1. Vulnerability Details
Affected versions: WebLogic 10.3.6.0, WebLogic 12.1.3.0, WebLogic 12.2.1.2, WebLogic 12.2.1.3
WebLogic is an application server produced by Oracle Corporation in the United States; more precisely, it is middleware built on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It brings the dynamic features of Java and the security of the Java Enterprise standard to the development, integration, deployment and management of large-scale network applications.
WebLogic has a file upload vulnerability at one of its upload points: an arbitrary JSP file can be uploaded, which gives an attacker control of the server.
2. Reproduction process
Build the Docker environment:
docker-compose up -d
Visit http://192.168.239.128:7001/console
docker-compose logs | grep password
This shows the administrator account and password.
The administrator username is weblogic and the password is NM77cubp.
Log in with this account and password.
After logging in to the administration console, configure the domain.
Click the configuration of base_domain, check the 'Enable Web Service Test Page' option under 'Advanced', and then save the configuration.
Visit http://192.168.239.128:7001/ws_utc/config.do
Set Work Home Dir to:
/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
The static css directory of the ws_utc application requires no access permission, whereas a file uploaded to the default working directory cannot be accessed even if the upload succeeds.
If the directory is not changed, accessing the uploaded file returns 404.
Click Submit.
Upload the web shell; the connection succeeds.
Click 'Security' -> 'Add' and upload the web shell.
Click Submit; the name can be anything.
Two files were uploaded; the second one, test, is used in the test below.
Press F12 and look up the timestamp (id=1677669228778).
The main purpose of a timestamp is to certify, by technical means, the time at which data was generated, so that it can be verified whether the data was tampered with after it was created.
Visit http://192.168.239.128/ws_utc/css/config/keystore/[timestamp]_[filename]
http://192.168.239.128:7001/ws_utc/css/config/keystore/1677669228778_1.jsp
Godzilla connects successfully.
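As an added example that is not part of the original write-up, the following Python script scans web-server access-log lines for the two traces the procedure above leaves behind: requests to the ws_utc test-client configuration page (which should be disabled in production) and files served from the ws_utc keystore directory under the [timestamp]_[filename] naming shown above. The common-log-format layout and the sample entries are constructed assumptions, not logs from a real server.

```python
import re
from typing import List, Tuple

# Constructed sample access-log entries in common log format; not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:15:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [01/Mar/2023:10:16:40 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 312
10.0.0.5 - - [01/Mar/2023:10:17:30 +0000] "GET /ws_utc/css/config/keystore/1677669228778_1.jsp HTTP/1.1" 200 40
10.0.0.9 - - [01/Mar/2023:10:18:00 +0000] "GET /ws_utc/css/style.css HTTP/1.1" 200 2048
10.0.0.9 - - [01/Mar/2023:10:19:00 +0000] "GET /ws_utc/css/config/keystore/1677669300000_x.jsp HTTP/1.1" 404 0
"""

# client, method, path, status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Path layout described in the write-up: /ws_utc/css/config/keystore/<epoch-ms timestamp>_<file name>
KEYSTORE_RE = re.compile(r'^/ws_utc/css/config/keystore/(\d{13})_([^/?]+)')
CONFIG_PAGE = '/ws_utc/config.do'


def scan_access_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, path, reason) for requests matching the ws_utc abuse pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, method, path, status = m.groups()
        if path.split('?', 1)[0] == CONFIG_PAGE:
            findings.append((client, path,
                             'ws_utc test-client configuration page reached; '
                             'Web Service Test Page should be disabled in production'))
            continue
        km = KEYSTORE_RE.match(path)
        # A 404 means the Work Home Dir was not redirected into the css directory,
        # so only successful (non-404) responses indicate a reachable uploaded file.
        if km and status != '404':
            name = km.group(2)
            if name.lower().endswith(('.jsp', '.jspx')):
                reason = 'server-side script served from ws_utc keystore directory (HTTP %s)' % status
            else:
                reason = 'uploaded file served from ws_utc keystore directory (HTTP %s)' % status
            findings.append((client, path, reason))
    return findings


if __name__ == '__main__':
    for client, path, reason in scan_access_log(SAMPLE_LOG):
        print(client, path, reason)
```

In a real deployment the same check is cheaper at the file system: any file in the keystore directory under the css tree should be reviewed, since that directory is meant to hold static assets, not uploads.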