Weblogic middleware deserialization vulnerability and related
Common vulnerabilities are: weak passwords, the Java deserialization vulnerability (CVE-2018-2628), the arbitrary file upload vulnerability (CVE-2018-2894), the XMLDecoder deserialization vulnerability (CVE-2017-10271), SSRF (present when the UDDI component is selected during Weblogic installation), and the deserialization vulnerability CVE-2019-2725 (reference: https://www.0dayhack.com/post-883.html).
Weak password
Admin console address:
http://localhost:7001/console/login/LoginForm.jsp (default port 7001)
A webshell can be deployed from the console.
Deserialization vulnerability
The 2016 deserialization vulnerability
Java deserialization exploitation tool
Enter the target address, upload the webshell, and exploit.
Note: this tool supports JBoss, Weblogic, WebSphere and Jenkins (source-code deployment software).
CVE-2018-2628
K8 weblogicGUI tool
Fill in the IP and port, click getshell, obtain the webshell address, and open it.
An HTTP 500 response means success.
A 404 response means it did not work.
Then connect using K8fly (K8飞刀).
cmdshell
CVE-2019-2725
Requires Python 3; to be filled in when time permits.
Arbitrary file upload (CVE-2018-2894)
The cause of the vulnerability is that the file /ws_utc/config.do can be accessed directly without authorization.
Specific steps:
Unauthorized access path: http://192.168.0.127:7001/ws_utc/config.do
Weblogic default work directory path:
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\tmp\WSTestPageWorkDir
We change it to the following path:
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp_WL_internal\wstestclient\i7n5e1\war\css
This is because this path is accessible, whereas with the default path we have no permission to reach the file even after uploading it, so it is useless.
Click "Security".
Click "Add"; the name and password can be anything.
Choose a file to upload and upload the webshell.
Can it be used as soon as the webshell is uploaded? Note that a timestamp is prepended to the filename.
Right-click, choose Inspect, and find the timestamp value, id="xxxxxx".
The full name on the server is then xxxxx_2019.jsp.
Once the webshell is uploaded, it is accessed as follows:
http://192.168.0.127:7001/ws_utc/css/config/keystore/1567568546449_2019.jsp
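As an added defensive example (not part of the original notes): a small Python scanner that flags, in constructed access-log lines, the two traces the steps above leave behind, namely requests to /ws_utc/config.do and a JSP served from /ws_utc/css/config/keystore/ with the epoch-millisecond prefix described above. The combined log format and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Optional

# Combined-format access log line (field layout assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Unauthenticated endpoint behind CVE-2018-2894.
CONFIG_DO = "/ws_utc/config.do"
# Uploaded keystore files land here as <epoch-ms>_<name>.jsp (13-digit prefix).
KEYSTORE_JSP_RE = re.compile(
    r"^/ws_utc/css/config/keystore/\d{13}_[^/]+\.jsp$", re.IGNORECASE
)


def classify(path: str, method: str, status: str) -> Optional[str]:
    """Return an alert label for one request, or None if it is not suspicious."""
    p = path.split("?", 1)[0]
    if p.lower().startswith(CONFIG_DO):
        # Any reachable config.do deserves review; a POST is the settings change or upload itself.
        return "ws_utc_config_change" if method == "POST" else "ws_utc_config_access"
    if KEYSTORE_JSP_RE.match(p) and status.startswith("2"):
        # A JSP successfully served from the keystore directory is the uploaded file executing.
        return "ws_utc_keystore_jsp_executed"
    return None


def scan(lines: List[str]) -> List[dict]:
    """Parse log lines and return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        label = classify(m["path"], m["method"], m["status"])
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "label": label})
    return findings


# Constructed sample lines for demonstration (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [04/Sep/2019:10:00:01 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '10.0.0.9 - - [04/Sep/2019:10:02:11 +0800] "GET /ws_utc/config.do HTTP/1.1" 200 5678',
    '10.0.0.9 - - [04/Sep/2019:10:02:40 +0800] "POST /ws_utc/config.do HTTP/1.1" 200 321',
    '10.0.0.9 - - [04/Sep/2019:10:03:05 +0800] "GET /ws_utc/css/config/keystore/1567568546449_2019.jsp HTTP/1.1" 200 99',
    '10.0.0.9 - - [04/Sep/2019:10:03:06 +0800] "GET /ws_utc/css/config/keystore/1567568546449_old.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["ts"], f["ip"], f["label"], f["path"])
```

Legitimate administrators do open config.do from the console, so correlate the "access" label with source address before alerting; the "executed" label has no benign explanation on a production server.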
SSRF vulnerability reproduction
Reference: https://www.jianshu.com/p/97b157a20108