Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bitterzzZZ/CVE-2021-43297-POC
CVE-2021-43297 POC,Apache Dubbo<= 2.7.13时可以实现RCE
https://github.com/bitterzzZZ/CVE-2021-43297-POC
Last synced: 21 days ago
JSON representation
CVE-2021-43297 POC,Apache Dubbo<= 2.7.13时可以实现RCE
- Host: GitHub
- URL: https://github.com/bitterzzZZ/CVE-2021-43297-POC
- Owner: bitterzzZZ
- Created: 2022-01-17T12:26:18.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-01-24T11:24:56.000Z (almost 3 years ago)
- Last Synced: 2024-08-05T17:35:59.855Z (4 months ago)
- Language: Java
- Homepage:
- Size: 354 KB
- Stars: 38
- Watchers: 2
- Forks: 9
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - bitterzzZZ/CVE-2021-43297-POC - CVE-2021-43297 POC,Apache Dubbo<= 2.7.13时可以实现RCE (Java)
README
# CVE-2021-43297
## 漏洞描述
Dubbo Hessian-Lite 3.2.11及之前版本中存在潜在RCE攻击风险。Hessian-Lite在遇到序列化异常时会输出相关信息,这可能导致触发某些恶意定制的Bean的toString方法,从而引发RCE攻击。
## 原理
最开始的POC只能在Apache Dubbo<=2.7.8实现RCE,原理见[先知文章]()(审核通过后回来修改)。投稿之后又研究了一下,可以在Apache Dubbo<=2.7.13实现RCE,原理分析见[我的博客文章](https://www.cnblogs.com/bitterz/p/15828415.html)
效果如下
POC利用条件:
- apache dubbo <= 2.7.13或alibaba dubbo对应版本
- 知道dubbo provider的ip和端口,且可以访问
- dubbo provider存在XBean链
- dubbo provider服务器允许向外HTTP GET请求
# 环境安装和Poc运行
- 首先下载zookeeper
```
wget http://archive.apache.org/dist/zookeeper/zookeeper-3.3.3/zookeeper-3.3.3.tar.gz
tar zxvf zookeeper-3.3.3.tar.gz
cd zookeeper-3.3.3
cp conf/zoo_sample.cfg conf/zoo.cfg
```
- 配置
```
vim conf/zoo.cfg
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
dataDir=/绝对路径/zookeeper-3.3.3/data
# the port at which the clients will connect
clientPort=2181
```
- 修改绝对路径,在data目录下放置一个myid文件
```
mkdir data
touch data/myid
```
- 启动zookeeper
```
cd /private/var/tmp/zookeeper-3.3.3/bin
./zkServer.sh start
```
- 安装dubbo-samples-api
```
git clone https://github.com/apache/dubbo-samples.git
cd dubbo-samples/dubbo-samples-api
```
- 修改dubbo-samples/dubbo-samples-api/pom.xml
```xml
4.0.0
org.example
dubbomytest
pom
1.0-SNAPSHOT
org.apache.maven.plugins
maven-compiler-plugin
8
8
1.8
1.8
2.7.6
4.12
0.30.0
1.2.0
3.7.0
2.21.0
${project.artifactId}:${dubbo.version}
openjdk:8
20880
2181
org.apache.dubbo.samples.provider.Application
org.apache.dubbo
dubbo
2.7.3
org.apache.dubbo
dubbo-common
2.7.3
org.apache.dubbo
dubbo-dependencies-zookeeper
2.7.3
pom
org.apache.xbean
xbean-naming
4.15
junit
junit
${junit.version}
test
```
- xbean包
provider端和本地都需要安装,依赖如下
```xml
org.apache.xbean
xbean-naming
4.15
```
- 编译启动
IDEA中添加dubbo-samples-api,注意修改zookeeper和dubbo的端口,另外在Application.java中修改代码:
```
service.setRegistry(new RegistryConfig("zookeeper://" + zookeeperHost + ":" + zookeeperPort+"/?timeout=250000"));
```
防止高版本dubbo连接zookeeper过慢而连接失败
在idea里面启动dubbo-samples-api中的Application.java
启动后输出`dubbo service started`即表示dubbo已启动
- 运行poc
本地添加依赖:
```xml
org.apache.dubbo
dubbo-common
2.7.3
org.apache.dubbo
dubbo
2.7.3
org.apache.dubbo
dubbo-dependencies-zookeeper
2.7.3
pom
com.caucho
hessian
4.0.51
```
编译ExecTest.java,随后在HttpServer.java中修改ExecTest.class的路径,然后执行HttpServer.main方法,最后执行HessianLitePoc.main方法