• Close
  • Back to search

    Apache Tomcat Manager Application Deployer Authenticated Code Execution

    This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

    Free Metasploit Download

    Get your copy of the world's leading penetration testing tool

     Download Now

    Module Name



    • jduck <jduck [at] metasploit.com>



    • Automatic
    • Java Universal
    • Windows Universal
    • Linux x86


    • java
    • linux
    • windows


    • java
    • x86



    Module Options

    To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > show targets ...targets... msf exploit(tomcat_mgr_deploy) > set TARGET <target-id> msf exploit(tomcat_mgr_deploy) > show options ...show and set options... msf exploit(tomcat_mgr_deploy) > exploit

    Related Vulnerabilities

    Related Modules