DNS hijacking | Hacking techniques | Grade manipulation | Website intrusion
5.39K subscribers
93 photos
5 links
After this vulnerability was exposed, the proof of concept (PoC) was not seen for a long time. The versions that could successfully exploit it seemed to be updated daily. There were several key version numbers: "51", "48", and "58". It was really confusing which one was correct. So, I decided to first check the official announcement and found that only the release notes for version 49 mentioned "enhanced security protection." Therefore, I decided to look into versions 48 and 49, checking commits and such, but at that time, I didn't find anything.
Name, age, Alipay avatar data continuously supplied, also supports various customized data requests, express delivery of gifts, financial management, shopping, undertaking various matching services
GeoServer remote code execution vulnerability CVE-2024-36401 POC. In GeoServer, any unauthenticated user can execute XPath expressions on a default installed server by crafting malicious OGC requests, thereby exploiting the functionality provided by Apache Commons Jxpath to execute arbitrary code.
Real-time Alipay washing with avatar, limited spots daily, customers reserve spots in advance, real-time washing is relatively slow, please do not rush!!! Payments are settled on the same day.
Then trace the debugging to the execute method, located in the ImportTestCaseAction.class class. The actual path is: \user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls_12.1.3\cmprq0\war\WEB-INF\lib\ws-testpage-impl.jar!\com\oracle\webservices\testclient\ws\action\ImportTestCaseAction.class
⭐️ SDK ⭐️dpi

- Supports library-based deduplication
- Supports mixing multiple APP order submissions
- Various industries, can capture any APP
- Option to capture active users within 3 days
- Data available the day after order submission

SDK DPi is recruiting agents and direct clients, prices can be as low as freezing point for large volumes, real clients can be exempt from testing
@feijinhsa
trojan.generic is the name of a computer trojan. After activation, it releases virus files from its internal resources. Some trojan programs under WINDOWS bind a file, bundling the virus program and a normal application into one program, releasing both the virus and the normal program, using the normal program to cover the virus. The virus runs in the background of the computer and sends data to us. Besides the usual harm, the virus can cause mainstream antivirus software and personal firewalls to fail to open, and even cause system "blue screen", automatic restart, or crash during virus scanning.

The core module "UpdateServer.exe" registers itself as a system service upon startup, first checking the current system environment to prevent running in a virtual machine, packet capture detection, or debugging analysis. It then checks the core files in the update directory: "UpData.db", "Notify.exe", and "info.db". It decrypts (RC4+ZLib) the "UpData.db" module and loads it into memory, calling its exported function "update_init".

Penetrate backend permissions, databases, servers.
Crack and customize scripts for domestic and overseas sites and apps, target specific sites, penetrate, attack and paralyze, modify orders, change data, listen, monitor, and various other services.

Server intrusion, penetration testing, database deletion, data removal.

Taking orders.

@feijinhsa
After the file, the specific filename follows. Directory traversal issues must be considered.
Usually, the backend writes like this by directly concatenating with os.path.join, which can lead to arbitrary file read.
Try to directly read the startup command of the current program to check the absolute path of the current Web application.
Directly read app.py.
Found that there is a /shell route that can achieve Jinja2 template rendering.
Examine common SSTI injection.
Testing found that the environment is offline and cannot write files.

PS: Actually, if online, you can reverse shell via python. The environment lacks curl and ping commands, so the judgment was wrong, sob sob.

User permission is nobody, and the tmp directory also has permission restrictions, which shattered our fantasy of writing echo commands.

Here we need to consider looking again for a WSGI-based memory shell or carrying it in the Response request header.
Write to Server
Blacklist filtering
blacklist_patterns = [r'.*length.*', r'.*count.*', r'.*[0-9].*', r'.*\..*', r'.*soft.*', r'.*%.*']
Here, "soft" is filtered, but direct concatenation is filtered.
For accessing attributes and methods, use [] and the |attr() filter instead.
{{lipsum['globals']['builtins']['setattr']((((lipsum|attr('spec'))|attr('init')|attr('globals'))['sys']|attr('modules'))['wsgiref']|attr('simple_server')|attr('ServerHandler'),'server_so''ftware',lipsum['globals']['builtins']['import']('os')['popen']('/readflag')[ 'read']())}}
Write to http_version
It can be known that the ServerHandler class is based on SimpleHandler, and the parent class of SimpleHandler is BaseHandler.
A simple check shows that the response header writing is implemented in send_preamble.
Therefore, we can control not only server_software but also http_version, and we have implemented echoing the result in http_version.
@feijinhsa
Drag 010Editor.exe into x64dbg, press F9 to reach the main program entry, and find many jmp instructions. Press Shift+D to search for the string "Evaluation" (as shown in the screenshot above), and find 4 lines that might be registration success prompts.
Double-click any one of the registration success addresses to enter the code, and find that they are located in the same subroutine. Scroll up to find the first sentence of the subroutine (the 4th sentence is selected in the picture, but it doesn't really matter), set a breakpoint, then run. The registration information prompt indeed does not pop up, which indicates that this part of the program is verifying whether the software is registered. Select the cmp ebx,DB instruction, press Shift+C to copy the opcode, then in the current module, use "Match Features" to search, and paste the hexadecimal opcode.
@feijinhsa