Weblogic 反序列化漏洞利用 - 安全牛课堂 - 先进的信息安全在线教育平台

抄底福利来袭！TOP5 课程低价狂欢！保价 618>>

264人
分享


收藏

Weblogic 反序列化漏洞利用

购买过企业安全测试与实践、安全技术会员课程的学员不要再买此课程

价格 199.00元

学习有效期 365天（随到随学）

立即购买会员免费学

简介

Java 序列化与反序列化

Java 序列化是指把 Java 对象转换为字节序列的过程便于保存在内存、文件、数据库中，ObjectOutputStream类的 writeObject() 方法可以实现序列化。
Java 反序列化是指把字节序列恢复为 Java 对象的过程，ObjectInputStream 类的 readObject() 方法用于反序列化。

序列化与反序列化是让 Java 对象脱离 Java 运行环境的一种手段，可以有效的实现多平台之间的通信、对象持久化存储。

Java反序列化漏洞历史
最为出名的大概应该是：15年的Apache Commons Collections 反序列化远程命令执行漏洞，其当初影响范围包括：WebSphere、JBoss、Jenkins、WebLogic 和 OpenNMSd等。

Apache Commons Collections 3和4，Groovy，Spring，只要目标应用的Class Path中包含这些库，可让readObject()实现任意命令执行。影响比较广泛的就是Apache Commons Collections这个库，中间件基本都会涉及使用此库。

Weblogic Java反序列化漏洞介绍
因为weblogic底层也使用Apache Commons Collections库，WebLogic 存在Java反序列化漏洞无疑的。以下是基于Weblogic t3协议引起远程代码执行的反序列化漏洞统计：

CVE-2015-4852

CVE-2016-0638

CVE-2016-3510

CVE-2017-3248

CVE-2018-2628

从2015年一直修到2018年，反复修，反复被绕过，基于t3协议的Java反序列化漏洞还在继续。因为Apache Commons Collections 这个库使用太广泛了，市面主流中间件、Spring、fastjson 等都使用这个库。Oracle的Weblogic补丁是采用黑名单的方式过滤危险的反序列化类，每次新出现一种漏洞就提供一个新的黑名单，这种方式极不安全的。一旦黑客发现新的漏洞，绕过这个黑名单就能攻击。

学习目录

[{"itemType":"task","number":"1","published_number":"1","title":"Weblogic\u7cfb\u5217\u6f0f\u6d1e\u5229\u7528\u5b9e\u8df5","result":"","resultStatus":"","lock":false,"status":"published","taskId":"247647","isOptional":"0","type":"video","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"02:03:06","activityEndTime":"","fileStorage":"cloud","isTaskTryLookable":1,"isTaskShowModal":true,"isSingleTaskLesson":true},{"itemType":"task","number":1,"published_number":0,"title":"Weblogic\u7cfb\u5217.pdf","result":"","resultStatus":"","lock":false,"status":"published","taskId":"291253","isOptional":"0","type":"download","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"","activityEndTime":"","fileStorage":"","isTaskTryLookable":0,"isTaskShowModal":false,"isSingleTaskLesson":false},{"itemType":"task","number":"2","published_number":"2","title":"Weblogic\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u6df1\u5165\u7406\u89e3\u548c\u5b9e\u8df5\uff08\u4e00\uff09","result":"","resultStatus":"","lock":false,"status":"published","taskId":"247662","isOptional":"0","type":"video","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"02:20:57","activityEndTime":"","fileStorage":"cloud","isTaskTryLookable":1,"isTaskShowModal":true,"isSingleTaskLesson":true},{"itemType":"task","number":"3","published_number":"3","title":"Weblogic\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e(Commons-Collections)\u6df1\u5165\u7406\u89e3\u548c\u5b9e\u8df5\uff08\u4e8c\uff09","result":"","resultStatus":"","lock":false,"status":"published","taskId":"247663","isOptional":"0","type":"video","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"01:08:27","activityEndTime":"","fileStorage":"cloud","isTaskTryLookable":1,"isTaskShowModal":true,"isSingleTaskLesson":true},{"itemType":"task","number":"4","published_number":"4","title":"Weblogic JRMP\u7cfb\u5217\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u6df1\u5165\u7406\u89e3\u548c\u5b9e\u8df5\uff08\u4e09\uff09","result":"","resultStatus":"","lock":false,"status":"published","taskId":"247664","isOptional":"0","type":"video","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"02:16:56","activityEndTime":"","fileStorage":"cloud","isTaskTryLookable":1,"isTaskShowModal":true,"isSingleTaskLesson":true},{"itemType":"task","number":"5","published_number":"5","title":"Weblogic\u7cfb\u5217RCE\u6f0f\u6d1e(CVE-2018-2893-2894-3191)\u5206\u6790\u548c\u5b9e\u8df5","result":"","resultStatus":"","lock":false,"status":"published","taskId":"247665","isOptional":"0","type":"video","isTaskFree":"0","watchLimitRemaining":false,"replayStatus":"","activityStartTimeStr":"","activityStartTime":"","activityLength":"02:18:58","activityEndTime":"","fileStorage":"cloud","isTaskTryLookable":1,"isTaskShowModal":true,"isSingleTaskLesson":true}]