Weblogic CVE-2023-21931 Vulnerability Hunting Technique: Post-Deserialization Exploitation
2023-4-20 09:45:49 Author: thelostworld (view original) Reads: 27 Favorites



 01 

In recent years, Weblogic deserialization vulnerability hunting has centred on the points that trigger deserialization. In fact there are many further points where deserialization happens but cannot be exploited immediately, and these are easy to overlook in day-to-day vulnerability hunting. The industry has also had some further discussion of "post-deserialization": these seemingly unexploitable vulnerabilities can in fact be turned into stable exploits through some follow-up techniques. For example, when a bind() or rebind() operation does not trigger the vulnerability, other methods such as lookup() or lookupLink() can be tried to trigger it.

Following this line of thinking we found two Weblogic post-deserialization vulnerabilities (CVE-2023-21931 and CVE-2023-21839), which Oracle has officially confirmed. Using these two Weblogic vulnerabilities as examples, this article shares the approach to exploiting "post-deserialization vulnerabilities". We believe many more vulnerabilities of this kind will gradually be uncovered in the future, and hope this article offers some inspiration.

 02  

Weblogic  readObject(), readResolve(), readExternal()  Weblogic  Weblogic 

 Weblogic  bind()  rebind()  lookup(), lookupLink() 

 lookup()  Weblogic 

 03  lookup

 lookup() 

  • Weblogic  BasicServerRef  invoke() 

  •  _invoke() Weblogic  resolve_any  resolve_any() 
  •  resolve_any()  resolveObject() 
  •  resolveObject()  lookup() 
  •  WLContextImpl, WLEventContextImpl  WLEventContextImpl  RootNamingNode, ServerNamingNode, BasicNamingNode  lookup()  BasicNamingNode  resolveObject() 
  •  resolveObject()  obj  NamingNode  mode  1 WLNamingManager  getObjectInstance() 

 WLNamingManager  getObjectInstance()  getReferent()  lookup()  CVE  getObjectInstance() 

 04  CVE-2023-21931

CVE-2023-21931  WLNamingManager  getObjectInstance()  boundObject  LinkRef  boundObject  getLinkName()  lookup()  getLinkName()  linkAddrType  JNDI  LinkRef  linkAddrType  JNDI  lookup()  JNDI 

```java
package weblogic.jndi.internal;

public final class WLNamingManager {
    public static Object getObjectInstance(Object boundObject, Name name, Context ctx, Hashtable env) throws NamingException {
        if (boundObject instanceof ClassTypeOpaqueReference) {
            ......
        } else if (boundObject instanceof LinkRef) {
            String linkName = ((LinkRef)boundObject).getLinkName();
            InitialContext ic = null;
            try {
                ic = new InitialContext(env);
                boundObject = ic.lookup(linkName);  // JNDI lookup of the LinkRef's link name
            } catch (NamingException var15) {
                ......
            } finally {......}
        }
    }
}
```

 JNDI  LinkRef LinkRef  Java  LinkRef  linkAddrType   getLinkName()  linkAddrType 

```java
package javax.naming;

public class LinkRef extends Reference {
    static final String linkClassName = LinkRef.class.getName();
    static final String linkAddrType = "LinkAddress";

    public LinkRef(Name linkName) {
        super(linkClassName, new StringRefAddr(linkAddrType, linkName.toString()));
    }

    public LinkRef(String linkName) {
        super(linkClassName, new StringRefAddr(linkAddrType, linkName));
    }

    public String getLinkName() throws NamingException {
        if (className != null && className.equals(linkClassName)) {
            RefAddr addr = get(linkAddrType);
            if (addr != null && addr instanceof StringRefAddr) {
                return (String) ((StringRefAddr) addr).getContent();
            }
        }
        throw new MalformedLinkException();
    }
}
```

rebind()  lookup()  WLNamingManager  getObjectInstance()  lookup()  JNDI 

 Goby  CVE-2023-21931  shell 

 05  CVE-2023-21839

ForeignOpaqueReference  OpaqueReference  ForeignOpaqueReference jndiEnvironment  remoteJNDIName env  remoteJNDIName

ForeignOpaqueReference  getReferent()  OpaqueReference  getReferent() retVal = context.lookup(this.remoteJNDIName);  remoteJNDIName  JNDI 

```java
package weblogic.jndi.internal;

public class ForeignOpaqueReference implements OpaqueReference, Serializable {
    private Hashtable jndiEnvironment;
    private String remoteJNDIName;
    ......

    public ForeignOpaqueReference(String remoteJNDIName, Hashtable env) {
        this.remoteJNDIName = remoteJNDIName;
        this.jndiEnvironment = env;
    }

    public Object getReferent(Name name, Context ctx) throws NamingException {
        InitialContext context;
        if (this.jndiEnvironment == null) {
            context = new InitialContext();
        } else {
            Hashtable properties = this.decrypt();
            context = new InitialContext(properties);
        }

        Object retVal;
        try {
            retVal = context.lookup(this.remoteJNDIName);   // JNDI lookup of the deserialized remoteJNDIName
        } finally {
            context.close();
        }
        return retVal;
    }
    ......
}
```

getReferent() 

```java
package weblogic.jndi;

public interface OpaqueReference {
    Object getReferent(Name var1, Context var2) throws NamingException;

    String toString();
}
```

OpaqueReference getReferent()  toString();

ForeignOpaqueReference  getReferent()  WLNamingManager 

 WLNamingManager  getObjectInstance()  boundObject  OpaqueReference  getReferent()  boundObject = ((OpaqueReference)boundObject).getReferent(name, ctx);

 ForeignOpaqueReference  OpaqueReference  getReferent() 

```java
package weblogic.jndi.internal;

public final class WLNamingManager {
    public static Object getObjectInstance(Object boundObject, Name name, Context ctx, Hashtable env) throws NamingException {
        if (boundObject instanceof ClassTypeOpaqueReference) {
            ......
        } else if (boundObject instanceof OpaqueReference) {
            boundObject = ((OpaqueReference)boundObject).getReferent(name, ctx);
        } else if (boundObject instanceof LinkRef) {
            ...
        }
    }
}
```

CVE-2023-21931 CVE-2023-21839  ForeignOpaqueReference  getReferent()  lookup() 
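Both CVEs share one shape: the deserialized object itself does nothing at deserialization time, and the JNDI lookup only happens later, when WLNamingManager.getObjectInstance() dereferences a bound LinkRef (through getLinkName()) or an OpaqueReference (through getReferent(), which for ForeignOpaqueReference is a lookup of remoteJNDIName). The Java program below is an added example written for this article; it is not code from Weblogic, Oracle, or the Goby authors. It models that pattern with the real javax.naming.LinkRef class and an in-memory naming tree, and shows where a defender-side check on the link target would sit. PostDeserializationDemo, OpaqueRef, ForeignRef, follow(), isLocalName() and the constructed ldap:// name are all assumptions of the demo, and refusing URL-style link targets is one illustrative mitigation, not Oracle's patch.

```java
// Added example, not Weblogic's or the article's code: a minimal model of the
// post-deserialization pattern. Deserializing a LinkRef or a ForeignRef has no
// side effect; the lookup of the embedded name happens later, in a resolver
// modelled on WLNamingManager.getObjectInstance(). Everything below is assumed.
import javax.naming.LinkRef;
import javax.naming.MalformedLinkException;
import javax.naming.NamingException;
import java.io.*;
import java.util.*;

public final class PostDeserializationDemo {

    /** Hypothetical allow-check: follow only names inside the local tree. */
    static boolean isLocalName(String n) {
        if (n == null || n.isEmpty()) return false;
        // Remote providers are addressed by URL syntax ("ldap:", "rmi:", "iiop:", ...):
        // a ':' that precedes any '/' marks the name as a URL and it is refused.
        // Deliberately coarse (it also rejects "java:" names); an assumption for the demo.
        int colon = n.indexOf(':'), slash = n.indexOf('/');
        return !(colon >= 0 && (slash < 0 || colon < slash));
    }

    /** Stand-in for weblogic.jndi.OpaqueReference (assumed shape for the demo). */
    interface OpaqueRef { Object getReferent(PostDeserializationDemo ctx) throws NamingException; }

    /** Stand-in for ForeignOpaqueReference: its referent is a lookup of remoteJNDIName. */
    static final class ForeignRef implements OpaqueRef, Serializable {
        private final String remoteJNDIName;
        ForeignRef(String remoteJNDIName) { this.remoteJNDIName = remoteJNDIName; }
        public Object getReferent(PostDeserializationDemo ctx) throws NamingException {
            return ctx.follow(remoteJNDIName);
        }
    }

    private final Map<String, Object> tree = new HashMap<>();   // in-memory naming tree
    final List<String> attemptedLookups = new ArrayList<>();     // names that would reach JNDI
    private final boolean enforcePolicy;

    PostDeserializationDemo(boolean enforcePolicy) { this.enforcePolicy = enforcePolicy; }

    void bind(String name, Object value) { tree.put(name, value); }

    /** The dereference step; without the policy the name goes straight to lookup(). */
    Object follow(String target) throws NamingException {
        if (enforcePolicy && !isLocalName(target)) {
            throw new MalformedLinkException("refusing non-local target: " + target);
        }
        attemptedLookups.add(target);   // in Weblogic this is ic.lookup() / context.lookup()
        return lookup(target);
    }

    /** Mirrors the dereferencing branches of WLNamingManager.getObjectInstance(). */
    Object lookup(String name) throws NamingException {
        Object bound = tree.get(name);
        if (bound == null) throw new NamingException("name not bound: " + name);
        if (bound instanceof OpaqueRef) return ((OpaqueRef) bound).getReferent(this);
        if (bound instanceof LinkRef) return follow(((LinkRef) bound).getLinkName());
        return bound;
    }

    /** Serialize and deserialize: this step alone has no side effect. */
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample name; no network is touched anywhere in this demo.
        String remote = "ldap://remote-host.example/obj";

        for (boolean enforce : new boolean[] {false, true}) {
            PostDeserializationDemo ctx = new PostDeserializationDemo(enforce);
            ctx.bind("services/db", "local-datasource");
            ctx.bind("alias", roundTrip(new LinkRef("services/db")));   // benign local link
            ctx.bind("link", roundTrip(new LinkRef(remote)));           // CVE-2023-21931 shape
            ctx.bind("foreign", roundTrip(new ForeignRef(remote)));     // CVE-2023-21839 shape

            System.out.println("policy=" + enforce + " alias -> " + ctx.lookup("alias"));
            for (String n : new String[] {"link", "foreign"}) {
                try {
                    ctx.lookup(n);
                } catch (NamingException e) {
                    System.out.println("policy=" + enforce + " " + n + " -> " + e.getMessage());
                }
            }
            System.out.println("policy=" + enforce + " lookups attempted: " + ctx.attemptedLookups);
        }
    }
}
```

Run it with `java PostDeserializationDemo.java` (JDK 11 or later). With the policy off, both the LinkRef and the ForeignRef bindings cause a lookup of the remote name to be attempted, even though the objects were deserialized without incident; with the policy on, the same bindings are refused by the check before any lookup, while the local alias still resolves. The check is intentionally simplistic, so in a real deployment the vendor patch, not this filter, is the fix.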

 Goby  CVE-2023-21839  Shell 

 06  Timeline

CVE-2023-21931

  • 2022-08-12  
  • 2022-08-19  
  • 2023-04-18  

CVE-2023-21839

  • 2022-07-31  
  • 2022-08-05  
  • 2023-01-16  

 07  

Vulfocus Weblogic 

```shell
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.2.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.1.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.3.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.4.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:14.1.1.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.1.2.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.1.3.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:10.3.6.0-jdk-release
```

 08  

1. Java - Ruilin (http://rui0.cn/archives/1338)
2. Ruil1n/after-deserialization-attack: Java After-Deserialization Attack (https://github.com/Ruil1n/after-deserialization-attack)



Article source: http://mp.weixin.qq.com/s?__biz=MzIyNjk0ODYxMA==&mid=2247486887&idx=1&sn=6e3ee81f6b585e34d5966109b9e59854&chksm=e869eecadf1e67dc69450bf8108057c74ee4ee46abaaad4a54b4044dc307ac6cd40c90b6eef1#rd