CHANGELOG Version 0.3, 19.07.16:
+ Added bind-shell & reverse-shell functionality to give the user direct access to the shell.
tomcatWarDeployer is an Apache Tomcat auto WAR deployment & pwning penetration testing tool.
What is it?
This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, then invoke it and provide a shell (via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).
In practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that the pentester provided (or custom ones; in the end, we all love tomcat:tomcat).
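On the defensive side, the deployment step described above leaves a recognisable trace in Tomcat's access log. The following is an added example, not part of tomcatWarDeployer: it assumes the default AccessLogValve `common` pattern and the standard Manager deploy endpoints, and the sample log lines, addresses and context names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Tomcat's AccessLogValve "common" pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2016:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2474
10.0.0.5 - tomcat [19/Jul/2016:10:00:02 +0000] "GET /manager/html HTTP/1.1" 200 17432
10.0.0.5 - tomcat [19/Jul/2016:10:00:03 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 19120
10.0.0.5 - - [19/Jul/2016:10:00:05 +0000] "GET /jsp_app/ HTTP/1.1" 200 512
10.0.0.9 - deployer [19/Jul/2016:11:30:00 +0000] "PUT /manager/text/deploy?path=/billing&update=true HTTP/1.1" 200 60
10.0.0.7 - - [19/Jul/2016:12:00:00 +0000] "GET /docs/index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Manager endpoints that accept a WAR upload.
DEPLOY_ENDPOINTS = {
    ("POST", "/manager/html/upload"),  # HTML interface upload form
    ("PUT", "/manager/text/deploy"),   # text interface, Tomcat 7 and later
    ("PUT", "/manager/deploy"),        # text interface, Tomcat 6
}

def find_war_deployments(log_text):
    """Return one finding per Manager deploy request answered with 200."""
    failed_auth = Counter()  # 401s on /manager per client IP seen so far
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url, status = urlsplit(m["uri"]), int(m["status"])
        if url.path.startswith("/manager") and status == 401:
            failed_auth[m["ip"]] += 1
        if (m["method"], url.path) in DEPLOY_ENDPOINTS and status == 200:
            findings.append({
                "ip": m["ip"], "user": m["user"], "time": m["ts"],
                "endpoint": url.path,
                # The text interface names the context in ?path=;
                # the HTML upload carries it in the request body instead.
                "context": parse_qs(url.query).get("path", [None])[0],
                "prior_401s": failed_auth[m["ip"]],
            })
    return findings

if __name__ == "__main__":
    for finding in find_war_deployments(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead to compare against known change windows and deploy accounts, since legitimate deployments use the same endpoints and the Manager reports deploy failures in the response body rather than the status code.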
+ Implement some sort of communication authentication and encryption/encoding, to prevent plain-text data from flowing over the wire/ether
+ Test it on tomcat8
git clone https://github.com/mgeeky/tomcatWarDeployer && cd tomcatWarDeployer
python tomcatWarDeployer.py -h
git pull origin master
Usage of tomcatWarDeployer for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the final user’s responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.