Open in app

Sign in

Write

Sign in

Liferay Portal RCE | CVE-2020–7961

0xweb01
3 min readSep 28, 2023

--

…..

In this write-up, I will explain how i managed to found my First RCE. which I believe is quite interesting. So Let’s jump right into the story.

i was asked to Scan a scope for a company that have about 25 domain so i picked up lets say “redirect.com” and started

Methodology — Getting Started with Target Domain

1- I started hunting with Finding the open ports first

nmap -sV -T4 -sC 10.10.10.10
8009/tcp open  ajp13  Apache Jserv (Protocol v1.3) | _ajp-methods:
8080/tcp open  http   Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.0.25)

2- started visiting the target domain like a normal user of the web application.

From the wappalyzer, I found the web application is using the Liferay 6.2

Here I decided to conduct research about Liferay 6.2

what is Liferay ?

Liferay Portal is a Java based CMS application, which is observed to be commonly used by many enterprises to manage their web content.

and i find out this version had l Unauthenticated < 7.2.1 CE GA2 — Remote Code Execution

Liferay Portal RCE via JSON Deserialization was published on 20 March 2020, tracked by CVE-2020–7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Below is the Liferay Portal RCE via JSON Deserialization vulnerability:

Vulnerable JSON end point: http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column

but still i’m not sure my Target is it vulnerable or not let’s see

let’s Go to The POC since the Target is Windows server ill Go with “systeminfo”

    payloads:
      command:
        - "systeminfo" # Windows
        - "lsb_release -a" # Linux
        POST /api/jsonws/expandocolumn/update-column HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        cmd2: systeminfo

My Full POC:

Liferay Portal Unauthenticated < 7.2.1 CE GA2 — Remote Code Execution · GitHub

Liferay Portal JSON RCE (CVE-2020–7961) References:

  1. https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961
  3. https://nvd.nist.gov/vuln/detail/CVE-2020-7961
  4. Liferay Portal Java Unmarshalling Remote Code Execution ≈ Packet Storm (packetstormsecurity.com)
Bug Bounty
Cve 2020 7961
Rce
Liferay
Bugs

--

--

0xweb01
0xweb01

Written by 0xweb01

15 Followers
47 Following

Computer Engineer | Cyber Security Enthusiast | Bug Hunter | eWPTXv2 | RHCSA | CCNA

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams