Questions

  1. In a black-box penetration test, how can we identify publicly accessible Tomcat servers?

  2. Will the Changelog.html file always be present on the Apache Tomcat server?

  3. I have successfully uploaded the JSP shell to the Apache Tomcat server. However, I am unable to access it. What could be the problem?

  4. I found an OGNL OOB injection. How can I exploit this further?