WebLogic arbitrary file upload (CVE-2018-2894): remote code execution vulnerability reproduction

I. Vulnerability description

On the WebLogic administration side there are two pages that can be reached without authentication and that allow an arbitrary file upload; an attacker who uploads a webshell (getshell) through them gains control of the server directly. Oracle fixed this arbitrary file upload in the Web Service Test Page with its July 2018 Critical Patch Update. The Web Service Test Page is not enabled by default in "production mode", so the reach of the vulnerability is limited to deployments that turned it on. The two pages are /ws_utc/begin.do and /ws_utc/config.do.

II. Affected versions

Oracle WebLogic Server 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3

III. Environment setup and vulnerability reproduction

1. Build the vulnerable environment with Docker and the vulhub project.

2. Run the following commands to start the WebLogic service:

    cd vulhub/weblogic/CVE-2018-2894/
    docker-compose build
    docker-compose up -d

3. Once the environment is up, browse to http://172.17.0.1:7001/console; the administration console login page is shown.

4. Run `docker-compose logs | grep password` to read the administrator password from the container log. In this run the administrator username is weblogic and the password is DMZkS7RT; the password is generated when the container first starts, so the value in your own logs will differ.

5. Log in to the console, click the configuration of base_domain, open the "Advanced" section, tick the "Enable Web Service Test Page" option, and save the configuration. This is the switch that exposes /ws_utc/begin.do and /ws_utc/config.do.

6. Browse to http://172.17.0.1:7001/ws_utc/config.do and set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css. This is the exploded directory of the ws-testclient web application itself, so anything written below it is served by that application without authentication. The 4mcj4y segment is a name WebLogic generates at deployment time; on a target other than the vulhub image, check the real directory name on the server.

7. Click "Security" -> "Add" and upload a JSP webshell (the post uses a "大马", a full-featured JSP shell) as the keystore file.

8. Inspect the page element (browser developer tools) to read the timestamp that the server assigned to the uploaded entry.

9. Request http://172.17.0.1:7001/ws_utc/css/config/keystore/1562558927056_mkzy.jsp. The file name is <timestamp>_<uploaded file name>, stored under config/keystore below the Work Home Dir set in step 6, and it is executed as a JSP because it now lives inside the ws-testclient web application.

10. Enter the webshell password and the JSP shell is available.

IV. Mitigation

1. Require authenticated access to the config.do and begin.do pages, and keep the Web Service Test Page disabled in production mode (its default), since both pages are only reachable while it is enabled.

2. Add signatures for this attack to IPS and similar defensive products.

3. Upgrade to the latest official version (the fix shipped in Oracle's July 2018 Critical Patch Update).
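Detection logic to pair with item 2 above, written as an added example rather than anything from the original post. It scans access-log lines for the two unauthenticated pages and for hits on the /ws_utc/css/config/keystore/<timestamp>_<name>.jsp location the write-up demonstrates, and it lists executable files left in the keystore directory below the Work Home Dir. The log lines are constructed for the example and assume WebLogic's default common-log access.log format; the upload endpoint /ws_utc/resources/setting/keystore is taken from public PoC scripts, not from the write-up.

```python
"""Detect CVE-2018-2894 exploitation traces in WebLogic access logs and on disk.

Added example, not from the original post. Sample log lines are constructed;
UPLOAD_ENDPOINT is an assumption from public PoCs; LOG_RE assumes the default
common-log access.log format.
"""
import re
from pathlib import Path

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

TEST_PAGES = ("/ws_utc/begin.do", "/ws_utc/config.do")   # the two unauthenticated pages
UPLOAD_ENDPOINT = "/ws_utc/resources/setting/keystore"   # assumption (public PoCs)
# Uploaded files are served from <workDir>/config/keystore as <timestamp>_<original name>
KEYSTORE_HIT = re.compile(r"^/ws_utc/css/config/keystore/\d+_[^/]+\.jspx?$", re.IGNORECASE)
EXEC_SUFFIXES = {".jsp", ".jspx", ".war", ".class"}


def classify(line: str):
    """Return (severity, reason) for one access-log line, or None if not interesting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method = m.group("ip"), m.group("method")
    path = m.group("path").split("?", 1)[0]
    if KEYSTORE_HIT.match(path):
        return ("critical", f"{ip} requested an uploaded JSP in the keystore dir: {path} ({m.group('status')})")
    if path == UPLOAD_ENDPOINT and method == "POST":
        return ("high", f"{ip} pushed a file through the ws_utc keystore upload")
    if path in TEST_PAGES:
        return ("medium", f"{ip} reached the unauthenticated Web Service Test Page at {path}")
    if path.startswith("/ws_utc/"):
        return ("low", f"{ip} hit {path}: the Web Service Test Page is enabled on this server")
    return None


def scan_log(lines):
    """Findings for a sequence of access-log lines, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


def suspicious_names(names):
    """Keep only file names with an executable suffix; real keystores are .jks/.p12 etc."""
    return sorted(n for n in names if Path(n).suffix.lower() in EXEC_SUFFIXES)


def scan_keystore_dir(work_dir: str):
    """List executable files under <work_dir>/config/keystore (the step-6 Work Home Dir)."""
    keystore = Path(work_dir) / "config" / "keystore"
    if not keystore.is_dir():
        return []
    return [str(keystore / n) for n in suspicious_names(p.name for p in keystore.iterdir())]


# Constructed sample, mirroring the write-up's steps 6-9 from one client.
SAMPLE_LOG = [
    '10.0.0.7 - - [08/Jul/2019:12:08:47 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521',
    '10.0.0.7 - - [08/Jul/2019:12:09:01 +0800] "GET /ws_utc/config.do HTTP/1.1" 200 9913',
    '10.0.0.7 - - [08/Jul/2019:12:09:30 +0800] "POST /ws_utc/resources/setting/keystore HTTP/1.1" 200 312',
    '10.0.0.7 - - [08/Jul/2019:12:09:45 +0800] "GET /ws_utc/css/config/keystore/1562558927056_mkzy.jsp HTTP/1.1" 200 7012',
    '10.0.0.9 - - [08/Jul/2019:12:10:02 +0800] "GET /ws_utc/css/main.css HTTP/1.1" 200 1220',
]

if __name__ == "__main__":
    for severity, reason in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
    for path in scan_keystore_dir("/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/"
                                  "tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"):
        print("[critical] executable file in keystore dir:", path)
```

Feed the real access.log to `scan_log` and run `scan_keystore_dir` with the Work Home Dir currently set on config.do; any "low" hit already tells you the test page is enabled on a production server, and a "critical" hit is a served upload, so treat the file name as the webshell to remove.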

Reference: https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2018-2894


Source: www.cnblogs.com/yuzly/p/11152895.html