tomcat does not have any of this. Tomcat Connection pools are in memory, and do not have a socket.

Options: ReplyQuote
Re: Tomcat connection pool exploits? anyone?
Posted by: ascetik
Date: August 27, 2008 10:05AM

I'm pretty sure you are right and this was my line of thinking as well. I have a box that i am testing and it has like a gazillion ports open and just trying to track down what they all do and knowing that they use connection pools I thought that this might be exploitable here as in weblogic.

Thanks
ascetik

Options: ReplyQuote


Sorry, only registered users may post in this forum.