Example Analysis of Weblogic vulnerability CVE-2019-2725

2025-01-19 Update From: SLTechnology News&Howtos

This article walks through an example analysis of the WebLogic vulnerability CVE-2019-2725 in detail, for readers who want to understand how it works.

0x01 Overview

0x02 In Depth

For how the payload is constructed, refer to CVE-2017-17485.

First, take a look at the payload for this vulnerability.

Looking at how that vulnerability is exploited, we find that it loads a malicious XML file through the org.springframework.context.support.FileSystemXmlApplicationContext class, and the payload is triggered by SpEL expressions inside that XML file.

Coming back to WebLogic: it ships an equivalent class with the same constructor, so we can try this payload first. In testing, it turns out that the payload does not work. Looking more closely at the code, we find that the class WebLogic uses when parsing the XML file is com.bea.core.repackaged.springframework.beans.factory.support.BeanDefinitionValueResolver.

I set a breakpoint here and stepped in, as follows.

The operations that follow com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext are straightforward.

Compared with the point where the CVE-2017-17485 payload is triggered, this code path is missing one expression-parsing call:

    Object valueObject = evaluate(typedStringValue);

That is to say, the XML has no way to operate on the bean pb with something like #{pb.start()}. So the payload has to be adjusted here, and the result of my adjustment is as follows.

There are three ways to define the operations that run when the Spring container initializes a bean and before it destroys a bean. The first is to mark the initialization and destruction methods with the @PostConstruct and @PreDestroy annotations.

The second is to define the init-method and destroy-method attributes in the XML.

The third is for the bean to implement the InitializingBean and DisposableBean interfaces.

The payload for CVE-2017-17485 uses a SpEL expression to register the bean. We cannot use a SpEL expression here because the relevant parsing support is missing, but the init-method attribute solves this problem. Let's look at an example first.

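The test program is as follows:

    public class TestInitMethod {
        // Called by the Spring container when the bean is initialized (init-method).
        public void testInit() {
            System.out.println("test init-method");
        }
    }

The configuration file is as follows:

    // spring.xml

The Main program is as follows:

    import org.springframework.context.support.ClassPathXmlApplicationContext;

    public class Main {
        public static void main(String[] args) {
            // Loading the context instantiates the beans and runs their init-method.
            ClassPathXmlApplicationContext context1 = new ClassPathXmlApplicationContext("spring.xml");
        }
    }

It prints the following result:

    test init-method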

As for why SpEL is not supported here, my guess is that the Spring version is too old to support SpEL expressions. FileSystemXmlApplicationContext inherits from AbstractXmlApplicationContext, and ClassPathXmlApplicationContext inherits from AbstractXmlApplicationContext as well. So in theory this class should work too, and trying it confirms that it does.
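Because init-method runs code at bean initialization even where SpEL is unavailable, a review of bean definition files has to flag lifecycle attributes as well as #{...} expressions. The following is an added example, not code from the original article: a small Python auditor for Spring bean XML. The function name audit_bean_xml, the class example.Placeholder and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Bean XML attributes that make the container call a method on its own.
LIFECYCLE_ATTRS = ("init-method", "destroy-method", "factory-method",
                   "default-init-method", "default-destroy-method")
SPEL = re.compile(r"#\{.*?\}", re.S)

def local(name):
    """Strip an XML namespace prefix of the form {uri}name."""
    return name.rsplit("}", 1)[-1]

def audit_bean_xml(text):
    """Return (kind, owning bean class, detail) findings in document order."""
    findings = []

    def walk(elem, owner):
        if local(elem.tag) == "bean":
            owner = elem.get("class", "?")
        for name, value in elem.attrib.items():
            if local(name) in LIFECYCLE_ATTRS:
                findings.append((local(name), owner, value))
            findings.extend(("spel", owner, e) for e in SPEL.findall(value))
        findings.extend(("spel", owner, e) for e in SPEL.findall(elem.text or ""))
        for child in elem:
            walk(child, owner)

    # The stdlib parser does not fetch external entities; for fully untrusted
    # input the defusedxml package adds entity-expansion limits.
    walk(ET.fromstring(text), "<beans>")
    return findings

# Constructed sample: the article's benign test bean plus a SpEL reference
# on a placeholder class (hypothetical, not a real payload).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="t" class="TestInitMethod" init-method="testInit"/>
  <bean id="pb" class="example.Placeholder">
    <property name="p" value="#{pb.start()}"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    for finding in audit_bean_xml(SAMPLE):
        print(finding)
```

A filter that only looks for #{...} would report the second bean and miss the first, which is exactly the gap the adjusted payload relies on.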
