Weblogic any unauthorized file upload vulnerability (CVE-2018-2894)
Vulnerability Overview:
-WebLogic unauthorized access there are two pages were /ws_utc/begin.do,/ws_utc/config.do, through the two pages can be uploaded directly webshell.
Vulnerabilities Version:
- weblogic 10.3.6.0,12.1.3.0,12.2.1.2,12.2.1.3
Vulnerability to build:
https://vulhub.org/#/environments/weblogic/CVE-2018-2894/
Vulnerability reproduction:
- ws_utc / config.do page to upload
first visit /ws_utc/config.do, first set about the path, because the default upload directory is not Web directory can not perform webshell, you can set about the path set here/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/css
(css access does not require any permissions)
and then submit save, upload webshell added security inside,
webshell access path,http://ip:7001/ws_utc/css/config/keystore/[时间戳]_[文件名]
(timestamp on the map id attribute)
- ws_utc / begin.do upload page
to access the page, then upload directly to the upper right corner, although the prompt upload failed, but in fact has been successfully uploaded.
Bug fixes:
1, set Config.do , begin.do page after login authorized to access;
2, upgrade upgrade upgrade to the latest version!
ps: a long rest, like him to teach.