Liferay Portal RCE | CVE-2020–7961

0xweb01
3 min readSep 28, 2023

--

…..

In this write-up, I will explain how i managed to found my First RCE. which I believe is quite interesting. So Let’s jump right into the story.

i was asked to Scan a scope for a company that have about 25 domain so i picked up lets say “redirect.com” and started

Methodology — Getting Started with Target Domain

1- I started hunting with Finding the open ports first

nmap -sV -T4 -sC 10.10.10.10
8009/tcp open  ajp13  Apache Jserv (Protocol v1.3) | _ajp-methods:
8080/tcp open http Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.0.25)

2- started visiting the target domain like a normal user of the web application.

From the wappalyzer, I found the web application is using the Liferay 6.2

Here I decided to conduct research about Liferay 6.2

what is Liferay ?

Liferay Portal is a Java based CMS application, which is observed to be commonly used by many enterprises to manage their web content.

and i find out this version had l Unauthenticated < 7.2.1 CE GA2 — Remote Code Execution

Liferay Portal RCE via JSON Deserialization was published on 20 March 2020, tracked by CVE-2020–7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Below is the Liferay Portal RCE via JSON Deserialization vulnerability:

Vulnerable JSON end point: http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column

but still i’m not sure my Target is it vulnerable or not let’s see

let’s Go to The POC since the Target is Windows server ill Go with “systeminfo”

    payloads:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux

--

--

0xweb01
0xweb01

Written by 0xweb01

Computer Engineer | Cyber Security Enthusiast | Bug Hunter | eWPTXv2 | RHCSA | CCNA