CVE-2018-2894 WebLogic arbitrary file upload vulnerability
On July 19, 2018, CNCERT issued a vulnerability warning that WebLogic has a high-risk remote code execution vulnerability, which is essentially an arbitrary file upload vulnerability. There are two upload points:
/ws_utc/config.do
/ws_utc/begin.do
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3.
The person who found the vulnerability is a friend of mine, so I will try to reproduce it (mainly because I've been stuck on CVE-2018-2893 for a long time and can't get it to reproduce, crying).
Reproduction process
First set up a local environment; I used 12.2.1.2 here.
According to the prompt, the management address of the WebLogic server is http://localhost:7001/console. The vulnerability warning says that you can upload files without authentication, so we directly visit one of the upload points to try:
http://localhost:7001/ws_utc/config.do. The page prompts for automatic deployment, and then enters the configuration page.
Change the current working directory
To reproduce this vulnerability, you must first change the current working directory. The reason is that the uploaded file is saved in the temporary working directory, which is the physical path corresponding to the current working directory. If you do not change this directory, the system reports that the file cannot be found when we access the uploaded file. (0_0) No wonder it couldn't be reproduced...
So the current working directory must be changed to an appropriate directory for the application to be able to serve the files we uploaded.
As for what the appropriate directory is: since WebLogic is deployed locally, we can take our time looking for it.
Remember that when accessing ws_utc/config.do, the page prompts for automatic deployment, so look under the installation directory for any folders that have the file structure of a deployed web application, such as WEB-INF, webapp, .war files, etc.
OK, searching for WEB-INF, we found a few places:
D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war\WEB-INF
D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\consoleapp\z97wi8\.tld_cache\WEB-INF
D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\consoleapp\fl21lb\console-ext\jolt\WEB-INF
D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\consoleapp\fl21lb\console-ext\core-connector\WEB-INF
...
Going through each path, only D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war
is the location where the application we are visiting is deployed, so try it and change the working directory to
D:\install\weblogic_12.2.1.2.0\wls12212\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war\
Upload files
In the Security tab on the left, you can add JKS keystores. Any file can be uploaded here. Note that at this step you should capture the request and find the timestamp in the response, because it is part of the file name of the uploaded file.
Access the uploaded file
After a successful upload, directly visit
http://localhost:7001/ws_utc/config/keystore/<timestamp>_<filename>
There is nothing special about uploading the file. The only thing you need to pay attention to is the step of changing the working directory: if you do not know that the upload path is not the location where the application is deployed, the uploaded file cannot be accessed even after the upload succeeds.
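From the defender's side, the two upload points and the `/ws_utc/config/keystore/<timestamp>_<filename>` retrieval path described above are easy to watch for in web-server access logs. The following script is an added example written for this page, not code from the original write-up or from Oracle: it parses constructed combined-format log lines (an assumption; adapt the regex to your front-end proxy's format), flags every request to the ws_utc upload points, and separately flags keystore fetches whose file name does not end in `.jks`, which is a heuristic chosen here because the form is meant for JKS keystores and the page notes that any file can be uploaded through it.

```python
import re
from collections import Counter

# Constructed sample access-log entries (combined log format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2018:10:01:02 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jul/2018:10:02:10 +0800] "GET /ws_utc/config.do HTTP/1.1" 200 8431 "-" "python-requests/2.19.1"
203.0.113.9 - - [19/Jul/2018:10:02:15 +0800] "POST /ws_utc/config.do HTTP/1.1" 200 612 "-" "python-requests/2.19.1"
203.0.113.9 - - [19/Jul/2018:10:02:20 +0800] "GET /ws_utc/config/keystore/1531965740123_test.jsp HTTP/1.1" 200 37 "-" "python-requests/2.19.1"
10.0.0.7 - - [19/Jul/2018:10:03:00 +0800] "GET /ws_utc/begin.do HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.8 - - [19/Jul/2018:10:03:30 +0800] "GET /ws_utc/config/keystore/1531965810000_client.jks HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Jul/2018:10:04:00 +0800] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The two upload points named in the advisory.
UPLOAD_POINTS = ("/ws_utc/config.do", "/ws_utc/begin.do")
# Path under which uploaded keystores are served back: <timestamp>_<filename>.
KEYSTORE_RE = re.compile(r'^/ws_utc/config/keystore/(?P<stamp>\d+)_(?P<name>[^/?]+)$')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(path):
    """Map a request path to (kind, uploaded_name); kind is None for uninteresting paths."""
    base = path.split("?", 1)[0]
    if base in UPLOAD_POINTS:
        return "upload_point", None
    m = KEYSTORE_RE.match(base)
    if m:
        name = m.group("name")
        # Heuristic (assumption): the form is for JKS keystores, so a served file
        # with any other extension deserves a closer look.
        if name.lower().endswith(".jks"):
            return "keystore_fetch", name
        return "keystore_fetch_non_jks", name
    return None, None


def scan(log_text):
    """Return one finding per request that touches the ws_utc upload/retrieval paths."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind, name = classify(entry["path"])
        if kind is None:
            continue
        findings.append({
            "ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "path": entry["path"], "status": entry["status"], "kind": kind, "name": name,
        })
    return findings


def hits_by_ip(findings):
    """Count flagged requests per client, to surface the noisiest source quickly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']}  {f['ip']:<14} {f['kind']:<22} {f['method']} {f['path']}")
    print(hits_by_ip(results))
```

Any unauthenticated hit on the upload points from an unexpected source is worth an alert on its own; a `keystore_fetch_non_jks` finding following a `POST` to `/ws_utc/config.do` from the same client is the sequence the reproduction above produces.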