CVE-2017-3066: Digging Deeper to Get Command Output
Original article by private null, 轩公子谈技术, 2025-04-22 06:39
It started when a client's website was flagged as having a deserialization vulnerability. Tracing it to axis2, we found it was the Adobe ColdFusion deserialization vulnerability.
I've pentested a lot of projects and have almost never seen or run into this vulnerability. I was also curious: this should be an internal-network thing, so how could it be reachable from the internet?
Download vulhub and reproduce the vulnerability.
docker-compose 1.x is no longer supported; you have to upgrade to 2.x before it works:
root@localhost:~/vulhub/coldfusion/CVE-2017-3066# docker-compose up -d
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 633, in send
conn = self.get_connection_with_tls_context(
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 489, in get_connection_with_tls_context
conn = self.poolmanager.connection_from_host(
File "/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py", line 303, in connection_from_host
return self.connection_from_context(request_context)
File "/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py", line 325, in connection_from_context
raise URLSchemeUnknown(scheme)
urllib3.exceptions.URLSchemeUnknown: Not supported URL scheme http+docker
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/docker-compose", line 11, in <module>
load_entry_point('docker-compose==1.25.0', 'console_scripts', 'docker-compose')()
File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 72, in main
command()
File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 125, in perform_command
project = project_from_options('.', options)
File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 53, in project_from_options
return get_project(
File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 151, in get_project
return Project.from_config(
File "/usr/lib/python3/dist-packages/compose/project.py", line 102, in from_config
service_networks = get_networks(service_dict, networks)
File "/usr/lib/python3/dist-packages/compose/network.py", line 320, in get_networks
networks[network.true_name] = netdef
File "/usr/lib/python3/dist-packages/compose/network.py", line 125, in true_name
self._set_legacy_flag()
File "/usr/lib/python3/dist-packages/compose/network.py", line 146, in _set_legacy_flag
data = self.inspect(legacy=True)
File "/usr/lib/python3/dist-packages/compose/network.py", line 106, in inspect
return self.client.inspect_network(self.legacy_full_name)
File "/usr/lib/python3/dist-packages/docker/utils/decorators.py", line 19, in wrapped
return f(self, resource_id, *args, **kwargs)
File "/usr/lib/python3/dist-packages/docker/api/network.py", line 212, in inspect_network
res = self._get(url, params=params)
File "/usr/lib/python3/dist-packages/docker/utils/decorators.py", line 46, in inner
return f(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/docker/api/client.py", line 230, in _get
return self.get(url, **self._set_request_timeout(kwargs))
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 602, in get
return self.request("GET", url, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 637, in send
raise InvalidURL(e, request=request)
requests.exceptions.InvalidURL: Not supported URL scheme http+docker
Once the container is up you get a 404 page, which can be recorded as a fingerprint.
The reproduction write-ups online are all based on two files:
ColdFusionPwn-0.0.1-SNAPSHOT-all.jar
ysoserial.jar
ColdFusionPwn's job is to use the ysoserial library to generate the malicious serialized object and wrap it in an AMF message, producing the payload file that is finally used for the attack.
Using ysoserial directly gives output that is not in the AMF format.
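As an added example (not code from the post or from the ColdFusionPwn/ysoserial projects), here is the defender's counterpart to the payload description above: a small Python check that inspects a request to an AMF endpoint and flags a Java serialization stream embedded in the AMF body. The AMF packet prologue, the `application/x-amf` content type and the `0xACED0005` stream magic are standard; the two request bodies are constructed for the demonstration and are not captured traffic.

```python
# Added example (not from the original post): flag HTTP requests to an AMF
# endpoint whose body carries a Java serialization stream, the traffic shape
# on which CVE-2017-3066 exploitation depends. All sample bodies below are
# constructed for illustration, not captured traffic.

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # prefix of every java.io.ObjectOutputStream
AMF_CONTENT_TYPE = "application/x-amf"
# Package of the library the CommonsBeanutils1 chain lives in; its name inside a
# serialization stream is a strong indicator of a gadget payload.
GADGET_MARKERS = [b"org.apache.commons.beanutils"]


def parse_amf_envelope(body: bytes):
    """Parse only the fixed AMF packet prologue: version, header count, message count."""
    if len(body) < 6:
        return None
    return {
        "version": int.from_bytes(body[0:2], "big"),
        "header_count": int.from_bytes(body[2:4], "big"),
        "message_count": int.from_bytes(body[4:6], "big"),
    }


def analyze_request(headers: dict, body: bytes) -> list:
    """Return a list of finding tags for one request (header dict + raw body)."""
    findings = []
    content_type = headers.get("Content-Type", "").lower()
    if AMF_CONTENT_TYPE not in content_type:
        return findings                       # not an AMF call, nothing to inspect
    env = parse_amf_envelope(body)
    if env is None or env["version"] not in (0, 3):
        findings.append("malformed-amf-envelope")
    if JAVA_SERIAL_MAGIC in body:
        # Legitimate Flex/AMF traffic encodes objects with AMF type markers; a raw
        # Java object stream inside the body is what the exploit tooling produces.
        findings.append("java-serialization-in-amf")
        for marker in GADGET_MARKERS:
            if marker in body:
                findings.append("gadget-marker:" + marker.decode())
    return findings


def _amf0_packet(target: str, response: str, payload: bytes) -> bytes:
    """Build a minimal AMF0 packet with one message, so the samples have a real envelope."""
    def u16_string(s: str) -> bytes:          # U16 length-prefixed UTF-8 string
        raw = s.encode("utf-8")
        return len(raw).to_bytes(2, "big") + raw
    packet = b"\x00\x00" + b"\x00\x00" + b"\x00\x01"   # version 0, 0 headers, 1 message
    packet += u16_string(target) + u16_string(response)
    return packet + len(payload).to_bytes(4, "big") + payload


# Constructed samples. BENIGN carries an empty AMF0 strict array (marker 0x0A, count 0);
# SUSPICIOUS smuggles bytes shaped like a Java object stream naming the gadget package
# (the layout is only loosely modelled on a TC_OBJECT class descriptor).
BENIGN = _amf0_packet("null", "/1", b"\x0a\x00\x00\x00\x00")
SUSPICIOUS = _amf0_packet(
    "null", "/1",
    JAVA_SERIAL_MAGIC + b"sr\x00\x1dorg.apache.commons.beanutils." + b"\x00" * 8,
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, analyze_request({"Content-Type": AMF_CONTENT_TYPE}, body))
```

The check deliberately does not try to decode AMF3 objects; it only parses the fixed prologue and then scans the raw body, because the exploit payload is a Java object stream that no AMF decoder needs to understand for the signal to fire. In a proxy or WAF this would run against the raw request body before it reaches the ColdFusion Flex gateway.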
In the screenshot, the response contains the ipconfig output, which shows the result is being displayed through an echo.
Using those two tools directly, there is no way to get the command's output back. A reverse shell can be tried, but if the host has no outbound access there is no way to exploit it.
As I see it there are two options. The first is to hand-write a gadget chain and then execute an echo webshell, but I don't know how to do that, so it's a straight pass.
The second is to use java-chains.jar to generate the corresponding chain.
Open it, click Generate, locate the AMF entry, and you'll find the concrete chain.
This is where a bit of voodoo comes in.
The command-line approach found online attacks using CB1:
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/aaaa' poc.ser
The CB1 gadget is built against version 1.9.2,
whereas the commons-beanutils in the environment is version 1.8.
Even so, the original attack method can still create the file.
The CB1 in the web UI is also a 1.9 build, yet it fails to create the file.
Switching to CB 1.8 below, it then creates cccc.
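The version sensitivity described above has a defensive counterpart: knowing exactly which commons-beanutils version each deployed jar bundles, since a chain built for one serialVersionUID will not deserialize against another. The following Python is an added example, not from the post or from the java-chains project; it reads Maven's pom.properties (or, as a fallback, the manifest's Implementation-Version, which is assumed to be present) from jars constructed in memory for the demonstration, with constructed version strings mirroring the 1.9.2 and 1.8 the post compares.

```python
# Added example (not from the original post): inventory the commons-beanutils
# version shipped in each jar of a deployment, so a defender knows which library
# version a CommonsBeanutils gadget chain would have to match. The jars are
# constructed in memory here; a real run would read them from disk.
import io
import re
import zipfile

# Maven's standard location for build metadata inside a published jar
# (groupId and artifactId are both "commons-beanutils" for this library).
POM_PROPS = "META-INF/maven/commons-beanutils/commons-beanutils/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
CLASS_PREFIX = "org/apache/commons/beanutils/"


def beanutils_version(jar_bytes: bytes):
    """Return the commons-beanutils version bundled in a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(CLASS_PREFIX) for n in names):
            return None                      # jar carries no beanutils classes
        if POM_PROPS in names:               # preferred: exact Maven coordinates
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names:                # fallback: manifest header (assumed present)
            text = zf.read(MANIFEST).decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
            if m:
                return m.group(1)
        return "unknown"                     # classes present but no version metadata


def inventory(jars: dict) -> dict:
    """Map jar name -> beanutils version for every jar that bundles the library."""
    result = {}
    for name, data in jars.items():
        version = beanutils_version(data)
        if version is not None:
            result[name] = version
    return result


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from {path: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample deployment: a stock Maven jar, a bundled copy that carries only
# a manifest version, and an unrelated jar. Version strings are constructed values.
SAMPLE_JARS = {
    "commons-beanutils-1.9.2.jar": _make_jar({
        POM_PROPS: b"version=1.9.2\ngroupId=commons-beanutils\nartifactId=commons-beanutils\n",
        CLASS_PREFIX + "BeanUtils.class": b"\xca\xfe\xba\xbe",
    }),
    "bundled.jar": _make_jar({
        MANIFEST: b"Manifest-Version: 1.0\nImplementation-Version: 1.8.0\n",
        CLASS_PREFIX + "BeanUtils.class": b"\xca\xfe\xba\xbe",
    }),
    "unrelated.jar": _make_jar({MANIFEST: b"Manifest-Version: 1.0\n"}),
}

if __name__ == "__main__":
    for jar, version in inventory(SAMPLE_JARS).items():
        print(f"{jar}: commons-beanutils {version}")
```

Running this over a real installation's lib directories (each jar's bytes read from disk and passed in the same dict shape) gives the list to compare against the vendor's fixed versions; a jar reported as "unknown" still bundles the classes and deserves a closer look rather than being skipped.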
Then use oneforall echo to generate the echo webshell.
Finally: java-chains.jar, yyds (the GOAT).