In this write-up, I will explain how I managed to find my first RCE, which I believe is quite interesting. So let's jump right into the story.
I was asked to scan the scope of a company that has about 25 domains, so I picked one, let's call it "redirect.com", and started.
Methodology — Getting Started with Target Domain
1- I started hunting by finding the open ports first:
nmap -sV -T4 -sC 10.10.10.10
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods:
8080/tcp open http Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.0.25)
2- Then I started visiting the target domain like a normal user of the web application.
From Wappalyzer, I found that the web application was running Liferay 6.2.
Here I decided to do some research on Liferay 6.2.
What is Liferay?
Liferay Portal is a Java-based CMS and portal application, commonly used by enterprises to manage their web content.
I found out that this version is affected by an unauthenticated remote code execution vulnerability that hits every Liferay Portal release before 7.2.1 CE GA2.
Liferay Portal RCE via JSON deserialization was published on 20 March 2020 and is tracked as CVE-2020-7961.
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
The JSONWS endpoint used by the public PoC for this vulnerability:
Vulnerable JSON endpoint: http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
But I still was not sure whether my target was vulnerable or not, so let's check.
Let's go to the PoC. Since the target is a Windows server, I'll go with "systeminfo" as the command to execute; it proves code execution without changing anything on the host:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
POST /api/jsonws/expandocolumn/update-column HTTP/1.1
My full PoC:
Liferay Portal JSON RCE (CVE-2020-7961) references:
- Liferay Portal Java Unmarshalling Remote Code Execution, Packet Storm (packetstormsecurity.com)