Liferay Portal RCE | CVE-2020–7961

…..

In this write-up, I will explain how i managed to found my First RCE. which I believe is quite interesting. So Let’s jump right into the story.

i was asked to Scan a scope for a company that have about 25 domain so i picked up lets say “redirect.com” and started

Methodology — Getting Started with Target Domain

1- I started hunting with Finding the open ports first

nmap -sV -T4 -sC 10.10.10.10

8009/tcp open  ajp13  Apache Jserv (Protocol v1.3) | _ajp-methods:
8080/tcp open  http   Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.0.25)

2- started visiting the target domain like a normal user of the web application.

From the wappalyzer, I found the web application is using the Liferay 6.2

Here I decided to conduct research about Liferay 6.2

what is Liferay ?

Liferay Portal is a Java based CMS application, which is observed to be commonly used by many enterprises to manage their web content.

and i find out this version had l Unauthenticated < 7.2.1 CE GA2 — Remote Code Execution

Liferay Portal RCE via JSON Deserialization was published on 20 March 2020, tracked by CVE-2020–7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Below is the Liferay Portal RCE via JSON Deserialization vulnerability:

Vulnerable JSON end point: http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column

but still i’m not sure my Target is it vulnerable or not let’s see

let’s Go to The POC since the Target is Windows server ill Go with “systeminfo”

    payloads:
      command:
        - "systeminfo" # Windows
        - "lsb_release -a" # Linux

        POST /api/jsonws/expandocolumn/update-column HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        cmd2: systeminfo

My Full POC:

Liferay Portal Unauthenticated < 7.2.1 CE GA2 — Remote Code Execution · GitHub

Liferay Portal JSON RCE (CVE-2020–7961) References:

1. https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961
3. https://nvd.nist.gov/vuln/detail/CVE-2020-7961
4. Liferay Portal Java Unmarshalling Remote Code Execution ≈ Packet Storm (packetstormsecurity.com)