2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
Today I will talk with you about how to analyze the security of WebLogic. Many people may not know much about it, so to help you understand it better the editor has summarized the following; I hope you get something from this article.
1 What is WebLogic
WebLogic is a web server produced by BEA Systems in the United States, comparable to the IIS and Apache we commonly use; more precisely, it is middleware based on the J2EE architecture. A web server is the software needed to build a website, parsing and publishing web pages among other functions. WebLogic is written in pure Java. At present, WebLogic holds the largest share of the world web server market; other web server products include IBM's WebSphere and the free Tomcat and Resin.
WebLogic is no stranger to anyone who works in the security industry. Website owners use WebLogic to build web services and benefit from its scalability, flexible deployment, support for a variety of standards and other advantages. But there is no absolute security: even as a mature product, WebLogic sees a variety of general vulnerabilities every year, including command execution and deserialization flaws, and an attacker can make full use of them to attack the system and harm the interests of its users.
The top 10 countries by WebLogic deployment are as follows:
Preliminary statistics show that WebLogic is widely used in China, supporting the core business of many enterprises, especially in the finance, power, government and other industries, including many intranet application systems.
The chart of domestic middleware usage is as follows:
2 Analysis of WebLogic vulnerabilities
With the growing attention paid to Internet security in recent years, a large number of WebLogic vulnerabilities have been exposed. According to the CVE records, the earliest WebLogic vulnerability is CVE-2000-0499, which affects WebLogic versions 3.1.8 through 4.5.1; a remote attacker can use it to view the source code of JSP programs. According to official CVE statistics, 268 WebLogic vulnerabilities have been disclosed since 2000.
Several deserialization vulnerabilities have been exposed in WebLogic, and Oracle has released a series of deserialization patches one after another. Recently, however, it has been reported that earlier deserialization patches can be bypassed: even after users apply the patch, there are still cases where the filter is bypassed and remote commands are executed successfully.
Serialization converts an object into a byte stream that can easily be saved in memory, in a file or in a database; deserialization is the reverse process of restoring the byte stream to an object. In Java, the writeObject() method of the ObjectOutputStream class performs serialization, and the readObject() method of the ObjectInputStream class performs deserialization.
When the Java class ObjectInputStream performs deserialization it does not check its input, which means a malicious attacker may be able to construct specific input that produces abnormal results after ObjectInputStream deserializes it, allowing remote execution of arbitrary code.
WebLogic uses a blacklist to filter dangerous deserialization classes, so as long as a deserializable class outside the scope of the blacklist is found, the filter can be bypassed and system commands executed. The vulnerability discussed here exploits the ability to perform arbitrary deserialization through JRMP (Java Remote Messaging Protocol, a Java-specific protocol for finding and referencing remote objects).
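The defensive counterpart of the blacklist approach above is an allowlist: the stream is refused unless every class it names is one the service expects, so "a class the blacklist forgot" no longer helps. The following is an added plain Java SE example, not WebLogic's or Oracle's code; the SearchRequest type and the allowlist contents are hypothetical.

```java
import java.io.*;
import java.util.Set;

// Hypothetical message type that the receiving service legitimately expects.
final class SearchRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    SearchRequest(String name) { this.name = name; }
}
// Allowlisting ObjectInputStream: a class is refused when its descriptor is resolved unless
// it is explicitly expected, so an unlisted gadget class never reaches readObject(). The
// blacklist weakness described above (a class the filter forgot) does not apply to an allowlist.
final class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Set.of(
        SearchRequest.class.getName(), "java.lang.Integer", "java.lang.Number");
    AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}

public class AllowlistDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or null if the stream named a class outside the allowlist.
    static Object readChecked(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(stream))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes; a HashMap (stand-in for any unlisted class) is refused.
        System.out.println(readChecked(serialize(new SearchRequest("acme"))) != null);
        System.out.println(readChecked(serialize(new java.util.HashMap<String, String>())) != null);
    }
}
```

On Java 9 and later (and 8u121+), ObjectInputStream.setObjectInputFilter or the jdk.serialFilter system property expresses the same allowlist without subclassing.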
A malicious attacker can take advantage of the deserialization vulnerability to execute commands remotely by constructing malicious request messages, for example to view sensitive files on the server or to upload a Trojan, leading to the disclosure of sensitive user files and attacks on the server. The sites with deserialization vulnerabilities are as follows:
In addition to deserialization vulnerabilities, WebLogic also has security vulnerabilities such as SSRF, weak passwords and XSS. SetupUDDIExplorer.jsp has both SSRF and XSS vulnerabilities. The XSS code is as follows:
The SSRF vulnerability code is as follows:
Submitting the following URL triggers the SSRF vulnerability:
http://10.158.244.198:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.158.242.100:8080&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
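The root cause in the URL above is that the operator parameter is fetched by the server without any check on where it points. As an added example (not WebLogic's own code), the following validator refuses such a value before any outbound request is made; the class name and the public address 198.51.100.7 are constructed for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

// Hypothetical server-side check for the "operator" parameter: the registry URL is only
// accepted when it is a plain http(s) URL whose host resolves to a routable address,
// never to loopback, link-local, private or unspecified address space.
public final class OperatorUrlValidator {
    // True for addresses a server-side fetch must never be pointed at.
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        // Java's isSiteLocalAddress() does not cover IPv6 unique-local space (fc00::/7).
        return a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
    }

    public static boolean isAllowedOperator(String operator) {
        URI uri;
        try {
            uri = new URI(operator);
        } catch (URISyntaxException e) { return false; }
        String s = uri.getScheme();
        // Only http/https; refuses file:, ftp: and other schemes the fetcher might honour.
        if (s == null || !(s.equalsIgnoreCase("http") || s.equalsIgnoreCase("https"))) return false;
        // A host must be present, and userinfo is rejected so the real host is never hidden.
        if (uri.getHost() == null || uri.getUserInfo() != null) return false;
        try {
            // Check every address the name resolves to, not just the text of the URL.
            for (InetAddress addr : InetAddress.getAllByName(uri.getHost())) {
                if (isInternal(addr)) return false;
            }
        } catch (UnknownHostException e) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // The intranet target from the article's URL is refused before any request is made;
        // a documentation-range address (198.51.100.7, constructed) passes the network check.
        System.out.println(isAllowedOperator("http://10.158.242.100:8080"));
        System.out.println(isAllowedOperator("http://198.51.100.7/uddi"));
    }
}
```

For a UDDI explorer that only ever talks to a few known registries, a host allowlist on top of this check is simpler and stricter.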
3 WebLogic vulnerability statistics
The statistics of general vulnerabilities disclosed for WebLogic are as follows:
CVE name          Affected versions                                Vulnerability impact
CVE-2017-10178    10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2           Unauthenticated attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-10148    10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2           Unauthenticated attacker with network access via T3 can compromise Oracle WebLogic Server
CVE-2017-10147    10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2           Unauthenticated attacker with network access via T3 can compromise Oracle WebLogic Server
CVE-2017-10137    10.3.6.0, 12.1.3.0                               Unauthenticated attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-10123    12.1.3.0                                         Low-privileged attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-10063    10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2           Unauthenticated attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-3531     12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2           Unauthenticated attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-3506     10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2 Unauthenticated attacker with network access via HTTP can compromise Oracle WebLogic Server
CVE-2017-3248     10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1           Unauthenticated attacker with network access via T3 can compromise Oracle WebLogic Server
4 How to prevent WebLogic vulnerabilities
Since WebLogic hosts the deployment of business applications, its importance is hard to overstate. To keep systems secure in the face of WebLogic vulnerabilities, the following measures can be taken:
* Pay regular attention to the security situation of WebLogic and upgrade or patch promptly for newly disclosed vulnerabilities.
* Avoid exposing WebLogic on the public network as far as possible; restrict it to maintenance and management from the internal network.
* Change WebLogic's default port 7001 and the default access path of the administration console.
* Inspect the server regularly to check whether any files have been maliciously modified.
* Deploying security measures such as a WAF can reduce the harm of these vulnerabilities to some extent.
* If the business does not need the UDDI function, turn it off by deleting the uddiexplorer folder.
After reading the above, do you have a better understanding of how to analyze WebLogic security? If you want to know more, please follow the industry information channel; thank you for your support.