Vulnerability & Exploit Database

Apache Tomcat Manager Application Deployer Authenticated Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a JSP application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
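For defenders, the deployment request described above leaves a clear trace in the Tomcat access log. The following detection sketch is an added example, not part of the module or of this page: it flags PUT/POST requests to the manager deployment endpoints and counts 401 responses under /manager/ per client. The text-interface paths (/manager/deploy, /manager/text/deploy), the "common" access log pattern and the sample lines are assumptions about the monitored server.

```python
import re

# Assumed format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b)
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Deployment endpoints: the text interface (/manager/deploy on Tomcat 6,
# /manager/text/deploy on 7 and later) and the HTML form named in the description.
DEPLOY = re.compile(r'^/manager/(?:text/)?deploy$|^/manager/html/upload$')

def find_deployments(lines):
    """Return (events, auth_failures): manager deploy requests, and per-host
    counts of 401 responses under /manager/ (possible credential guessing)."""
    events, failures = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the assumed format
        path = m["uri"].split("?", 1)[0].split(";", 1)[0]
        if not path.startswith("/manager/"):
            continue
        status = int(m["status"])
        if status == 401:
            failures[m["host"]] = failures.get(m["host"], 0) + 1
        if m["method"] in ("PUT", "POST") and DEPLOY.match(path):
            events.append({
                "host": m["host"], "user": m["user"], "time": m["ts"],
                "method": m["method"], "uri": m["uri"],
                "accepted": 200 <= status < 300})
    return events, failures

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '192.0.2.10 - tomcat [12/Mar/2024:10:01:05 +0000] "PUT /manager/deploy?path=/Zx9 HTTP/1.1" 200 45',
    '198.51.100.7 - admin [12/Mar/2024:11:00:00 +0000] "POST /manager/html/upload?n=1 HTTP/1.1" 200 17000',
    '203.0.113.5 - - [12/Mar/2024:11:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024',
    '192.0.2.10 - - [12/Mar/2024:11:09:00 +0000] "PUT /manager/text/deploy?path=/a HTTP/1.1" 403 100',
]

if __name__ == "__main__":
    events, failures = find_deployments(SAMPLE)
    for e in events:
        print("DEPLOY", e["time"], e["host"], e["user"], e["method"], e["uri"],
              "accepted" if e["accepted"] else "rejected")
    print("401s under /manager/ by host:", failures)
```

An accepted deployment from an address or account that is not part of the normal release process, especially one preceded by 401 responses from the same host, is the pattern to alert on.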

Module Name

exploit/multi/http/tomcat_mgr_deploy

Authors

  • jduck <jduck [at]>

Targets

  • Automatic
  • Java Universal
  • Windows Universal
  • Linux x86

Platforms

  • java
  • linux
  • windows

Architectures

  • java
  • x86

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show targets
    ...targets...
msf exploit(tomcat_mgr_deploy) > set TARGET <target-id>
msf exploit(tomcat_mgr_deploy) > show options
    ...and set options...
msf exploit(tomcat_mgr_deploy) > exploit